Chat now with support
Chat with Support

On Demand Migration Current - User Guide

About On Demand Migration Working with On Demand Migration Account Migration Mailbox Migration OneDrive Migration Microsoft Teams Migration Microsoft 365 Groups Migration SharePoint Migration Public Folders Migration Troubleshooting Finalizing the Migration Appendix A: Working with PowerShell

Roles

Quest On Demand uses the Role-based Access Control (RBAC) security policy that restricts information system access to authorized users. Subscribers can create specific roles based on job functions, with the permissions to perform needed operations on the assets of the organization. When users are assigned to On Demand roles, they inherit the authorizations or permissions defined for those roles. RBAC simplifies permission administration for subscribers because permissions are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments.

The following are some key Quest On Demand and tenant roles that you will need to work with On Demand Migration.

On Demand Administrator

This role is assigned to users who have full access to the Quest On Demand application. They can manage organizations and tenants, initiate the migration of tenant assets, manage licenses, audit records and perform many other functions through the Quest On Demand application. Some of the key permissions associated with this role are as follows:

Permission Description Service Scope
Create, Rename and Delete projects Required permission to create, rename and delete migration projects from the Projects Dashboard On Demand Migration
View projects and manage selected services This permission must be select to activate the individual permissions to view and manage services. Services selected for this permission will be inherited by all child permissions On Demand Migration
View projects Required permission to be able to view objects tasks and events for the selected services. Only the tiles for the selected services will be shown in the project dashboards.

Always inherited from parent permission

 On Demand Migration
Edit project properties Permission to edit properties associated with project services. E.g Enables access to Accounts Configure Connections and SharePoint Configure Project. On Demand Migration
Run a full discovery

Permission to enable the action that allows users to run the task that will discover all available objects.

 Accounts, Teams, SharePoint, Public Folders
Run a scoped discovery with CSV file

Permission to enable the actions that allows users to run the task that will discover objects based on a list contained in a prepared CSV file.

 Accounts, Teams, SharePoint
Run a scoped discovery from security group Permission to enable the actions that allows users to run the task that will discover objects based on selected security group. Accounts
Run content discovery tasks

Permission to enable the actions that allows users to discover content and statistics about selected objects.

 Mailboxes, OneDrive, SharePoint
Run match and map tasks

Permission to enable the actions that allows users to find matching objects on the target for selected objects and to map objects on source and target based on prepared CSV file.

 Accounts, Teams, SharePoint
Run provision and migration tasks

Permission to enable the actions that allow user to provision and migrate selected objects to the target.

 Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders
Manage collections

Permission to enable actions for creating and manage the Collection feature.

 Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent
Update and delete migration objects

Permission to enable the action that allows the user to remove selected objects form the list of services object grid.

 Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent
Acknowledge and clear task events

Permission to enable the action that allows the user to acknowledge and clear events from the Events grid.

 Accounts, Mailboxes, OneDrive, Teams, SharePoint, Public Folders, Desktop Update Agent
Manage Desktop Update Agent Permission to enable all management actions in Desktop Update Agent. Desktop Update Agent
On Demand predefined roles

Quest On Demand is shipped with many predefined roles. On Demand Administrator, Migration Administrator, Audit Administrator, License Management Administrator and Recovery Administrator are some examples.

On Demand custom roles

You can create more roles with specific permissions to allow other users to work with On Demand Migration. See the On Demand Global Settings Current User Guide for more information about setting up roles.

Tenant Administrator

In this document the term Tenant Administrator refers to the Azure active directory user account for the source or target tenant that is assigned the Global administrator security role and has full access to the tenant. Each tenant that you add to a project requires the credentials of the tenant administrator. The tenant administrator requires additional roles to grant the necessary consents to the On Demand service principals that are created in the tenant to access various assets in the tenant during the migration lifecycle. See Consents and Permissions for more details. For more information about user and service principals see the Microsoft article Application and service principal objects in Azure Active Directory.

Tenant administrator accounts must have a mailbox with a valid Microsoft Exchange Online license.

To use On Demand Migration, the tenant administrator for each tenant in a project must grant Azure consents and permissions to the On Demand Migration service principals.

Migration Manager

You can use a temporary tenant user account to operate on tenant assets. In this document the term Migration Manager refers to the source or target Azure active directory user account that has temporary access to the tenant through the Global administrator security role. Depending on the tenant asset that is being migrated, this temporary user account must grant specific consents. For example, to migrate Teams see the roles required for Teams migration.

If you choose to work with this temporary account, you must login to the tenant as the Migration Manager and grant the consents and permissions to the On Demand service principal.

When you are done with the migration, it is recommended that you delete the temporary account for security reasons. See Finalizing the Migration for more details.

Multi-factor authentication

Multi-factor authentication (MFA) is supported for tenant administrators. For On Demand users, MFA support depends on how your organization has set up your access.

If you sign-in with your email and password, MFA has not been activated. If you click Sign in with Microsoft, MFA has been activated. If your organization requires multi-factor authentication and you receive an authorization error, your conditional access policy may not be configured correctly. You can do one of two things:

  • Contact your IT administrator to deactivate MFA for during migrations.
  • Contact "Azure Identity" support for help with configuring conditional access policies.

Working with On Demand Migration

On Demand Migration provides intuitive project management for migrating accounts and content from one tenant to another. You can create a migration project that provides a full range of migration features, and track accounts and content migration in one comprehensive migration project dashboard. You can create multiple migration projects and use the My Projects list view for a summarized list of all your migration projects.

Migration steps

Stage # Step
Preparation 1 Add source and target tenants
2 Grant consents
3 [optional] Upgrade throttling policies, install a Desktop Update Agent, plan a test or pilot migration
4 Create a migration project
Account migration 5 Discover accounts
6 Match source accounts with the existing target accounts
7 Migrate accounts
8 Start Address Rewriting for Domain Coexistence
Mailbox migration 9 Migrate mailboxes
10 Grant access to source user's resources to target users
OneDrive migration 11 Migrate OneDrive
Teams and Groups migration 12 Migrate Microsoft Teams and other Microsoft 365 Groups
SharePoint migration 13 Migrate SharePoint
Private Folders migration 14 Migrate Public Folders
Management 15 Monitor the progress and track issues
16 Finalize the migration
17 Troubleshooting

Tenants

Each On Demand migration project needs a source and target tenant. These are Commercial tenants. For users in the United States deployment region, On Demand Migration offers two options depending on the type of Microsoft 365 tenant that you want to add:

  • Commercial or GCC Tenant - choose this option if you want to add either a Microsoft 365 commercial tenant hosted on the Azure public cloud or a Microsoft 365 GCC (Government Community Cloud) tenant with moderate cyber-security and compliance standards hosted on the Azure Government cloud.
  • GCC High Tenant - choose this option if you want to add a Microsoft 365 GCC High tenant with advanced cyber-security and compliance standards like NIST 800-171, FedRAMP High and ITAR hosted on the Azure Government cloud.

NOTE: When you create a migration project, a GCC or GCC High tenant can be used as the target tenant only. Currently, only the On Demand Migration module supports GCC and GCC High tenants.

For more information about adding, removing and managing tenants, see Managing your Azure tenants and on-premises domains in the On Demand Global Settings Current User Guide.

Adding a tenant
  1. Log in to On Demand using the credentials you used to sign up for On Demand.
  2. If you have multiple organizations you must select an organization. If you have a single organization it will be automatically selected.
  3. If there are no tenants in your organization, click Add Tenant.

    -or-

    In the navigation panel on the left, click Tenants. The Office 365 Tenants page opens. Then click Add Tenant.

  4. The Add Tenant page opens.
    •   If you are in the US region, you must select the type of tenant that you are adding:
      • Click Add Commercial or GCC Tenant
        - or -
      • Click Add GCC High Tenant
      You are redirected to the Azure sign in page.
    • If you are in any region other than the US region, such as Europe, United Kingdom, Canada, or Australia, you are immediately redirected to the Microsoft login page.
  5. Enter your Azure AD Global Administrator credentials for the source tenant and click Next. A page opens with the list of permissions that you are granting.
  6. Click Accept to grant consent to the initial Core - Basic permission set to the On Demand service principal.
  7. The Office 365 Tenants page opens with the tenant added as a new tile.
  8. Repeat the steps to add a target tenant.

Consents and Permissions

The ability for On Demand service principals to access and operate with tenant assets requires explicit permissions. The Tenant Administrator grants these permissions through consents.

Each tenant that is added has granted consent to the initial Core - Basic permission set to the On Demand service principal. Additional consents are required to work with different features of On Demand Migration.

Granting Consent
  1. Click Tenants from the navigation pane.
  2. Select a tenant and click Edit Consents from the tenant tile.
  3. Click Grant Consent or Regrant Consent for the permissions type.
  4. Click Accept in the consents page.

When you have granted the consents, you can verify that the service principals were successfully created in the tenant. You must verify both source and target tenants.

  1. Log in to the Azure admin portal.
  2. Click Enterprise applications from the navigation pane. Then click All applications.
  3. Filter the list if necessary and verify the list of service principals.

This section lists the minimum consents and permissions required by the various On Demand Migration service principals for managing tenants, Microsoft 365 objects and other migration services.

For initial tenant setup
Task Minimum consents and permissions
Add and configure tenants, and grant consent

Core-Basic consent from both Source and Target tenant administrator accounts.

Global Administrator role from both source and target tenant administrator accounts.

For Account migration
Task Minimum consents and permissions
All tasks including discover and migrate accounts Migration - Basic consent from both Source and Target tenant administrator accounts.
Migrate hybrid accounts

Global Administrator role for both Source and Target tenant administrator accounts.

Migrate Guest Users

Guest Inviter role for both Source and Target tenant administrator accounts.

Process Resources

Guest Inviter role for Source and Target tenant administrator accounts.

For Mailbox migration
Task Minimum consents and permissions
All tasks Migration - Basic consent from both Source and Target tenant administrator accounts.
Migrate mailboxes Mailbox Migration consent from both Source and Target tenant administrator accounts.
Migrate Public Folders

Migration - Mailbox Migration consent from both Source and Target tenant administrator accounts.

Exchange Administrator role for both Source and Target tenant administrator accounts.

Owner permission for the root Public Folder of the target tenant must also be granted to the target tenant administrator account.

IMPORTANT:You must provide explicit credentials using Configure Connections.

For OneDrive migration
Task Minimum consents and permissions
All tasks Migration - Basic consent from both Source and Target tenant administrator accounts.
Migrate OneDrive Migration - SharePoint consent from both Source and Target tenant administrator accounts.
Provision OneDrive

SharePoint Administrator role for provisioning OneDrive on the target tenant.

IMPORTANT:You must provide explicit credentials using Configure Connections.

For SharePoint migration
Task Minimum consents and permissions
All tasks Migration - Basic consent from both Source and Target tenant administrator accounts.
Migrate SharePoint Migration - SharePoint consent from both Source and Target tenant administrator accounts. The target tenant should already have the fully configured SharePoint with the active license plan. See Prerequisites for details.
For Teams migration
Task Minimum consents and permissions
All tasks Migration - Basic consent from both Source and Target tenant administrator accounts.
Migrate Teams and Microsoft 365 Groups with Teams functionality

Mailbox Migration, Migration - SharePoint and Migration - Teams consents.

Global Administrator or Teams Administrator Azure AD role, and the ApplicationImpersonation Microsoft Exchange Server role for both Source and Target tenant administrator accounts. In addition to these roles, the tenant administrator account that grants the consents to the Migration -Teams service also requires the following:

  • an active Microsoft 365 license
  • Microsoft Teams app enabled within the Microsoft 365 license
  • the account must remain active for the duration of the migration

If the Teams license check fails, verify that the source and target tenants are valid. Then run the PowerShell commands in Quest KB article 337302 to confirm that the tenant administrator account used to grant consent has TeamspaceAPI activated.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating