When you sign up for the On Demand service for the first time, you create an organization and you become the On Demand organization administrator. You can add additional organization administrators.
For more information about managing your organization see Organizations and regions section in On Demand Global Settings User Guide.
Each On Demand migration project needs a source and target tenant. These are Commercial tenants. For users in the United States deployment region, On Demand Migration offers two options depending on the type of Microsoft 365 tenant that you want to add:
|
|
NOTE: When you create a migration project, a GCC or GCC High tenant can be used as the target tenant only. |
For steps to add tenants to the On Demand organization, see Adding a Tenant in the On Demand Global Settings Current User Guide.
The following are some key roles that users will need to access and authorize tenant assets and work with On Demand Migration.
This role is assigned to users who have full access to the Quest On Demand application. They can initiate the migration of tenant assets, manage licenses, audit records and perform many other functions through the Quest On Demand application.
Quest On Demand is shipped with many predefined roles. On Demand Administrator, Migration Administrator, Audit Administrator, License Management Administrator and Recovery Administrator are some examples.
You can create more roles with specific permissions to allow other users to work with On Demand Migration. See the On Demand Global Settings Current User Guide for more information about setting up roles.
| Permission | Description | Service Scope |
| Create, Rename and Delete projects | Required permission to create, rename and delete migration projects from the Projects Dashboard | On Demand Migration |
| View projects and manage selected services | This permission must be select to activate the individual permissions to view and manage services. Services selected for this permission will be inherited by all child permissions | On Demand Migration |
| View projects | Required permission to be able to view objects tasks and events for the selected services. Only the tiles for the selected services will be shown in the project dashboards.
Always inherited from parent permission |
On Demand Migration |
| Edit project properties | Permission to edit properties associated with project services. E.g Enables access to Accounts Configure Connections and SharePoint Configure Project. | On Demand Migration |
| Run a full discovery |
Permission to enable the action that allows users to run the task that will discover all available objects. |
Accounts, Teams, SharePoint, Public Folders |
| Run a scoped discovery with CSV file |
Permission to enable the actions that allows users to run the task that will discover objects based on a list contained in a prepared CSV file. |
Accounts, Teams, SharePoint |
| Run a scoped discovery from security group | Permission to enable the actions that allows users to run the task that will discover objects based on selected security group. | Accounts |
| Run content discovery tasks |
Permission to enable the actions that allows users to discover content and statistics about selected objects. |
Mailboxes, OneDrive, SharePoint |
| Run match and map tasks |
Permission to enable the actions that allows users to find matching objects on the target for selected objects and to map objects on source and target based on prepared CSV file. |
Accounts, Teams, SharePoint |
| Run provision and migration tasks |
Permission to enable the actions that allow user to provision and migrate selected objects to the target. |
Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders |
| Manage collections |
Permission to enable actions for creating and manage the Collection feature. |
Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent |
| Update and delete migration objects |
Permission to enable the action that allows the user to remove selected objects form the list of services object grid. |
Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent |
| Acknowledge and clear task events |
Permission to enable the action that allows the user to acknowledge and clear events from the Events grid. |
Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent |
| Manage Desktop Update Agent | Permission to enable all management actions in Desktop Update Agent. | Desktop Update Agent |
Multi-factor authentication (MFA) is supported for tenant administrators. For On Demand users, MFA support depends on how your organization has set up your access.
If you sign-in with your email and password, MFA has not been activated. If you click Sign in with Microsoft, MFA has been activated. If your organization requires multi-factor authentication and you receive an authorization error, your conditional access policy may not be configured correctly. You can do one of two things:
To use On Demand Migration, the tenant administrator (a user account with the Global administrator security role) for each tenant in a project must grant Azure consents and permissions to the On Demand Migration service principals.
Tenant Administrator
In this document the term Tenant Administrator refers to the Azure active directory user account that is assigned the Global administrator security role and has full access to a tenant. Each tenant that you add to a project requires the credentials of the tenant administrator. The tenant administrator requires additional roles to grant the necessary consents to the On Demand service principals that are created in the tenant to access various assets in the tenant during the migration lifecycle. See Consents and Permissions for more details. For more information about user and service principals see the Microsoft article Application and service principal objects in Azure Active Directory.
Tenant administrator accounts must have a mailbox with a valid Microsoft Exchange Online license.
Migration Manager
You can use a temporary user account to migrate On Demand assets. In this document the term Migration Manager refers to the Azure active directory user who has temporary access to a tenant through the Global administrator security role. Depending on the On Demand asset that is being migrated, this temporary user account must be granted specific Azure AD roles. For example, to migrate Teams see the roles required for Teams migration.
If you choose to work with a temporary account, you must login to the tenant and regrant the consents and permissions for the On Demand asset being migrated.
When you are done with the migration, it is recommended that you delete the temporary account for security reasons. See Finalizing the Migration for more details.
Whenever you add tenants to your organization, you must log in as the tenant administrator. You will be redirected to the Azure consent page as shown below.
When you have granted the consents, you can verify that the service principals were successfully created in the tenant. You must verify both source and target tenants.
This section lists the minimum consents and permissions required by the various On Demand Migration service principals for managing tenants, Microsoft 365 objects and other migration services.
| Task | Minimum consents and permissions |
|---|---|
| Add and configure tenants, and grant consent |
Core-Basic consent from both Source and Target tenant administrator accounts. Global Administrator role from both source and target tenant administrator accounts. |
| Task | Minimum consents and permissions | ||
|---|---|---|---|
| All tasks including discover and migrate accounts | Migration - Basic consent from both Source and Target tenant administrator accounts. | ||
| Migrate hybrid accounts |
Global Administrator role for both Source and Target tenant administrator accounts.
| ||
| Migrate Guest Users |
Guest Inviter role for both Source and Target tenant administrator accounts.
| ||
| Process Resources |
Guest Inviter role for Source and Target tenant administrator accounts.
|
| Task | Minimum consents and permissions | ||
|---|---|---|---|
| All tasks | Migration - Basic consent from both Source and Target tenant administrator accounts. | ||
| Migrate mailboxes | Mailbox Migration consent from both Source and Target tenant administrator accounts. | ||
| Migrate Public Folders |
Migration - Mailbox Migration consent from both Source and Target tenant administrator accounts. Exchange Administrator role for both Source and Target tenant administrator accounts. Owner permission for the root Public Folder of the target tenant must also be granted to the target tenant administrator account.
|
| Task | Minimum consents and permissions | ||
|---|---|---|---|
| All tasks | Migration - Basic consent from both Source and Target tenant administrator accounts. | ||
| Migrate OneDrive | Migration - SharePoint consent from both Source and Target tenant administrator accounts. | ||
| Provision OneDrive |
SharePoint Administrator role for provisioning OneDrive on the target tenant.
|
| Task | Minimum consents and permissions |
|---|---|
| All tasks | Migration - Basic consent from both Source and Target tenant administrator accounts. |
| Migrate SharePoint | Migration - SharePoint consent from both Source and Target tenant administrator accounts. The target tenant should already have the fully configured SharePoint with the active license plan. See Prerequisites for details. |
| Task | Minimum consents and permissions |
|---|---|
| All tasks | Migration - Basic consent from both Source and Target tenant administrator accounts. |
| Migrate Teams and Microsoft 365 Groups with Teams functionality |
Mailbox Migration, Migration - SharePoint and Migration - Teams consents. Global Administrator or Teams Administrator Azure AD role, and the ApplicationImpersonation Microsoft Exchange Server role for both Source and Target tenant administrator accounts. In addition to these roles, the tenant administrator account that grants the consents to the Migration -Teams service also requires the following:
|
If the Teams license check fails, verify that the source and target tenants are valid. Then run the PowerShell commands in Quest KB article 337302 to confirm that the tenant administrator account used to grant consent has TeamspaceAPI activated.
© 2023 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy
