Microsoft are in the process of deprecating the Basic Authentication method that has historically been used to authorize CloudM Migrate to connect to the tenant’s Azure AD account, due to vulnerabilities in the process. CloudM recommends configuring the Modern Authentication method (as detailed below) as it will make connections more secure. Additional security processes (such as creating customer secrets and keys) are now included as part of Modern Authentication, instead of as a separate process. |
Warning: After upgrading to CloudM Migrate v3.22 or later, and updating / creating a new configuration, it will not be possible to downgrade to a previous release. This is because the configuration will contain new parameters that are not compatible with older versions of CloudM Migrate. |
The Internet Explorer Enhanced Security Configuration must be disabled prior to use, due to issues with the login popup. |
When using Modern Authentication, the Credential Method, set in the Advanced Settings of the source and destination platforms, must be set to Impersonation. Therefore, this setting will be overwritten to when Modern Authentication is enabled. |
What is Modern Authentication?
Modern authentication is a method of authenticating users that relies on multiple factors to verify the identity of a user. In CloudM Migrate, Modern Authentication is used as Microsoft requires authorization from a third party trying to connect to a Microsoft domain, regardless of whether you are migrating from or to the platform. The benefit of Modern Authentication is that you do not need to prove your identity every time you connect to Microsoft, as it uses ADAL (Active Directory Authentication Library) and OAuth 2.0.
Using Modern Authentication for Microsoft 365, CloudM Migrate can connect to your Azure AD account using a certificate instead of a password. The certificate will only have access to the required permissions to perform migrations. Modern Authentication will soon be a requirement from Microsoft.
Authenticating CloudM Migrate
In order to grant CloudM Migrate permissions to your Microsoft 365 environment, you need to register an application into Azure AD. This can be automated by CloudM Migrate.
In order to grant CloudM Migrate permissions to migrate Sharepoint site assets (including Notebooks), you need either an account password, or an application password.
If you have a new tenant where region blocking is enabled by default and try to run the automated process of adding the Azure App, the process will fail with a "server error". Either turn off region blocking or run the script on the local Powershell. Once the app is manually created, the migration will continue to run with the setting re-enabled. |
Authenticating via the CloudM Migrate application:
Before authenticating, ensure that the relevant API Permissions are enabled. Use this link to jump to the Azure AD Application section of this article that will explain how to enable the permissions.
To authenticate:
- Open your Microsoft 365 configuration in CloudM Migrate
- Go to the Source / Destination Platform step (1 or 2), where Microsoft 365 is the required platform, and click Add Settings.
- Ensure that you have set Authentication Method to Modern.
- Ensure that you have entered an Admin Name and Admin Password.
- Click the Create Azure AD Application button, and click the button again in the confirmation popup.
- Copy the code presented, then click on the link presented in the popup to be directed to your M365 admin console
- Enter the code you copied from Migrate
- Sign in with your global admin username and password
- Confirm your sign in to Microsoft graph command line tools
- Confirm the permissions requested
- You are now able to close the tab and return to Migrate
- The Client Id, Certificate Path and Certificate Password fields should now be set. Click the Next button to test the connection.
Authenticating manually using the powershell script:
If ‘Rehydrate Teams Private Chats’ is enabled as part of the ‘Migrating Teams Private Chats’. The script should also be executed making a note of the ‘Delegated Permissions Client ID’ and ‘Delegated Permissions Client ID Secret’ to add to your configuration.
The create application script is not supported on x86 installations of CloudM and will need to be run manually. |
You need to allow running of unsigned scripts. Set-ExecutionPolicy Unrestricted before using the .\CreateAzureADApplication.ps1. powershell script. To do so:
|
Download our powershell script here. Ensure you open powershell as Administrator in windows (for example press the windows key and type powershell, then choose the Run as Administrator option).
From here, change to the directory where you downloaded the powershell script file (for example enter cd C:\Users\Username\Downloads).
Then, you can run the script by typing .\CreateAzureADApplication.ps1. You will then be prompted to enter a certificate password (this is optional,and you can leave blank to skip). After entering the certificate password into the powershell, a login popup will appear. Sign into your account and approve the login with your MFA device.
After logging in, the script will generate the application in Azure AD and create certificate files in the same directory as the powershell script. The script will output the fields you will need to enter into your migration configuration. Copy the values for these fields into CloudM Migrate and click the Next button to test your connection.
Note that when running the script against a tenant that already has an application named CloudM Migrate, the application will be updated with a new Certificate replacing any existing certificate. This means that all migrations setup using the old certificate will need to be updated to use the new one. If you need to use modern authentication for multiple migration configurations on the same azure account, you should use the powershell script to generate the certificate once. You can then use the certificate file that is generated in as many configurations as needed. |
Deleting the Azure app
Login to https://portal/azure.com with the admin credentials provided in the migration (note that if MFA is enabled the account owner will need to approve the login).
From here, open the hamburger menu and go to Azure Active Directory. The click App registrations in the navigation panel.
You should see an item named CloudM Migrate. This should be under the Owned applications tab. Click the application and it will open the overview. From here you can navigate to properties and click the delete button.
Troubleshooting
Source / Destination platform warnings
This message indicates that the migration was created on a build of CloudM Migrate before the modern authentication feature, and a client secret was entered. The secret was used to enable authentication of the Microsoft Graph API to allow group migrations (an admin username/password is not sufficient to allow access). This has been replaced with modern authentication. To continue performing group migrations, swap to modern authentication and use the Create Azure AD app feature.
- If you do not need to perform group migrations, this message can be dismissed and ignored.
- You will already have an azure ad application that has the secret assigned to it. This is no longer used, and the Create Azure AD app feature will create a new one.
-
This message indicates that the authentication method is set to modern, but the Client ID and certificate have not been set. Use the Create Azure AD Application feature to setup modern authentication.
This message indicates that the authentication method is set to modern, but the application password has not been set. This means that if the admin credentials provided are for an account with Multi Factor Authentication enabled, migrations for sharepoint site assets and notebooks will be skipped. To enable these migrations, an application password should be set up and provided.
Create Azure AD Application warnings
This message indicates that you have attempted to run the feature, but the provided account credentials were invalid. You should correct the admin name / password and try again.
Create Azure AD Application Issues
In this example, the user cannot open the Create Azure AD Application dialog. This is because the Admin Name / Password and Domain are required for this feature. In the above example, the password is not provided, so you will need to enter this before opening the dialog.
Note not all the fields marked as required on the form are required to use the dialog.
Test Connection warnings/errors
This message indicated that the migration provided a Test Microsoft 365 Email (and therefore intends to perform group migrations). Group migrations are only possible using Modern authentication, so you should set this up. If you do not intend to perform group migrations, simply remove the Test Microsoft 365 value under Advanced Settings.
This message indicates that the Client Id / Certificate could not be used to connect to the Microsoft Graph API. This could either mean that the values have not been entered correctly, or there is an issue with the Azure AD Application.
- Ensure the client id/certificate/password are entered correctly
- Check the Azure AD application exists, and has the required API permissions
- As a last resort, try deleting the Azure AD Application and re-creating it with the powershell script. Then, enter the new Client Id/Certificate/Password into the UI
This message indicated that the admin credentials provided have multi factor authentication enabled, and an application password has not been provided. This means that the migration will skip all sharepoint site assets and notebooks. If these are not required, this message can be ignored. If these are required, an application password should be created, and entered into the UI.
This message indicates that the application is running on an x86 installation, and cannot run the necessary powershell script to verify MFA settings. This warning can safely be ignored but users should keep in mind that if they do have MFA enabled on their admin account, that they will need to provide an application password in order to enable migrating sharepoint site assets and notebooks.
Azure AD Application
To view an Azure AD application, login to https://portal.azure.com with the admin credentials provided in the migration (note that if MFA is enabled the account owner will need to approve the login).
From here, open the hamburger menu and go to Azure Active Directory. Then, click App registrations in the navigation panel.
If the Create Azure AD Application feature has been completed successfully, you should see an item named Microsoft Graph Command Line Tools. This should be under the Owned applications tab.
If it is only under the All applications tab, it means that the application was created with a different account. The account used to create the application should be used in the migration credentials.
After clicking on the application, you should see the overview. From here, you can see the Client Id.
From the navigation panel, click API Permissions. You should see a list of permissions as below.
The required permissions are:
Microsoft Graph
- offline_access
- openid
- profile
- Application.ReadWrite.All
- Organization.Read.All
- Directory.Read.All
- RoleManagement.Read.Directory
- AppRoleAssignment.ReadWrite.All
Feature Deprecation
All Platform Configuration and Provisioning options are not compatible with modern authentication.
This affects the following Microsoft 365 Destination options:-
- Run before the whole migration
- Create root public folder mailbox
- Provision OneDrive for Business for all licenced users
- License and provision OneDrive for Business for all users
- License Exchange and Microsoft Office for all Users
- Ensure Mailbox Archive for all users
- Run before each user migration
- Check user exists and create
- Provision OneDrive for Business per user
- License and provision OneDrive for Business per user
- License Exchange and Microsoft Office per user
- Enable Mailbox Archive per user