Organizations and Regions
When you sign up for the On Demand service for the first time, you create an organization and you become the On Demand organization administrator. You can add additional organization administrators.
For more information about managing your organization, see the Organizations and regions section in the On Demand Global Settings User Guide.
Tenants
Each On Demand migration project needs a source and target tenant. These are Commercial tenants. For users in the United States deployment region, On Demand Migration offers two options depending on the type of Microsoft 365 tenant that you want to add:
- Commercial or GCC Tenant - choose this option if you want to add either a Microsoft 365 commercial tenant hosted on the Azure public cloud or a Microsoft 365 GCC (Government Community Cloud) tenant with moderate cyber-security and compliance standards hosted on the Azure Government cloud.
- GCC High Tenant - choose this option if you want to add a Microsoft 365 GCC High tenant with advanced cyber-security and compliance standards like NIST 800-171, FedRAMP High and ITAR hosted on the Azure Government cloud.
NOTE: When you create a migration project, a GCC or GCC High tenant can be used as the target tenant only.
For steps to add tenants to the On Demand organization, see Adding a Tenant in the On Demand Global Settings Current User Guide.
Role Based Access Control (RBAC)
The following are some key roles that users will need to access and authorize tenant assets and work with On Demand Migration.
On Demand Administrator
This role is assigned to users who have full access to the Quest On Demand application. They can initiate the migration of tenant assets, manage licenses, audit records and perform many other functions through the Quest On Demand application.
Predefined On Demand roles
Quest On Demand is shipped with many predefined roles. On Demand Administrator, Migration Administrator, Audit Administrator, License Management Administrator and Recovery Administrator are some examples.
Custom On Demand roles
You can create more roles with specific permissions to allow other users to work with On Demand Migration. See the On Demand Global Settings Current User Guide for more information about setting up roles.
Permission | Description | Services
Create, Rename and Delete projects | Required permission to create, rename and delete migration projects from the Projects Dashboard. | On Demand Migration
View projects and manage selected services | This permission must be selected to activate the individual permissions to view and manage services. Services selected for this permission are inherited by all child permissions. | On Demand Migration
View projects | Required permission to view objects, tasks and events for the selected services. Only the tiles for the selected services are shown in the project dashboards. Always inherited from the parent permission. | On Demand Migration
Edit project properties | Permission to edit properties associated with project services, for example access to Accounts Configure Connections and SharePoint Configure Project. | On Demand Migration
Run a full discovery | Permission to enable the action that allows users to run the task that discovers all available objects. | Accounts, Teams, SharePoint, Public Folders
Run a scoped discovery with CSV file | Permission to enable the actions that allow users to run the task that discovers objects based on a list contained in a prepared CSV file. | Accounts, Teams, SharePoint
Run a scoped discovery from security group | Permission to enable the actions that allow users to run the task that discovers objects based on a selected security group. | Accounts
Run content discovery tasks | Permission to enable the actions that allow users to discover content and statistics about selected objects. | Mailboxes, OneDrive, SharePoint
Run match and map tasks | Permission to enable the actions that allow users to find matching objects on the target for selected objects and to map objects on source and target based on a prepared CSV file. | Accounts, Teams, SharePoint
Run provision and migration tasks | Permission to enable the actions that allow users to provision and migrate selected objects to the target. | Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders
Manage collections | Permission to enable the actions for creating and managing collections (the Collection feature). | Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent
Update and delete migration objects | Permission to enable the action that allows the user to remove selected objects from the list of services object grid. | Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent
Acknowledge and clear task events | Permission to enable the action that allows the user to acknowledge and clear events from the Events grid. | Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent
Manage Desktop Update Agent | Permission to enable all management actions in Desktop Update Agent. | Desktop Update Agent
Multi-factor authentication
Multi-factor authentication (MFA) is supported for tenant administrators. For On Demand users, MFA support depends on how your organization has set up your access.
If you sign in with your email and password, MFA has not been activated. If you click Sign in with Microsoft, MFA has been activated. If your organization requires multi-factor authentication and you receive an authorization error, your conditional access policy may not be configured correctly. You can do one of two things:
- Contact your IT administrator to deactivate MFA during migrations.
- Contact "Azure Identity" support for help with configuring conditional access policies.
Consents and Permissions
To use On Demand Migration, the tenant administrator (a user account with the Global administrator security role) for each tenant in a project must grant Azure consents and permissions to the On Demand Migration service principals.
Typical user accounts
Tenant Administrator
In this document the term Tenant Administrator refers to the Azure Active Directory user account that is assigned the Global administrator security role and has full access to a tenant. Each tenant that you add to a project requires the credentials of the tenant administrator. The tenant administrator requires additional roles to grant the necessary consents to the On Demand service principals that are created in the tenant to access various assets in the tenant during the migration lifecycle. See Consents and Permissions for more details. For more information about user and service principals, see the Microsoft article Application and service principal objects in Azure Active Directory.
Tenant administrator accounts must have a mailbox with a valid Microsoft Exchange Online license.
Migration Manager
You can use a temporary user account to migrate On Demand assets. In this document the term Migration Manager refers to the Azure Active Directory user who has temporary access to a tenant through the Global administrator security role. Depending on the On Demand asset that is being migrated, this temporary user account must be granted specific Azure AD roles. For example, to migrate Teams, see the roles required for Teams migration.
If you choose to work with a temporary account, you must log in to the tenant and regrant the consents and permissions for the On Demand asset being migrated.
When you are done with the migration, it is recommended that you delete the temporary account for security reasons. See Finalizing the Migration for more details.
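One way to confirm, after finalizing, that the temporary Migration Manager account has actually lost Global Administrator and has been disabled or deleted. This is an added example, not part of the Quest documentation; it assumes the Microsoft Graph PowerShell SDK and a placeholder user principal name for the temporary account.

```powershell
# Added example (not Quest documentation): after Finalizing the Migration, confirm
# that the temporary Migration Manager account has lost Global Administrator and
# has been disabled or deleted. Assumes the Microsoft.Graph PowerShell module.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    # Placeholder UPN of the temporary account; replace with your own
    [string] $TempAccountUpn = 'odm-temp-admin@contoso.example'
)

Connect-MgGraph -TenantId $TenantId -Scopes 'User.Read.All','RoleManagement.Read.Directory' -NoWelcome

# Active (directly assigned) members of the Global Administrator role
$gaRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$gaMembers = @()
if ($gaRole) { $gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) }

$user = Get-MgUser -Filter "userPrincipalName eq '$TempAccountUpn'" -Property Id,UserPrincipalName,AccountEnabled
if (-not $user) {
    Write-Host "OK: $TempAccountUpn no longer exists in $TenantId."
} elseif ($gaMembers.Id -contains $user.Id) {
    Write-Warning "$TempAccountUpn still holds Global Administrator. Remove the role, then delete the account."
} elseif ($user.AccountEnabled) {
    Write-Warning "$TempAccountUpn is not an administrator but is still enabled. Delete the account."
} else {
    Write-Host "OK: $TempAccountUpn is disabled and holds no Global Administrator role; delete it to finish."
}

# Remaining Global Administrators, for a final review of standing privileged access
Write-Host "`nGlobal Administrator members in $TenantId :"
foreach ($m in $gaMembers) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    if (-not $upn) { $upn = "$($m.Id) (service principal or group)" }
    Write-Host "  $upn"
}
Disconnect-MgGraph | Out-Null
```

Get-MgDirectoryRoleMember lists only active, directly assigned members; eligible Privileged Identity Management assignments are not shown and need a separate review.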
Granting Consent
Whenever you add tenants to your organization, you must log in as the tenant administrator. You will be redirected to the Azure consent page as shown below.
- Click Accept to allow the addition of the Quest On Demand - Core - Basic application service principal to the tenant and grant the initial Core - Basic consent to the service principal.
- The Edit Consents page automatically opens when you add a new tenant. Otherwise, click the Tenants link in On Demand. Then click Edit consents from the tenant tile.
- For each asset class, click Grant consent or Regrant consent.
- Provide the tenant administrator credentials.
- Click Accept in the consents page.
When you have granted the consents, you can verify that the service principals were successfully created in the tenant. You must verify both source and target tenants.
- Log in to the Azure admin portal.
- Click Enterprise applications from the navigation pane. Then click All applications.
- Filter the list if necessary and verify the list of service principals.
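The portal check above can also be scripted so that both tenants are verified the same way, including which permissions each service principal was actually granted. This PowerShell script is an added example, not part of the Quest documentation; it assumes the Microsoft Graph PowerShell SDK and that the On Demand service principals' display names start with "Quest On Demand" (the page names one such application, Quest On Demand - Core - Basic).

```powershell
# Added example (not Quest documentation): verify that the On Demand service
# principals exist in a tenant and list the permissions that were consented.
# Assumes the Microsoft.Graph PowerShell module and a Global Administrator
# (or Global Reader) account; run once for the source and once for the target.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [string] $NamePrefix = 'Quest On Demand'   # assumed display-name prefix
)

Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All','Directory.Read.All' -NoWelcome

$principals = Get-MgServicePrincipal -Filter "startswith(displayName,'$NamePrefix')" -All
if (-not $principals) {
    Write-Warning "No service principals starting with '$NamePrefix' in $TenantId: consent was not granted."
    return
}

foreach ($sp in $principals) {
    Write-Host "`n$($sp.DisplayName)  (appId $($sp.AppId), enabled: $($sp.AccountEnabled))"

    # Application permissions (app role assignments), resolved to their permission names
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($a in $assignments) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        Write-Host ("  app  {0,-40} {1}" -f $resource.DisplayName, $role.Value)
    }

    # Delegated permissions (OAuth2 grants) consented on behalf of users
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
    foreach ($g in $grants) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
        Write-Host ("  user {0,-40} {1} ({2})" -f $resource.DisplayName, $g.Scope.Trim(), $g.ConsentType)
    }
}
Disconnect-MgGraph | Out-Null
```

Compare the output from the source and target tenants; a missing principal or an empty permission list for an asset class means that its consent must be granted or regranted from the Edit Consents page.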
This section lists the minimum consents and permissions required by the various On Demand Migration service principals for managing tenants, Microsoft 365 objects and other migration services.
For initial tenant setup
Task | Required consents and roles
Add and configure tenants, and grant consent | Core - Basic consent from both source and target tenant administrator accounts. Global Administrator role for both source and target tenant administrator accounts.
For Account migration
Task | Required consents and roles
All tasks, including discover and migrate accounts | Migration - Basic consent from both source and target tenant administrator accounts.
Migrate hybrid accounts | Global Administrator role for both source and target tenant administrator accounts. IMPORTANT: You must provide explicit credentials using Configure Connections.
Migrate Guest Users | Guest Inviter role for both source and target tenant administrator accounts. IMPORTANT: You must provide explicit credentials using Configure Connections.
Process Resources | Guest Inviter role for source and target tenant administrator accounts. IMPORTANT: You must provide explicit credentials using Configure Connections.
For Mailbox migration
Task | Required consents and roles
All tasks | Migration - Basic consent from both source and target tenant administrator accounts.
Migrate mailboxes | Mailbox Migration consent from both source and target tenant administrator accounts.
Migrate Public Folders | Migration - Mailbox Migration consent from both source and target tenant administrator accounts. Exchange Administrator role for both source and target tenant administrator accounts. Owner permission for the root Public Folder of the target tenant must also be granted to the target tenant administrator account. IMPORTANT: You must provide explicit credentials using Configure Connections.
For OneDrive migration
Task | Required consents and roles
All tasks | Migration - Basic consent from both source and target tenant administrator accounts.
Migrate OneDrive | Migration - SharePoint consent from both source and target tenant administrator accounts.
Provision OneDrive | SharePoint Administrator role for provisioning OneDrive on the target tenant. IMPORTANT: You must provide explicit credentials using Configure Connections.
For SharePoint migration
Task | Required consents and roles
All tasks | Migration - Basic consent from both source and target tenant administrator accounts.
Migrate SharePoint | Migration - SharePoint consent from both source and target tenant administrator accounts. The target tenant must already have fully configured SharePoint with an active license plan. See Prerequisites for details.
For Teams migration
Task | Required consents and roles
All tasks | Migration - Basic consent from both source and target tenant administrator accounts.
Migrate Teams and Microsoft 365 Groups with Teams functionality | Mailbox Migration, Migration - SharePoint and Migration - Teams consents. Global Administrator or Teams Administrator Azure AD role, and the ApplicationImpersonation Microsoft Exchange Server role for both source and target tenant administrator accounts. In addition to these roles, the tenant administrator account that grants the consents to the Migration - Teams service also requires an active Microsoft 365 license with the Microsoft Teams app enabled within that license, and the account must remain active for the duration of the migration.
If the Teams license check fails, verify that the source and target tenants are valid. Then run the PowerShell commands in Quest KB article 337302 to confirm that the tenant administrator account used to grant consent has TeamspaceAPI activated.