
On Demand Migration for Email Current - User Guide


Microsoft 365

Required Permissions

Note: If you use end-user credentials for migration, you do not need to create an administrator account.

If you do not use the Use Modern Authentication option, your administrator account must have an Enterprise Microsoft 365 license and must be assigned to a Role-Based Access Control group that has Application Impersonation rights. By default, the ApplicationImpersonation role is not assigned to this group, which means the first step is to sign in as an organization administrator to the Microsoft 365 portal and add this role to either an existing role group or to a new role group that you create. See Exchange Online documentation for more information on creating role groups and assigning rights.

It is recommended that you create a new role group named "Migration Impersonation" and assign the ApplicationImpersonation role to it.

Role groups are created in the Role Groups page of the Microsoft 365 portal. After logging in, go to the Options menu, select See All Options.... Then from the Options: Manage Myself menu, select My Organization. Lastly, select the Roles & Auditing item and click New.
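The same role group can also be created from Exchange Online PowerShell. The script below is an added example, not part of the ODME guide: it limits the impersonation right to mailboxes tagged for migration and then lists every account that effectively holds it. The account names, the scope name and the CustomAttribute1 tagging convention are placeholders.

```powershell
# Added example: values marked "placeholder" are assumptions, not taken from the guide.
# Requires the ExchangeOnlineManagement module and an organization administrator sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin UPN

$groupName = 'Migration Impersonation'     # role group name recommended in the guide
$migrator  = 'svc-odme@contoso.example'    # placeholder migration administrator account
$scopeName = 'ODME Migration Batch'        # placeholder management scope name

# Restrict impersonation to mailboxes tagged for migration rather than the whole tenant.
# CustomAttribute1 = 'ODME' is a constructed tagging convention.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName `
        -RecipientRestrictionFilter "CustomAttribute1 -eq 'ODME'" | Out-Null
}

# Create the role group with only the ApplicationImpersonation role, bound to that scope.
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles 'ApplicationImpersonation' `
        -Members $migrator -CustomRecipientWriteScope $scopeName | Out-Null
}

# Review who effectively holds impersonation rights and through which assignment.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope |
    Sort-Object EffectiveUserName |
    Format-Table -AutoSize

# Once the migration is finished, remove the group and scope so the right does not linger:
# Remove-RoleGroup -Identity $groupName -Confirm:$false
# Remove-ManagementScope -Identity $scopeName -Confirm:$false

Disconnect-ExchangeOnline -Confirm:$false
```

Any account in the review output that is not the migration administrator account should be investigated before the migration starts.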

  • You can use Modern Authentication to connect to Microsoft 365. The Use Modern Authentication option lets you grant consent to ODME instead of providing Administrative credentials with Application Impersonation rights. When the Use Modern Authentication option is enabled, the Forwarding section in a plan’s Options page contains additional fields where you need to specify the credentials of the account which has the permissions to modify forwarding settings. The Use Modern Authentication option is enabled for any newly created plan by default.

    Note: The Use Modern Authentication option is supported for connections to Microsoft 365 Worldwide. The option is not supported for connections to Microsoft 365 hosted in the Germany, China or US Government environments (Microsoft 365 GCC High).

    When connecting to your Microsoft 365 server in the Migration Settings screen, it is recommended you select the auto-discovery option, which uses your login credentials to automatically obtain the server name during a migration. You can also enter the name of your Microsoft 365 server manually as it appears in the address bar when you log in as an administrator to your account.

    Note: If using the auto-discovery option, you need to have the proper DNS settings in place. See Exchange Online documentation for more information.

    To perform mail forwarding, the administrator account must be assigned the "Recipient Management" role. See the section Setting Up Mail Routing for more information.

    Upgrade Throttling Policies

    To minimize the impact of Microsoft 365 throttling on migration and to raise overall migration throughput, we highly recommend upgrading your Microsoft 365 tenant throttling policies. Please contact Microsoft support and request that the limits for the following throttling parameters be raised to 'Unlimited':

    • EwsMaxBurst
    • EwsRechargeRate
    • EwsCutoffBalance

    The upgrade can be applied for the duration of your migration only.

  • POP/Windows Live Hotmail

    Ensure that the keep mail on the server option is set. On Windows Live Hotmail, go to Managing your account settings, select POP and deleting downloaded messages and then select the option Don't let another program delete messages from Hotmail. (If your other program is set to delete messages from the server, messages are moved to a special POP folder. They are not deleted.)


    Ensure IMAP support is enabled on the mail server.

    Dovecot Mail Server

    To exclude a specific folder from migration, you should specify the full path to this folder (mail location).

    By default Dovecot uses the Maildir++ directory layout. This means that all mailboxes are stored in a single directory and prefixed with a dot.


    The full path to grandfolder is "Inbox.childfolder2.grandfolder"

    If the file system (fs) layout is enabled in the server, the full path to grandfolder looks like "Inbox/childfolder2/grandfolder".

    To enable the file system layout, use the following string: mail_location = maildir:~/Maildir:LAYOUT=fs

    For more details about the mail location, please see



    For Zimbra 7, 8 source systems, make sure that the following configuration settings are enabled at the server level as well as for each user account:

    Major Features
    • Mail
    • Address Book
    • Calendar
    • Tasks
    Mail Features
    • IMAP Access
    • External IMAP Access

    ODME uses a combination of IMAP and Zimbra's SOAP API to migrate data. Generally, IMAP is enabled for every user by default; if it is not, it must be enabled. The default IMAP ports are the same as for any IMAP-based server (143 and 993 using SSL). The default ports for Zimbra are port 7071 for the admin connection and port 80 for the normal connection. The admin connection is only used to configure impersonation for the mailbox being migrated. Once the mailbox is successfully impersonated, ODME uses a regular SOAP connection on port 80 for the rest of the SOAP calls. You can change port numbers if needed. You can also enable SSL on each connection.
