Required Consents and Permissions
Whenever you add tenants to your organization, the Azure AD administrator account grants the Base consent to the Quest OnDemand application. To use On Demand Migration, the Azure AD administrator (the user principal) must grant additional consents and permissions to the On Demand Migration service applications (the service principals).
This section lists the minimum consents and permissions required by the Azure AD administrator account for managing tenants and Office 365 objects and the On Demand Migration service applications for migrating Office 365 objects.
|
|
IMPORTANT: The source and the target Azure AD administrator accounts should have a mailbox with a valid Microsoft Exchange Online license. |
For the Azure AD Administrator account
| Add and configure tenants, and grant consent |
Global Administrator role for both source and target Azure AD administrator accounts. See Adding a Tenant for details. |
| Provision OneDrive |
SharePoint Administrator role for provisioning OneDrive on the target tenant. |
| Migrate Guest Users |
Guest Inviter role for Target Azure AD administrator accounts. |
| Process Resources |
Guest Inviter role for Source Azure AD administrator accounts. |
| Migrate Teams and Microsoft 365 Groups |
Global Administrator or Teams Administrator role. In addition to these roles, the Azure AD Administrator account that grants the consents to the Migration -Teams application also requires the following:
- an active Microsoft 365 license
- Microsoft Teams app enabled within the Microsoft 365 license
- must remain active for the duration of the migration
|
For Basic migration
| All tasks including discover and migrate accounts |
Migration - Basic consent from both source and target Azure AD administrator accounts. |
| Migrate hybrid accounts |
Global Administrator role for both source and target Azure AD administrator accounts. |
| Guest User |
Guest Inviter role for both source and target Azure AD administrator accounts. |
For Mailbox migration
| All tasks |
Migration - Basic consent from both source and target Azure AD administrator accounts. |
| Migrate mailboxes |
Mailbox Migration consent from both source and target Azure AD administrator accounts. |
| Migrate Public Folders |
Migration - Mailbox Migration consent and Exchange Administrator role for source and target Azure AD administrator accounts. The Owner permission for the root Public Folder of the target tenant must also be granted to the target Azure AD administrator account. |
For SharePoint migration
| All tasks |
Migration - Basic consent from both source and target Azure AD administrator accounts. |
| Migrate OneDrive |
Migration - SharePoint consent from both source and target Azure AD administrator accounts. |
| Migrate SharePoint |
Migration - SharePoint consent from source and target Azure AD administrator accounts. The target tenant should already have the fully configured SharePoint with the active license plan. See Prerequisites for details. |
For Teams migration
| All tasks |
Migration - Basic consent from both source and target Azure AD administrator accounts. |
| Migrate Microsoft Teams and Microsoft 365 Groups with Teams functionality |
Mailbox Migration, Migration - SharePoint and Migration - Teams consents, the Global Administrator or Teams Administrator Azure Active Directory role, and the ApplicationImpersonation Microsoft Exchange Server role for both source and target Azure AD administrator accounts. |
Assigning Roles with PowerShell
To assign the required roles to an Azure AD administrator account you can use the PowerShell script as described below. Run this script as a Global Administrator for the source and target tenant.
This script assigns all minimum required permissions to the Azure AD administrator account odmServiceAccount@contoso.onmicrosoft.com. You can specify only the minimum roles required for the processes that you want to perform.
$serviceAccountUpn = "odmServiceAccount@contoso.onmicrosoft.com" |
function AssignAzureAdRole($RoleName, $UserPrincipalName) |
{ |
$role = Get-AzureADDirectoryRole | Where {$_.displayName -eq $RoleName} |
if (!$role) |
{ |
$RoleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.DisplayName -eq $RoleName} |
$role = Enable-AzureADDirectoryRole -RoleTemplateId $RoleTemplate.ObjectId |
} |
|
if ((Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId).UserPrincipalName -notcontains $UserPrincipalName) |
{ |
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId (Get-AzureADUser -Filter "userPrincipalName eq '$UserPrincipalName'").ObjectID |
} |
} |
|
function AssignExchangeRoles($RoleName, $UserPrincipalName, $Roles) |
{ |
$group = Get-RoleGroup -Filter "Name -eq '$RoleName'" |
if (!$group) |
{ |
$group = New-RoleGroup $RoleName |
} |
$group | Update-RoleGroupMember -Members $UserPrincipalName -Confirm:$false |
|
$Roles | ?{ $group.Roles -notcontains $_ } | %{ |
New-ManagementRoleAssignment -SecurityGroup $group.Id -Role $_ |
} |
} |
|
Import-Module AzureAD |
Import-Module ExchangeOnlineManagement |
|
# Assign AzureAD roles |
Connect-AzureAD |
AssignAzureAdRole 'Guest Inviter' $serviceAccountUpn |
AssignAzureAdRole 'SharePoint Administrator' $serviceAccountUpn |
|
# Assign Exchange Online roles |
Connect-ExchangeOnline |
AssignExchangeRoles 'QuestODMServiceAccount' $serviceAccountUpn ( |
'ApplicationImpersonation', |
'Mail Recipients', |
'Federated Sharing', |
'Security Group Creation and Membership', |
'Mail Recipient Creation', |
'Transport Rules', |
'Remote and Accepted Domains', |
'Distribution Groups' |
) |
Adding a Tenant
Each On Demand migration project needs a source and target tenant. For steps to add tenants to the On Demand organization, see the Tenant Management section in the On Demand Global Settings User Guide.
For users in the United States deployment region
On Demand Migration offers two options depending on the type of Microsoft Office 365 tenant that you want to add:
- Commercial or GCC Tenant - choose this option if you want to add either a Microsoft Office 365 commercial tenant hosted on the Azure public cloud or a Microsoft Office 365 GCC (Government Community Cloud) tenant with moderate cyber-security and compliance standards hosted on the Azure Government cloud.
- GCC High Tenant - choose this option if you want to add a Microsoft Office 365 GCC High tenant with advanced cyber-security and compliance standards like NIST 800-171, FedRAMP High and ITAR hosted on the Azure Government cloud.
|
|
NOTE: When you create a migration project, a GCC or GCC High tenant can be used as the target tenant only. |
Upgrading Throttling Policies
Exchange Web Services (EWS) are throttled by Microsoft whenever large quantities of data flows through the EWS platform. The On Demand Migration service throughput can be improved by upgrading the following throttling policy parameter setting to Unlimited:
- EwsMaxBurst - Defines the amount of time that an EWS user can consume an elevated amount of resources before being throttled. This is measured in milliseconds. This value is set separately for each component.
- EwsRechargeRate - Defines the rate at which an EWS user's budget is recharged (budget grows by) during the budget time.
- EwsCutoffBalance - Defines the resource consumption limits for EWS user before that user is completely blocked from performing operations on a specific component.
Tenant administrators can upgrade the throttling policies by making a service request with Microsoft.
