Modern Authentication for Microsoft 365

CloudM Migrate utilises Modern Authentication to authenticate with Microsoft 365 source and destination platforms.

Modern authentication is a method of authenticating users that relies on multiple factors to verify the identity of a user. In CloudM Migrate, Modern Authentication is used as Microsoft requires authorization from a third party trying to connect to a Microsoft domain, regardless of whether you are migrating from or to the platform. The benefit of Modern Authentication is that you do not need to prove your identity every time you connect to Microsoft, as it uses ADAL (Active Directory Authentication Library) and OAuth 2.0.

Using Modern Authentication for Microsoft 365, CloudM Migrate can connect to your Azure AD account using a certificate instead of a password. The certificate will only have access to the required permissions to perform migrations. Modern Authentication will soon be a requirement from Microsoft.

Authenticating CloudM Migrate

In order to grant CloudM Migrate permissions to your Microsoft 365 environment, you need to register an application into Azure AD. This can be automated by CloudM Migrate.

If you have a new tenant where region blocking is enabled by default and try to run the automated process of adding the Azure App, the process will fail with a "server error". Either turn off region blocking or run the script on the local Powershell. Once the app is manually created, the migration will continue to run with the setting re-enabled.

Authenticating via the CloudM Migrate application:

To authenticate:

  1. Open your Microsoft 365 configuration in CloudM Migrate and go to the Source / Destination Platform step (1 or  2), where Microsoft 365 is the required platform, and click Add Settings.
  2. Ensure that you have entered an Admin Name and Admin Password. This must be a Global Administrator, it is only required to create the app and can be changed after that is complete or you can create the application using PowerShell (see below).
  3. Click the Create Azure AD Application button, and click the button again in the confirmation popup.

Creat

  1. Copy the code presented, then click on the link presented in the popup to be directed to your M365 admin console
    create
  2. Enter the code you copied from Migrate
    entered
  3. Sign in with your global admin username and password signenter
  4. Confirm your sign in to Microsoft graph command line tools sign
  5. Confirm the permissions requested permissions
  6. You are now able to close the tab and return to Migrate return
  7. The Client Id, Certificate Path and Certificate Password fields should now be set. Click the Next button to test the connection.

mceclip14.png

Authenticating manually using the powershell script

If ‘Rehydrate Teams Private Chats’ is enabled as part of the ‘Migrating Teams Private Chats’. The script should also be executed making a note of the ‘Delegated Permissions Client ID’ and ‘Delegated Permissions Client ID Secret’ to add to your configuration.

The create application script is not supported on x86 installations of CloudM Migrate and will need to be run manually.
You may need to allow running of unsigned scripts before using the .\CreateAzureADApplication.ps1. powershell script. To do so, open Powershell as an admin and run Set-ExecutionPolicy Unrestricted

Download our powershell script here (right click and save link as) Ensure you open powershell as Administrator in windows (for example press the windows key and type powershell, then choose the Run as Administrator option).

mceclip0.png

From here, change to the directory where you downloaded the powershell script file (for example enter cd C:\Users\Username\Downloads).

Then, you can run the script by typing.\CreateAzureADApplication.ps1. You will then be prompted to enter a certificate password (this is optional,and you can leave blank to skip). After entering the certificate password into the powershell, a login popup will appear. Sign into your account and approve the login with your MFA device.

mceclip1.png

After logging in, the script will generate the application in Azure AD and create certificate files in the same directory as the powershell script. The script will output the fields you will need to enter into your migration configuration. Copy the values for these fields into CloudM Migrate and click the Next button to test your connection.

Note that when running the script against a tenant that already has an application named CloudM Migrate, the application will be updated with a new Certificate replacing any existing certificate. This means that all migrations setup using the old certificate will need to be updated to use the new one. If you need to use modern authentication for multiple migration configurations on the same azure account, you should use the powershell script to generate the certificate once. You can then use the certificate file that is generated in as many configurations as needed.

Deleting the Azure app

If you wish to delete the app after the migration has completed, login to https://portal/azure.com with the admin credentials provided in the migration.

From here, open the hamburger menu and go to Azure Active Directory. The click App registrations in the navigation panel.

Graph

You should see an item named CloudM Migrate. This should be under the Owned applications tab. Click the application and it will open the overview. From here you can navigate to properties and click the delete button.

Delete

 

Troubleshooting

Source / Destination platform warnings

mceclip18.png

This message indicates that the migration was created on a build of CloudM Migrate before the modern authentication feature, and a client secret was entered. The secret was used to enable authentication of the Microsoft Graph API to allow group migrations (an admin username/password is not sufficient to allow access). This has been replaced with modern authentication. To continue performing group migrations, swap to modern authentication and use the Create Azure AD app feature.

  • If you do not need to perform group migrations, this message can be dismissed and ignored.
  • You will already have an Azure AD application that has the secret assigned to it. This is no longer used, and the Create Azure AD app feature will create a new one.

mceclip19.png

This message indicates that the Client ID and certificate have not been entered. Use the Create Azure AD Application feature to setup modern authentication.

mceclip21.png

This message that the application password has not been set. This means that if the admin credentials provided are for an account with Multi Factor Authentication enabled, migrations for sharepoint site assets and notebooks will be skipped (all other items will be migrated). If you wish to enable these migrations, an application password should be set up and provided. See here for more information. 

Create Azure AD Application warnings

 

mceclip24.png

This message indicates that you have attempted to run the feature, but the provided account credentials were invalid. You should correct the admin name / password and try again.

Create Azure AD Application Issues

mceclip25.png

In this example,  the user cannot open the Create Azure AD Application dialog. This is because the Admin Name / Password and Domain are required for this feature. In the above example, the password is not provided, so you will need to enter this before opening the dialog.

Note not all the fields marked as required on the form are required to use the dialog.

Test Connection warnings/errors

mceclip26.png

This message indicated that the migration provided a Test Microsoft 365 Email (and therefore intends to perform group migrations). Group migrations are only possible using Modern authentication, so you should set this up. If you do not intend to perform group migrations, simply remove the Test Microsoft 365 value under Advanced Settings.

mceclip27.png

This message indicates that the Client Id / Certificate could not be used to connect to the Microsoft Graph API. This could either mean that the values have not been entered correctly, or there is an issue with the Azure AD Application.

  • Ensure the client id/certificate/password are entered correctly
  • Check the Azure AD application exists, and has the required API permissions
  • As a last resort, try deleting the Azure AD Application and re-creating it with the powershell script. Then, enter the new Client Id/Certificate/Password into the UI

 

mceclip28.png

This message indicated that the admin credentials provided have multi factor authentication enabled, and an application password has not been provided. This means that the migration will skip all sharepoint site assets and notebooks. If these are not required, this message can be ignored. If these are required, an application password should be created, and entered into the UI.

 

modern_auth_a.PNG

This message indicates that the application is running on an x86 installation, and cannot run the necessary powershell script to verify MFA settings. This warning can safely be ignored but users should keep in mind that if they do have MFA enabled on their admin account, that they will need to provide an application password in order to enable migrating sharepoint site assets and notebooks.

Viewing the Azure AD Application

To view an Azure AD application, login to https://portal.azure.com with the admin credentials provided in the migration (note that if MFA is enabled the account owner will need to approve the login).

From here, open the hamburger menu and go to Azure Active Directory. Then, click App registrations in the navigation panel.

Graph

If the Create Azure AD Application feature has been completed successfully, you should see an item named Microsoft Graph Command Line Tools. This should be under the Owned applications tab.

If it is only under the All applications tab, it means that the application was created with a different account. The account used to create the application should be used in the migration credentials.

command

 

After clicking on the application, you should see the overview. From here, you can see the Client Id.

From the navigation panel, click API Permissions. You should see a list of permissions as below.

permissions

The required permissions are:

Microsoft Graph

  • offline_access
  • openid
  • profile
  • Application.ReadWrite.All
  • Organization.Read.All
  • Directory.Read.All
  • RoleManagement.Read.Directory
  • AppRoleAssignment.ReadWrite.All

Feature Deprecation

All Platform Configuration and Provisioning options are not compatible with modern authentication.

This affects the following Microsoft 365 Destination options:-

  • Run before the whole migration
    • Create root public folder mailbox
    • Provision OneDrive for Business for all licenced users
    • License and provision OneDrive for Business for all users
    • License Exchange and Microsoft Office for all Users
    • Ensure Mailbox Archive for all users
  • Run before each user migration
    • Check user exists and create
    • Provision OneDrive for Business per user
    • License and provision OneDrive for Business per user
    • License Exchange and Microsoft Office per user
    • Enable Mailbox Archive per user

 

Was this article helpful?
4 out of 5 found this helpful