1. CloudM
  2. Migrate 4
  3. Configure your Connections
  4. Connection Setup
  5. Environment Configuration Guides

Azure AD Application - Limited Scopes - Manual Method (Source only)

Shaun Richards
Updated

Purpose

CloudM Migrate utilizes Modern Authentication to connect to Microsoft 365 source and destination platforms. This approach replaces passwords with certificates, which only have permissions necessary for migration.

This documentation outlines how to manually configure:

  • An Azure AD Application with limited scopes

  • A PFX certificate

  • Scoped permissions using security groups

Note:

  • This guide is specific to export scenarios from Microsoft 365. Additionally, it is recommended to use the PowerShell method detailed in the below article.Azure AD Application - Limited Scopes - PowerShell Method
  • As scopes are being limited, CloudM Migrate’s connection tests will show warnings/errors regarding the missing scopes, but these may be ignored as the migration will still work.

Prerequisites

CloudM Migrate Source Administrator Configuration

Our documentation suggests that a Global Administrator is required to configure the authentication to an Office 365 source or destination, however, when you are limiting scopes the following applies:

  • A Global Administrator is required only to create the Azure AD application

  • The below field within the source connection in CloudM Migrate can contain any admin address (not GA) once you have the other required criteria to authenticate.

    • Note: If you are migrating Microsoft Teams a Global Admin account is required.

Certificate Generation

To create a new certificate and key, launch PowerShell as an administrator and run the below commands.

$certName = "MyAzureADAppCert"
$certPath = "$env:USERPROFILE\Desktop\$certName.pfx"
$certPassword = ConvertTo-SecureString -String "YourStrongPassword123!" -Force -AsPlainText

$cert = New-SelfSignedCertificate `
  -Subject "CN=$certName" `
  -CertStoreLocation "cert:\CurrentUser\My" `
  -KeyExportPolicy Exportable `
  -KeySpec Signature `
  -KeyLength 2048 `
  -NotAfter (Get-Date).AddYears(2) `
  -HashAlgorithm "SHA256"

Export-PfxCertificate `
  -Cert $cert `
  -FilePath $certPath `
  -Password $certPassword

# Export public certificate
$publicPath = "$env:USERPROFILE\Desktop\$certName.cer"
Export-Certificate -Cert $cert -FilePath $publicPath

Exchange Online

Restricting app access to Exchange Online cannot be done through the Microsoft 365 user interface. This section explains how to achieve it using PowerShell, specifically with the ExchangeOnlineManagement module and the New-ApplicationAccessPolicy cmdlet.

SharePoint Online

SharePoint Online does not provide a user interface for restricting app access. This section outlines how to configure access using PowerShell, leveraging the New-MgSitePermission cmdlet along with the following Microsoft Graph modules:

  • Microsoft.Graph.Identity.DirectoryManagement

  • Microsoft.Graph.Applications

  • Microsoft.Graph.Files

  • Microsoft.Graph.Sites

Create Microsoft Azure AD Application

  1. Go to: Azure AD Application Registration

  2. Choose Accounts in this organizational directory only (Single tenant).

  3. Click Register.

  4. Under Application ID URI.

  5. click Add, then Save.

  6. In Overview, click Add Certificate or Secret

  7. Click Certificates > Upload Certificate

  8. Upload the certificate previously created then click on Add.

API Permissions

  1. Click on API Permissions
  2. Remove default permission User.Read
  3. Add a Permission (SharePoint)
    1. Under Microsoft APIs select SharePoint
    2. Application Permissions
    3. Select “Sites.Selected”
    4. Add Permissions
  4. Click on API Permissions
    1. Add a Permission (Microsoft Graph)
    2. Under Microsoft Graph select Application Permissions
    3. Select Files.Read.All and User.Read.All
    4. Add Permissions
  5. Click on API Permissions
    1. Add a Permission (Exchange)
    2. Select APIs my Organization uses
    3. Select Office 365 Exchange Online
    4. Application Permissions
    5. Select ‘full_access_as_app’

Once the permissions are added, click on Grant Admin Consent. You should now see the below. Note, these are the minimum scopes required. User.Read.All is required to check that the user exists in the source and Files.Read.All to resolve the users OneDrive Url/Sites Url

Exchange Online

  1. Go to: Microsoft Exchange Admin Center

  2. Create a Mail-enabled Security Group:

    • Assign Owners

    • Add Members : This will be the users you are migrating data from.

    • Note the group's email address

  3. Run the following PowerShell, replacing the AppId and PolicyScopeGroupId with your Application Id (Client Id) and group email address.

Note: When running the below PowerShell commands, please make sure to authenticate with a Global Admin account.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

New-ApplicationAccessPolicy `
  -AppId <Application_Client_ID> `
  -PolicyScopeGroupId <Group_Email> `
  -AccessRight RestrictAccess `
  -Description "Restricted policy for App"

Disconnect-ExchangeOnline

OneDrive and SharePoint Online

Requirements

  • Executing user must be a Site Collection Administrator

  • Site ID is required (can be retrieved via PowerShell or Microsoft Graph Explorer)

  • If a 403 error is returned, it will be required to add the user running the script as a site collection administrator to then add the permission using the New-MgSitePermission command. The user can then be removed from the site collection.

OneDrive Example Script

This example script get's the site collection for user@domain.com and grants the appropriate permissions in order to migrate. You will need to replace the $ClientAppId variable with your application client ID and the $user variable with your users email address.

$Environment = "Global"
$ClientAppId = "c38c5334-ae03-4a18-a3a9-7ba9c441e07b"
$user = "user@domain.com"
$neededScopes = @("Group.Read.All", "Sites.FullControl.All")

Connect-MgGraph -Environment $Environment -Scope $neededScopes -NoWelcome

$params = @{
  roles = @("FullControl")
  grantedToIdentities = @(
    @{
      application = @{
        id = $ClientAppId
        displayName = "CloudM-Limited-$($ClientAppId)"
      }
    }
  )
}

$drive = Get-MgUser -UserId $user -Property "mySite"
$uri = [System.Uri]::new($drive.MySite)
$siteId = (Invoke-MgGraphRequest -Uri "v1.0/sites/$($uri.Host):$($uri.AbsolutePath)").Id

$permission = New-MgSitePermission -SiteId $siteId -BodyParameter $params

Write-Host "Site ID: $siteId"
Write-Host "Permission ID: $($permission.Id)"

 

SharePoint Example Script

The below example script get's the site collection of a specific site ID and grants the appropriate permissions in order to migrate. You will need to set the $siteId variable to the ID of the site you wish to grant access to and the $ClientAppId variable to your application client ID.

$Environment = "Global"
$ClientAppId = "c38c5334-ae03-4a18-a3a9-7ba9c441e07b"
$neededScopes = @("Group.Read.All", "Sites.FullControl.All")
$siteId = <Site ID Goes here>

Connect-MgGraph -Environment $Environment -Scope $neededScopes -NoWelcome

$params = @{
  roles = @("FullControl")
  grantedToIdentities = @(
    @{
      application = @{
        id = $ClientAppId
        displayName = "CloudM-Limited-$($ClientAppId)"
      }
    }
  )
}

$permission = New-MgSitePermission -SiteId $siteId -BodyParameter $params

Write-Host "Site ID: $siteId"
Write-Host "Permission ID: $($permission.Id)"

Examples

The below images show examples of entities being migrated. The successful entities are items that the app registration has been granted access to with limited scopes.

User Email

User Drive

Sites

Was this article helpful?
0 out of 0 found this helpful