-
标题
Domain Rewrite - Required accounts and permissions explained -
说明
The On Demand Migration (ODM) Domain Rewrite feature requires additional accounts and permissions. -
解决办法
When creating a new Domain Rewrite project, you will need to "Connect" the source and target tenant. The account used for this "consent granting" process will need to have Global Administrator rights and can have MFA enabled. However, much like the ODM data migration "consent granting" admin account, Global Administrator rights can be removed from this account after consent is granted. You could use the same account to connect/grant consent to Domain Rewrite that was used for the ODM data migration, if desired. The only time Global Administrator rights would be needed again if if you needed to "re-connect" the tenants due to token expiry at some point in the future.
During the Domain Rewrite setup process, three new accounts will be created in both the source and target tenants:
1 - BinaryTreePowerShellUser.xxxxxxxx - This user is automatically given Exchange Admin rights and an M365 license during the setup process. This account is used for the initial Discovery of the source and target environments. This user account cannot have MFA enabled and needs to be excluded from any Conditional Access Policies that require MFA.
2 - BinaryTreeCDSPowerShell.xxxxxxx - These use two accounts are given Teams Admin, Exchange Admin and User Admin rights during the setup process. These are the workhorse accounts that will actually modify mail-enabled object attributes in the cloud to support Domain Rewrite. This these accounts cannot have MFA enabled and need to be excluded from any Conditional Access Policies that require MFA.