Chat now with support
Chat with Support

On Demand Migration Current - User Guide

About On Demand Migration Working with On Demand Migration Account Migration Mailbox Migration OneDrive Migration Microsoft Teams Migration Microsoft 365 Groups Migration SharePoint Migration Public Folders Migration Troubleshooting Finalizing the Migration Appendix A: Using PowerShell

Roles

Quest On Demand uses the Role-based Access Control (RBAC) security policy that restricts information system access to authorized users. Subscribers can create specific roles based on job functions, with the permissions to perform needed operations on the assets of the organization. When users are assigned to On Demand roles, they inherit the authorizations or permissions defined for those roles. RBAC simplifies permission administration for subscribers because permissions are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments.

The following are some key Quest On Demand and tenant roles that you will need to work with On Demand Migration.

On Demand Administrator

This role is assigned to users who have full access to the Quest On Demand application. They can manage organizations and tenants, initiate the migration of tenant assets, manage licenses, audit records and perform many other functions through the Quest On Demand application. Some of the key permissions associated with this role are as follows:

Permission Description Service Scope
Can Export Data Permission to export data as well as download the premigration report, comparison report and error report. Migration
Create, Rename and Delete projects Required permission to create, rename and delete migration projects from the Projects Dashboard On Demand Migration
View projects and manage selected services This permission must be selected to activate the individual permissions to view and manage services. Services selected for this permission will be inherited by all child permissions. On Demand Migration
View projects Required permission to be able to view objects tasks and events for the selected services. Only the tiles for the selected services will be shown in the project dashboards.

Always inherited from parent permission

On Demand Migration
Edit project properties Permission to edit properties associated with project services. For example, this permission enables access to Accounts Configure Connections and SharePoint Configure Project. On Demand Migration
Run a full discovery

Permission to enable the action that allows users to run the task that will discover all available objects.

Accounts, Teams, SharePoint, Public Folders
Run a scoped discovery with CSV file

Permission to enable the actions that allows users to run the task that will discover objects based on a list contained in a prepared CSV file.

Accounts, Teams, SharePoint
Run a scoped discovery from security group Permission to enable the actions that allows users to run the task that will discover objects based on selected security group. Accounts
Run content discovery tasks

Permission to enable the actions that allows users to discover content and statistics about selected objects.

Mailboxes, OneDrive, SharePoint
Run match and map tasks

Permission to enable the actions that allows users to find matching objects on the target for selected objects and to map objects on source and target based on prepared CSV file.

Accounts, Teams, SharePoint
Run provision and migration tasks

Permission to enable the actions that allow user to provision and migrate selected objects to the target.

Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders
Manage collections

Permission to enable actions for creating and manage the Collection feature.

Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent
Update and delete migration objects

Permission to enable the action that allows the user to remove selected objects form the list of services object grid.

Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent
Acknowledge and clear task events

Permission to enable the action that allows the user to acknowledge and clear events from the Events grid.

Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent
Manage Desktop Update Agent Permission to enable all management actions in Desktop Update Agent. Desktop Update Agent
On Demand predefined roles

Quest On Demand is shipped with many predefined roles. On Demand Administrator, Migration Administrator, Audit Administrator, License Management Administrator and Recovery Administrator are some examples.

On Demand custom roles

You can create more roles with specific permissions to allow other users to work with On Demand Migration. See the On Demand Global Settings Current User Guide for more information about setting up roles.

Tenant Administrator

In this document the term Tenant Administrator refers to the Azure active directory user account for the source or target tenant that is assigned the Global administrator security role and has full access to the tenant. Each tenant that you add to a project requires the credentials of the Tenant Administrator. The Tenant Administrator may require additional roles to grant the necessary consents to various On Demand service principals that are created in the tenant to access various assets in the tenant during the migration lifecycle. See Consents and Permissions for more details. For more information about user and service principals see the Microsoft article Application and service principal objects in Azure Active Directory.

Tenant Administrator accounts must have a mailbox with a valid Microsoft Exchange Online license.

To use On Demand Migration, the Tenant Administrator for each tenant in a project must grant Azure consents and permissions to the On Demand Migration service principals.

Migration Manager

You can use a temporary tenant user account to operate on tenant assets. In this document the term Migration Manager refers to the source or target Azure active directory user account that has temporary access to the tenant through the Global administrator security role. Depending on the tenant asset that is being migrated, this temporary user account must grant specific consents. For example, when teams are migrated, the account that is assigned the Migration Manager role is added to the team. This temporary role is required for migrating teams by the by the On Demand Migration service.

If you choose to work with this temporary account, you must login to the tenant as the Migration Manager and grant the consents and permissions to the On Demand service principal.

When you are done with the migration, it is recommended that you delete the temporary account for security reasons. See Finalizing the Migration for more details.

Multi-factor authentication

Multi-factor authentication (MFA) is supported for tenant administrators when granting Consents and Permissions. MFA is not supported for accounts whose credentials are entered explicitly when configuring connections for migrating Public Folders or provisioning OneDrive on the target tenant.. For On Demand users, MFA support depends on how your organization has set up your access.

If you sign-in with your email and password, MFA has not been activated. If you click Sign in with Microsoft, MFA has been activated. If your organization requires multi-factor authentication and you receive an authorization error, your conditional access policy may not be configured correctly. You can do one of two things:

  • Contact your IT administrator to deactivate MFA for during migrations.
  • Contact "Azure Identity" support for help with configuring conditional access policies.

Working with On Demand Migration

On Demand Migration provides intuitive project management for migrating accounts and content from one tenant to another. You can create a migration project that provides a full range of migration features, and track accounts and content migration in one comprehensive migration project dashboard. You can create multiple migration projects and use the My Projects list view for a summarized list of all your migration projects.

Migration steps

References to common migration steps are provided in the table below. There are many more activities that are required to prepare and migrate Office 365 assets, and these are described in detail in the subsequent topics.

Stage Step
Preparation Add source and target tenants
Grant consents
Upgrade throttling policies, install a Desktop Update Agent, plan a test or pilot migration
Create a migration project
Account migration Discover accounts
Match source accounts with the existing target accounts
Migrate accounts
(optional) Start Address Rewriting for Domain Coexistence
Mailbox migration Migrate mailboxes
Grant access to source user's resources to target users
OneDrive migration Migrate OneDrive
Teams and Groups migration Migrate Microsoft Teams
Groups migration Migrate Microsoft 365 Groups
SharePoint migration Migrate SharePoint objects
Private Folders migration Migrate Public Folders
Management Monitor the progress and track issues
Finalize the migration
Troubleshooting

Tenants

Each On Demand migration project needs a source and target tenant. These are Commercial tenants. For users in the United States deployment region, On Demand Migration offers two options depending on the type of Microsoft 365 tenant that you want to add:

  • Commercial or GCC Tenant - choose this option if you want to add either a Microsoft 365 commercial tenant hosted on the Azure public cloud or a Microsoft 365 GCC (Government Community Cloud) tenant with moderate cyber-security and compliance standards hosted on the Azure Government cloud.
  • GCC High Tenant - choose this option if you want to add a Microsoft 365 GCC High tenant with advanced cyber-security and compliance standards like NIST 800-171, FedRAMP High and ITAR hosted on the Azure Government cloud.

NOTE: When you create a migration project, a GCC or GCC High tenant can be used as the target tenant only. Currently, only the On Demand Migration module supports GCC and GCC High tenants.

For more information about adding, removing and managing tenants, see Managing your Azure tenants and on-premises domains in the On Demand Global Settings Current User Guide.

Adding a tenant
  1. Log in to On Demand using the credentials you used to sign up for On Demand.
  2. If you have multiple organizations you must select an organization. If you have a single organization it will be automatically selected.
  3. If there are no tenants in your organization, click Add Tenant.

    -or-

    In the navigation panel on the left, click Tenants. The Office 365 Tenants page opens. Then click Add Tenant.

  4. The Add Tenant page opens.
    •   If you are in the US region, you must select the type of tenant that you are adding:
      • Click Add Commercial or GCC Tenant
        - or -
      • Click Add GCC High Tenant
      You are redirected to the Azure sign in page.
    • If you are in any region other than the US region, such as Europe, United Kingdom, Canada, or Australia, you are immediately redirected to the Microsoft login page.
  5. Enter your Azure AD Global Administrator credentials for the source tenant and click Next. A page opens with the list of permissions that you are granting.
  6. Click Accept to grant consent to the initial Core - Basic permission set to the On Demand service principal.
  7. The Office 365 Tenants page opens with the tenant added as a new tile.
  8. Repeat the steps to add a target tenant.

Consents and Permissions

The ability for On Demand service principals to access and operate with tenant assets requires explicit permissions. The Tenant Administrator grants these permissions through consents. Multi-factor authentication (MFA) is supported for tenant administrators when granting consents.

Each tenant that is added has granted consent to the initial Core - Basic permission set to the On Demand service principal. Additional consents are required to work with different features of On Demand Migration

In this topic:

Granting Consents
  1. Click Tenants from the navigation pane.
  2. Select a tenant and click Edit Consents from the tenant tile.
  3. Click Grant Consent or Regrant Consent for the permissions type. Then click Accept in the Microsoft consents dialog.

When you have granted the consents, you can verify that the service principals were successfully created in the tenant. You must verify both source and target tenants.

  1. Log in to the Azure admin portal.
  2. Open the Microsoft Entra ID service page.
  3. Click Enterprise applications from the navigation panel. Then click All applications.
  4. Filter the list if necessary and verify the list of Quest On Demand service principals. Your list may differ from the image below.

This section lists the minimum consents and permissions required by the various On Demand Migration service principals for managing tenants, Microsoft 365 objects and other migration services. For more details about permissions used by each service principal, see the On Demand Migration Permissions Reference Guide.

Consents for initial tenant setup
Task Minimum consents and permissions
Add and configure tenants, and grant consent

Core-Basic consent from both Source and Target tenant administrator accounts.

Global Administrator role from both source and target tenant administrator accounts.

Each tenant that is added is granted consent to the initial Core - Basic permission set to the On Demand service principal. Additional consents are required to work with different features of On Demand Migration.

Consents for Account migration
Task Minimum consents and permissions
All tasks including discover and migrate accounts Migration - Basic consent from both Source and Target tenant administrator accounts.
Migrate hybrid accounts

Global Administrator role for both Source and Target tenant administrator accounts.

Migrate Guest Users

Guest Inviter role for both Source and Target tenant administrator accounts.

Process Resources

Guest Inviter role for Source and Target tenant administrator accounts.

Consents for Mailbox migration
Task Minimum consents and permissions
All tasks Migration - Basic consent from both Source and Target tenant administrator accounts.
Migrate mailboxes Mailbox Migration consent from both Source and Target tenant administrator accounts.
Migrate Public Folders

Migration - Mailbox Migration consent from both Source and Target tenant administrator accounts.

Exchange Administrator role for both Source and Target tenant administrator accounts.

Owner permission for the root Public Folder of the target tenant must also be granted to the target tenant administrator account.

IMPORTANT: You must provide explicit credentials using Configure Connections. Multi-factor authentication (MFA) is not supported for accounts whose credentials are entered explicitly.

Consents for OneDrive migration
Task Minimum consents and permissions
All tasks Migration - Basic consent from both Source and Target tenant administrator accounts.
Migrate OneDrive

Migration - OneDrive - Minimal consent from Source tenant administrator accounts.

Migration - OneDrive - Full consent from both Source and Target tenant administrator accounts.
Provision OneDrive

SharePoint Administrator role for provisioning OneDrive on the target tenant.

IMPORTANT: You must provide explicit credentials using Configure Connections. Multi-factor authentication (MFA) is not supported for accounts whose credentials are entered explicitly.

Consents for SharePoint migration
Task Minimum consents and permissions
All tasks Migration - Basic consent from both Source and Target tenant administrator accounts.
Migrate SharePoint

Migration - SharePoint - Minimal consent from Source tenant administrator accounts.

Migration - SharePoint - Full consent from both Source and Target tenant administrator accounts.
Consents for Teams migration
Task Minimum consents and permissions
All tasks Migration - Basic consent from both Source and Target tenant administrator accounts.
Migrate Teams and Microsoft 365 Groups with Teams functionality

Mailbox Migration, Migration - SharePoint - Minimal or Migration - SharePoint - Full, and Migration - Teams consents.

Global Administrator or Teams Administrator Azure AD role, and the ApplicationImpersonation Microsoft Exchange Server role for both Source and Target tenant administrator accounts. In addition to these roles, the tenant administrator account that grants the consents to the Migration -Teams service also requires the following:

  • an active Microsoft 365 license
  • Microsoft Teams app enabled within the Microsoft 365 license
  • the account must remain active for the duration of the migration

If the Teams license check fails, verify that the source and target tenants are valid. Then run the PowerShell commands in Quest KB article 337302 to confirm that the tenant administrator account used to grant consent has TeamspaceAPI activated.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating