Chat now with support
Chat with Support

Preparing Migration 8.15 - System Requirements and Access Rights

Migration Manager Console Migration to Microsoft Office 365 License Server Migration Manager Database Servers Migration Manager Agent Servers Statistics Portal Server Resource Updating Manager Resource Updating Wizards Processed Platforms Additional Environment Security Configuration Ports Used by General Migration Manager Components Ports Used by Migration Manager for Exchange Components Ports Used by Migration Manager for Active Directory Components Ports Used by Resource Updating Manager Accounts Required for Migration Manager Operation Accounts Used by the Directory Synchronization Agent Source Accounts Used by Migration Manager for Exchange Agents Target Accounts Used by Migration Manager for Exchange Agents Agent Host Account Used by Legacy Migration Manager for Exchange Agents Agent Host Account Used by Migration Agent for Exchange (MAgE) Accounts Used for Migrating to Microsoft Office 365 Accounts Used by RUM Agent Service Accounts Used by RUM Controller Service Account Used by Statistics Collection Agent Service Accounts Used by Statistics Portal Accounts Accounts and Rights Required for Active Directory Migration Tasks Accounts and Rights Required for Exchange Migration Tasks Using the Exchange Processing Wizard with Exchange 2010 or later Appendix. How to Set the Required Permissions for Active Directory Migration

Accounts Required for Migration Manager for Exchange Operation

Exchange account

Used To (By) Where Specified Rights and Permissions
Access local mailboxes and mail during migration to Microsoft Office 365 On the General>Connection page of the source Exchange server Properties in the Migration Manager for Exchange console

See the Source Accounts Used by Migration Manager for Exchange Agents topic.

Active Directory account

Used To (By) Where Specified Rights and Permissions
Work with the source Active Directory On the General>Associated domain controller page of the source Exchange server Properties in the Migration Manager for Exchange console See the Source Accounts Used by Migration Manager for Exchange Agents topic.

Office 365 administrative account

Used To (By) Where Specified Rights and Permissions

By Migration Agent for Exchange to access the corresponding Microsoft Office 365 tenant

For mailbox and calendar synchronization: during an Office 365 mailbox migration or calendar synchronization collection creation in the Migration Manager for Exchange console

  • User Management Administrator account
  • ApplicationImpersonation role
  • Mail Recipients role
  • Microsoft Exchange Online license
  • Default UPN
  • By legacy Migration Manager for Exchange agents to synchronize public folders with Office 365
  • For public folder synchronization: when adding Office 365 tenant in the Migration Manager for Exchange console

    • User Management Administrator account
    • ApplicationImpersonation role
    • Mail Recipients role
    • Microsoft Exchange Online license
    • Default UPN
    • The account should be associated with the primary hierarchy public folder mailbox
    • The account should be granted by Owner permissions on all public folders

    Note: Rights and permissions for the agent host account used by Migration Agent for Exchange (MAgE) are listed in Agent Host Account Used by Migration Agent for Exchange (MAgE) topic.

    Refer to the Migrating to Microsoft Office 365 document for more details.

    Account Required for Migration Manager to Access Tenant Data

    Migration Manager for Active Directory (Office 365) uses Microsoft Graph API to access Azure Active Directory. Administrative consent is required in order to grant the "Quest Migration Manager for Active Directory" application access to the tenant data.

    Microsoft Graph account

    Used To (By) Where Specified Rights and Permissions

    Grant the application access to the tenant data.

    Consent can be granted at the time of adding a Migration Pair or in advance using this hyperlink https://login.microsoftonline.com/###-####-###-####/adminconsent?client_id=8edd986e-2f01-4f62-84d2-34576b05fc01 where ###-#####-###-##### must be replaced with an actual tenant id (which can be obtained via the Azure Admin console).

    • Global Administrator or Privileged Role Administrator role

    • Once the Application has been granted access, the Migration Manager service account can function with the following minimal set of roles:

      • For Matching only: Exchange Administrator role

      • For Migration, the following minimal set of roles: Exchange Administrator, Directory Readers, Directory Writers

    Accounts Used by RUM Agent Service

    Migration Manager RUM Agent service account

    Used To (By) Where Specified Rights and Permissions

    Run the Migration Manager RUM Agent service on the computers to be processed

    For Migration Manager RUM agents installed using the Resource Updating Manager console, the Project | Manage Domains Credentials option should be used. If the account is not specified, the Local System account (default) is used.

    When creating agents setup to deploy agents using Group Policy or SMS, specify this account using the Project | Create Agent Setup option in the Resource Updating Manager console menu. If the account is not specified, the Local System account (default) is used.

    You can use either the Local System account (default) or a specified account.

    If you specify an account explicitly, make sure that it has sufficient privileges to create and remove computer accounts as part of the move operation. One way to do this is to give the account administrative rights in both the source and target domains (membership in the Domain Admins group of the source domain and in the domain local Administrators group of the target domain, or vice versa).

    However, if you prefer privileges to be more granular, you can give the account the following specific permissions:

    • Create All Child Objects on the target domain object
    • Delete All Child Objects on the source domain object

    Important: If computer running Migration Manager RUM Controller Service (in fact, computer running Migration Manager console) and computers running Migration Manager RUM Agent Service (workstations and servers to be processed) are located in different domains of different forests without trusts established between them then you should specify account for Migration Manager RUM Agent service account explicitly. The Local System account (default) cannot be used.

    Accounts Used by RUM Controller Service

    Migration Manager RUM Controller service account

    Used To (By) Where Specified Rights and Permissions
    • Run the Migration Manager RUM Controller Service on the console computer
    • Access a computer to install or uninstall the Resource Updating Agent (only if no other account is explicitly specified for domain using the Project | Manage Domains Credentials option in the Resource Updating Manager console menu)
    Project | Manage Controller Credentials option in the Resource Updating Manager console menu.
    • Must be a member of the local Administrators group on the computer running the Resource Updating Manager.
    • Must have Full Admin access rights on ADAM/AD LDS database.

    Local account

    Used To (By) Where Specified Rights and Permissions
    This account must be created only if computer running Migration Manager RUM Controller Service (in fact, computer running Migration Manager console) and computers running Migration Manager RUM Agent Service (workstations and servers to be processed) are located in different domains of different forests without trusts established between them.

    On computer running Migration Manager RUM Controller Service.

    Create local account with the same name and password as Migration Manager RUM Agent service account has.

    Must be a member of the local Administrators group on the computer running the Resource Updating Manager.
    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating