On Demand Migration for Email Current - User Guide


Getting Started for New Users

This section provides basic instructions on how to use On Demand Migration for Email.

  1. Log in to the ODME Portal. For more details about how to get the service subscription, refer to Subscribing to the Service.
  2. The Dashboard screen opens. Here you can create a migration plan. For that, press the New Plan button at the bottom of the screen.
    You can also create a migration plan from a template if available. To do this, select a template from the drop-down list in the dialog box where you create the migration plan.
  3. Once an ODME Plan is created, there are four steps: Connections, Mailboxes, Options and Migrate:
  • Connections
    On the first step, you need to specify Source and Target details so that ODME can connect to both endpoints. Some fields may not be editable if your plan was created from a template.


  • Mailboxes
    On the second step, you need to add the list of mailboxes that you are going to migrate. This can be done manually one by one or using a TSV file.


  • Options
    On the third step, you can select different options for your migration, such as: migrate email or archive email, use date filtering, exclude some folders or use forwarding. Some fields may not be editable if your plan was created from a template.

  • Migrate
    Finally, you need to run the migration for all added mailboxes or select mailboxes that you want to migrate.

 

To get more detailed information on the migration process, see the following sections:

Roles and Permissions

On Demand Migration for Email uses a role-based approach to manage user permissions in the Users and Roles tab. The following table describes the migration-related permissions for the default roles Full Administrator and Migration for Email Admin:

Table 4: Roles and Permissions
Permission Actions Full Administrator Migration for Email Admin
Manage Migration Plans
  • Create a migration plan from scratch.
  • Edit / Delete / Rename / Copy a migration plan created from scratch.
  • The actions defined by the permission Read.
Execute Migration Plans
  • Start / Stop / Restart a migration plan created from scratch.
  • The actions defined by the permission Read.
Manage Migration Plans From Templates
  • Create a migration plan from template.
  • Edit / Delete / Rename / Copy a migration plan created from a template.
  • The actions defined by the permission Read.
Execute Migration Plans From Templates
  • Start / Stop / Restart a migration plan created from a template.
  • The actions defined by the permission Read.
Manage Templates
  • Create / Edit / Delete a migration template.
  • The actions defined by the permission Read.
Read
  • View the existing migration plans (including those created from a template) and templates.
  • Download and view audit logs for a migration template.
  • Download and view all types of reports for a migration.

 

Note: Users without any permissions can still log in to ODME and will see a blank page after login, but they cannot work with the product until proper permissions are assigned.


Configure Active Directory Federation Services (AD FS) to Access ODME

Active Directory Federation Services (AD FS) allows a customer to configure the secure sharing of identity information between a trusted on-premises Active Directory and On Demand Migration for Email. When a user needs to access the web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information.

Supported AD FS versions: 2.0 and 4.0.

To configure the client AD FS Server to access On Demand Migration for Email

  1. Make sure that AD FS Server is installed in your on-premises Active Directory environment.

  2. Create the new Relying Party Trust named "Quest On Demand Federation":
    1. In the AD FS console, navigate to Trust Relationships and select Relying Party Trusts, then click Add Relying Party Trust in the Actions menu to open the Add Relying Party Trust Wizard. Alternatively, you can edit an existing Relying Party Trust.
    2. Add the link shown below to the list of "Relying party identifiers" on the Identifiers tab and to the list of "WS-Federation Passive Endpoints" on the Endpoints tab of the trust properties:

      https://sts.ondemand.quest.com/PassiveFederation.aspx

  3. Create a new custom Claim Rule for "Quest On Demand Federation" (ODS requires a specific set of attributes), and configure it using the following rule text:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory",
        types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID",
                 "http://schemas.xmlsoap.org/claims/UPN",
                 "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                 "http://schemas.xmlsoap.org/claims/CommonName"),
        query = ";objectGuid,userPrincipalName,tokenGroups(domainQualifiedName),sAMAccountName,givenName,mail,displayName;{0}",
        param = c.Value);

  4. Download the Federation Metadata XML document using this address:
    https://<AD FS address>/FederationMetadata/2007-06/FederationMetadata.xml
  5. Create a support request at https://support.quest.com/contact-support and provide the following files:
    • FederationMetadata.xml
    • File that contains the list of email domains which will be used to log in to ODME
  6. When the ODME team reports back that they have configured the integration, log on to On Demand Migration for Email. You should be redirected to your AD FS Server and then back to the ODME page (depending on your browser settings and the running context, it may ask you for your AD credentials).

    Note: If the AD FS Server re-creates its certificate automatically, or you replace the certificate after expiration, the integration will break. Please contact the ODME team, so that they can replace the certificate information in the database.

  7. You can assign ODME roles to on-premises Active Directory security groups so that users in these groups would automatically gain access to the web application:
    1. For that, go to the Users and Roles tab in ODME, select the role needed and click Users.
    2. Then, click the Add Group button.
    3. In the dialog that opens, specify the group name in the following format: <domain name>\<group name> and the client realm.
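
The note in step 6 says the integration breaks when the AD FS certificate is re-created or replaced. The following added example (not part of the Quest guide or of ODME) compares the FederationMetadata.xml that was sent in step 5 with the one AD FS publishes now and reports whether the signing certificates differ. The function names, status strings and sample metadata are assumptions made for illustration; the sample uses placeholder bytes, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def thumbprint(der: bytes) -> str:
    # SHA-1 over the DER bytes, the form Windows displays as the certificate thumbprint.
    return hashlib.sha1(der).hexdigest().upper()

def signing_thumbprints(metadata_xml: str) -> set:
    """Thumbprints of every certificate the metadata publishes for signing."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" applies to signing and encryption alike.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # the base64 may be line-wrapped
            found.add(thumbprint(base64.b64decode(b64)))
    return found

def compare(submitted_xml: str, current_xml: str) -> dict:
    """Compare the metadata sent to the ODME team with what AD FS publishes now."""
    old, new = signing_thumbprints(submitted_xml), signing_thumbprints(current_xml)
    if new == old:
        status = "in-sync"
    elif old <= new:
        status = "new-cert-published"  # known cert still present, another one added
    else:
        status = "known-cert-gone"     # a cert from the submitted file is no longer published
    return {"status": status, "added": sorted(new - old), "removed": sorted(old - new)}

def sample_metadata(*signing_blobs: bytes) -> str:
    """Constructed stand-in for FederationMetadata.xml (placeholder bytes, not real certs)."""
    def kd(use, blob):
        return (f'<KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                f'{base64.b64encode(blob).decode()}'
                '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>')
    keys = kd("encryption", b"constructed-enc") + "".join(kd("signing", b) for b in signing_blobs)
    return ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:adfs">'
            '<IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{keys}</IDPSSODescriptor></EntityDescriptor>')

if __name__ == "__main__":
    submitted = sample_metadata(b"constructed-cert-A")
    print(compare(submitted, sample_metadata(b"constructed-cert-A", b"constructed-cert-B")))
    print(compare(submitted, sample_metadata(b"constructed-cert-B")))
```

Any status other than in-sync means the certificate information held by the ODME team no longer matches the server, which is the condition the note asks you to report.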

Using Azure AD Single Sign-On to Access ODME


Azure Active Directory single sign-on (Azure AD SSO) enables users to access and authenticate to On Demand Migration for Email using their single organizational account in Azure Active Directory.

To configure access to On Demand Migration for Email via Azure AD SSO:

  1. First, the administrator of your organization must grant On Demand Migration for Email access to your organization’s data. To do this, perform the following steps:
    1. Go to https://portal.ondemand.quest.com/ and click Sign In.
    2. In the Sign In dialog, click the grant On Demand Migration for Email access link.


    3. Enter Azure AD administrator credentials.
    4. Click Accept in the dialog that opens to grant consent to the On Demand Migration for Email application.
  2. After that you can assign the ODME roles to Azure AD security groups directly, so that users in these groups would automatically gain access to ODME.
    1. For that, go to the Users and Roles tab in ODME, select the role you need and click Users.
    2. Click the Add Azure Group button.
    3. In the dialog that opens, you can choose the group from the drop-down list. This list is populated with Azure AD groups that the user is a member of. You can also specify the group name in the following format: <domain name>\<group name>.