This user guide covers the steps required to configure and perform a Domain Move. The Domain Move Quick Start Guide summarizes these steps and addresses some frequently asked questions.
This user guide covers the steps required to configure and perform a Domain Move. The Domain Move Quick Start Guide summarizes these steps and addresses some frequently asked questions.
A project in Domain Move allows you to configure and manage a subset of features, services and capabilities related to specific environments and/or user groups.
To create a new project, follow these steps:
- Click New Project to open the start of a project.
- If a project option is not available, this means you do not have the required licenses.
- Follow the wizard which will guide you through the setup process until it is complete.
All Domain Move Projects require at least 2 Microsoft 365 environments be added to your Domain Move Project to establish at least one source and one target environment for integration activities. Additional environments can be added for more complex migration scenarios.
A “tenant” or “environment” is this context is referring to an Microsoft 365 Worldwide subscription.
Before creating your project, it is recommended that an Application Service Account be created in each of your Microsoft 365 environments. This account will be used for the duration of the project or services requirement.
This account will be used to grant delegated permissions to Domain Move on-behalf of the signed-in user. The administrator consents to the permissions that the app requests and the app has delegated permission to act as the signed-in user when making calls to Microsoft Graph. Some higher-privileged permissions require administrator consent. Domain Move requires Global Administrator consent for 4 Graph permissions anytime a tenant is added or reconnected.
Follow these recommended steps to prepare your accounts for project setup:
- Create a cloud only Domain Move Application Service Account in each environment.
- The recommended name of the account would be “Domain Move App Services”.
- Set the account password expiration date to correspond with the project end date or set to “do not expire”.
- Assign Global Administrator Role to the account.
- Assign an Microsoft 365 License to the user. The minimal subscription should include Exchange Online.
- Login to the account for the first time in Microsoft 365 to verify access.
- Make the account information available to the authorized administrator for each client environment.
Please Note: It is acceptable to use an existing administrator account if that is preferred.
During the start of your project setup you will be asked to add your environments. Follow these steps to complete the process.
- Click the New Project button or open your existing project.
- Navigate through the setup wizard to the add an environment step.
Click the New button.
- When you add a tenant, you will be prompted for your Microsoft account.
- Enter the credentials of an administrative account for this Office365 tenant.
Read and accept the permission notice related to MS Graph permissions required to manage your projects. Note that two SharePoint Migration API permissions are included to allow OneDrive for Business Accelerated Velocity Mode migration to function.
(click to view larger)
- You will then be returned to the Add Tenant screen. You will repeat this process for each tenant that is part of the project.
When setting up your project for the first time, a Binary Tree PowerShell account will be created in each tenant added to the project and the Domain Move App will be installed. This account is used for PowerShell related tasks and to provide full access to the source and target mailboxes for migration purposes.
To complete this process, each tenant must have at least 1 available Microsoft 365 license, so it may be assigned to the account.
Domain Move will use your Application Service Account you created to connect to Microsoft 365. Credentials are never stored or transmitted between Domain Move and Microsoft 365.
Domain Move will add the Domain Move App to your Tenant. See figure 2 below.
Domain Move will create a cloud only account in your Microsoft 365 tenant for PowerShell.
Domain Move will license your new account with the available subscription that has the Exchange Online plan. A lower cost license will be used if available. For example, if you have both E3 and E1; E1 will be used if a license is available.
Domain Move by default will grant the Exchange and SharePoint Administrator Roles to this account.
Figure 2: Example Domain Move App (click to view larger)
Here is the list of minimal Graph permissions required to operate a Domain Move project.
Read and write all users’ full profile (User.ReadWrite.All)
Read and write all groups (Group.ReadWrite.All)
Read and write directory data (Directory.ReadWrite.All)
The following lists the basic need for each Graph permission.
Read and write all users’ full profile (User.ReadWrite.All) - Used to read and move email addresses.
Read and write all groups (Group.ReadWrite.All) – Used to read and move email addresses.
Read and write directory data (Directory.ReadWrite.All) - Used to discover Azure directory and automate licensing.
Domain Move will not ask you to save or transmit your administrator credentials in any cloud environment endpoint configuration.
For daily migration and integration operations and services, the minimum Microsoft 365 administrator roles required are:
- Global Administrator
Anytime a tenant is connected for the first time or reconnect later, the minimum Microsoft 365 administrator role required is:
- Global Administrator
There are a few reasons why you could be required to reconnect your Microsoft 365 tenant to your Domain Move project. The following lists the most common reasons this action is required.
- Office 365 OAuth Token has Expired – After 90 days a standard OAuth token will expire. So, if your project is running longer than 3 months, please be sure to update your token by reconnecting your tenant to your project.
- Before a Domain Cutover Event – Before a domain cutover event, it is required that you raise your application account’s role to Global Administrator to facilitate the domain move orchestration and automation.
- Application Account has Changed – If the Application Account is deleted, recreated or changed it will be required that you reconnect your tenant to the project to continue services.
Pairing in this context means to identify the source and target relationships in your project. There are three (3) pairing types in a project. Those are environment pairing, the accepted domain pairing and the object attribute pairing.
Pairing environments, domains and objects are important because without designating the source and target locations, it will not be possible to migrate data, match objects, orchestrate mail flow or translate email addresses.
The project setup wizard will ask a few questions about the required pairings. And authorized administrators may update pairings when needed.
After adding your environments in the project setup wizard, it is time to set up your environment pairs. This is where you identify the source and target relationships in your project.
Domain Move will use this information as it guides you through configuring your project. You start with your environments, and then it’s just a matter of “from” and “to.” From what environment would you like to migrate accounts? And to where are they going?
With only two environments it might be just a simple one-to-one relationship. If you have multiple environments like in a divestiture, you may need to set up several environment pairings.
(click to view larger)
After setting up environment pairs, the next step is to pair the domains. Domain Pairing is setting up accepted domains from the source environment with accepted domains in the target.
When an account is setup in the target, the email address is automatically stamped with the paired domain in the target. The default domain might be a different domain altogether, so pairing makes sure you know what you will have in the target after migration.
Create one pairing at time. Choose an accepted domain from the source. And then a domain from the target. That’s the basic pairing.
Create whatever combination of domain pairings meets your needs. You can do a simple one-to-one relationship, or pair several source domains to a single target domain.
(click to view larger)
After setting up domain pairs, the next step is to pair the attributes for the purposes of matching objects between environments. Attribute Pairing is setting up value pairs from the source object and the target object.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center