Chat now with support
Chat with Support

Preparing Migration 8.15 - System Requirements and Access Rights

Migration Manager Console Migration to Microsoft Office 365 License Server Migration Manager Database Servers Migration Manager Agent Servers Statistics Portal Server Resource Updating Manager Resource Updating Wizards Processed Platforms Additional Environment Security Configuration Ports Used by General Migration Manager Components Ports Used by Migration Manager for Exchange Components Ports Used by Migration Manager for Active Directory Components Ports Used by Resource Updating Manager Accounts Required for Migration Manager Operation Accounts Used by the Directory Synchronization Agent Source Accounts Used by Migration Manager for Exchange Agents Target Accounts Used by Migration Manager for Exchange Agents Agent Host Account Used by Legacy Migration Manager for Exchange Agents Agent Host Account Used by Migration Agent for Exchange (MAgE) Accounts Used for Migrating to Microsoft Office 365 Accounts Used by RUM Agent Service Accounts Used by RUM Controller Service Account Used by Statistics Collection Agent Service Accounts Used by Statistics Portal Accounts Accounts and Rights Required for Active Directory Migration Tasks Accounts and Rights Required for Exchange Migration Tasks Using the Exchange Processing Wizard with Exchange 2010 or later Appendix. How to Set the Required Permissions for Active Directory Migration

Agent Host Account Used by Legacy Migration Manager for Exchange Agents

Used To Where Specified Rights and Permissions
  • Install and run Migration Manager for Exchange agents on the agent host
  • Access the license server

Agent host account is specified when registering an agent host. It can be changed in Properties of the agent host in the Migration Manager Console.

Note: Agents installed automatically on the specified default agent host during creation of a synchronization job, use the default agent host account. The default agent host account can be changed on the General>Default agent host page of the Exchange server Properties. Changing the account also affects all agents already installed on the default agent host.

  • Membership in the local Administrators group on the license server (unless alternative credentials are used for the license server). If server is located in another trusted forest, the account should have local Administrator permissions on the license server.
  • Local Administrator permissions on the agent host server.

To learn how to grant rights and permissions required for this account, refer to dedicated Exchange environment preparation documents.

Agent Host Account Used by Migration Agent for Exchange (MAgE)

Used To Where Specified Rights and Permissions
  • Run the Migration Agent for Exchange service
  • Read and write Service Connection Point (SCP)
  • Access the SQL database if Windows authentication is selected in migration project properties

During the Migration Agent for Exchange setup in the Migration Manager for Exchange console

  • Local Administrator permissions on the agent host server where the corresponding MAgE instance is installed
  • Membership in the local Administrators group on the license server (unless alternative credentials are used for the license server). If server is located in another trusted forest, the account should have local Administrator permissions on the license server

  • In case Windows authentication is selected in the migration project settings: the db_owner role on the SQL server where the database resides
  • Permission to create, read and write SCP in domain where agent host resides. The SCP object is located in the CN=Exchange Migration Project,CN=QmmEx,CN=Migration Manager,CN=Quest Software,CN=System,DC=eternity,DC=<...> ,DC=<...> Active Directory container.

To learn how to grant rights and permissions required for this account, refer to the Setting Up Source Agent Host Account section of the Source Exchange 2013 Preparation document.

Accounts Used for Migrating to Microsoft Office 365

Accounts Required for Migration Manager for Active Directory Operation

Console account

Used To (By) Where Specified Rights and Permissions

The account under which the administrator is logged on when Migration Manager for Active Directory (Microsoft Office 365) console is started.

This account is used to connect to ADAM/AD LDS and open the migration project. The appropriate users should have Full Control permission in ADAM/AD LDS.

At administrator's logon

Membership in the local Administrators group on the computer where Migration Manager for Active Directory (Microsoft Office 365) console is installed.

ADAM/AD LDS administrative account

Used To (By) Where Specified Rights and Permissions
Connect to ADAM/AD LDS and create a new migration project During ADAM/AD LDS instance installation After ADAM/AD LDS instance installation, this account is granted Full Control permission over the whole ADAM/AD LDS instance.

Agent service account

Used To (By) Where Specified Rights and Permissions
By the Directory Migration Agent to run

In Migration Manager for Active Directory (Microsoft Office 365) console when installing a DMA instance.

This account can be later changed by modifying the DMA instance settings.

Full Control permission in ADAM/AD LDS project.

Active Directory account

Used To (By) Where Specified Rights and Permissions
By the Directory Migration Agent to connect to the source Active Directory domain In Migration Manager for Active Directory (Microsoft Office 365) console when creating and configuring a domain pair or a connection.

Membership in the Domain Admins group.

If this is not possible, or in case you use a single administrative account for source and target domains:

  • Full Control permissions on the Domain partition via ADSIEdit (ensure those permission are propagated/inherited)
  • Read permissions on the Configuration partition via ADSIEdit (ensure those permission are propagated/inherited)

Note that a Domain Admin account should not be used as an Exchange account as it conflicts with the default Exchange security model (Domain Admins group has Deny for Send As and Receive As).

Office 365 administrative account

Used To (By) Where Specified Rights and Permissions
By the Directory Migration Agent to access Microsoft Office 365 In Migration Manager for Active Directory (Microsoft Office 365) console when creating and configuring a domain pair or a connection.

The Exchange Administrator,

User Management Administrator user roles,

ApplicationImpersonation and Mail Recipients roles

in Microsoft Office 365.

Important: An Exchange Online license must be assigned to this account. This account must have the default UPN suffix <tenant_name>.onmicrosoft.com.

Related Documents