Microsoft are in the process of deprecating the Basic Authentication method that has historically been used to authorize CloudM Migrate to connect to the tenant’s Azure AD account, due to vulnerabilities in the process.
CloudM recommends configuring the Modern Authentication method (as detailed below) as it will make connections more secure. Additional security processes (such as creating customer secrets and keys) are now included as part of Modern Authentication, instead of as a separate process.
Warning: After upgrading to CloudM Migrate v3.22 or later, and updating / creating a new configuration, it will not be possible to downgrade to a previous release. This is because the configuration will contain new parameters that are not compatible with older versions of CloudM Migrate.
The Internet Explorer Enhanced Security Configuration must be disabled prior to use, due to issues with the login popup.
When using Modern Authentication, the Credential Method, set in the Advanced Settings of the source and destination platforms, must be set to Impersonation.
Therefore, this setting will be overwritten to when Modern Authentication is enabled.
What is Modern Authentication?
Using modern authentication for Office 365, CloudM Migrate can connect to your Azure AD account using a certificate instead of a password. The certificate will only have access to the required permissions to perform migrations. Modern authentication will soon be a requirement from Microsoft.
What is MFA?
Multi-factor authentication is a policy that can be applied to an Office 365 account. This policy requires the account owner to verify login attempts with a second device of their choosing.
Authenticating CloudM Migrate
In order to grant CloudM Migrate permissions to your Office 365 environment, you need to register an application into Azure AD. This can be automated by CloudM Migrate.
In order to grant CloudM Migrate permissions to migrate Sharepoint site assets (including Notebooks), you need either an account password (for accounts without MFA enabled), or an application password (for accounts with MFA enabled).
Authenticate using the powershell script
The create application script is not supported on x86 installations of CloudM and will need to be run manually.
You need to allow running of unsigned scripts. Set-ExecutionPolicy Unrestricted before using the .\CreateAzureADApplication.ps1. powershell script.
To do so:
Download our powershell script here. Ensure you open powershell as Administrator in windows (for example press the windows key and type powershell, then choose the Run as Administrator option).
From here, change to the directory where you downloaded the powershell script file (for example enter cd C:\Users\Username\Downloads).
Then, you can run the script by typing .\CreateAzureADApplication.ps1. You will then be prompted to enter a certificate password (this is optional,and you can leave blank to skip). After entering the certificate password into the powershell, a login popup will appear. Sign into your account and approve the login with your MFA device.
After logging in, the script will generate the application in Azure AD and create certificate files in the same directory as the powershell script. The script will output the fields you will need to enter into your migration configuration. Copy the values for these fields into CloudM Migrate and click the Next button to test your connection.
Note that when running the script against a tenant that already has an application named CloudM Migrate, the application will be updated with a new Certificate replacing any existing certificate. This means that all migrations setup using the old certificate will need to be updated to use the new one.
If you need to use modern authentication for multiple migration configurations on the same azure account, you should use the powershell script to generate the certificate once. You can then use the certificate file that is generated in as many configurations as needed.
Authenticate using the web application
NB: Users accounts with MFA enabled will not be able to use the web application to create the Azure AD application
- Open your Office 365 configuration in CloudM Migrate
- Go to the Source/Destination Platform step (1 or 2) and click Add Settings
- Ensure that you have set Authentication Method to Modern
- Ensure that you have entered an Admin Name and Admin Password.
- Click the Create Azure AD Application button, and click the button again in the popup.
- The Client Id, Certificate Path and Certificate Password fields should now be set. Click the Next button to test the connection.
Creating an application password
You can create and delete app passwords from the Additional security verification page for your work or school account.
Sign in to the Additional security verification page, and then select App passwords.
- Select Create, type the name of the app that requires the app password, and then select Next.
- Copy the password from the Your app password page, and then select Close.
- From the App passwords page, make sure your app is listed.
- Open the app you created the app password for (for example, Outlook 2010), and then paste the app password when asked for it. You should only have to do this once per app.
Deleting the Azure app
Login to https://portal/azure.com with the admin credentials provided in the migration (note that if MFA is enabled the account owner will need to approve the login).
From here, open the hamburger menu and go to Azure Active Directory. The click App registrations in the navigation panel.
You should see an item named CloudM Migrate. This should be under the Owned applications tab. Click the application and it will open the overview. From here you can click the delete button.
Source / Destination platform warnings
This message indicates that the migration was created on a build of CloudM Migrate before the modern authentication feature, and a client secret was entered. The secret was used to enable authentication of the Microsoft Graph API to allow group migrations (an admin username/password is not sufficient to allow access). This has been replaced with modern authentication. To continue performing group migrations, swap to modern authentication and use the Create Azure AD app feature.
- If you do not need to perform group migrations, this message can be dismissed and ignored.
- You will already have an azure ad application that has the secret assigned to it. This is no longer used, and the Create Azure AD app feature will create a new one.
This message indicates that the authentication method is set to modern, but the Client ID and certificate have not been set. Use the Create Azure AD Application feature to setup modern authentication.
This message indicates that the authentication method is set to modern, but the application password has not been set. This means that if the admin credentials provided are for an account with Multi Factor Authentication enabled, migrations for sharepoint site assets and notebooks will be skipped. To enable these migrations, an application password should be set up and provided.
Create Azure AD Application warnings
This message is always shown to remind users that the feature cannot be used on the web platform for accounts with multi factor authentication enabled. You will need to use our powershell script.
This message indicates that the you have attempted to run the feature, but your account has multi factor authentication enabled. You will need to use our powershell script.
This message indicates that you have attempted to run the feature, but the provided account credentials were invalid. You should correct the admin name / password and try again.
Create Azure AD Application Issues
In this example, the user cannot open the Create Azure AD Application dialog. This is because the Admin Name / Password and Domain are required for this feature. In the above example, the password is not provided, so you will need to enter this before opening the dialog.
Note not all the fields marked as required on the form are required to use the dialog.
Test Connection warnings/errors
This message indicated that the migration provided a Test Office 365 Email (and therefore intends to perform group migrations). Group migrations are only possible using Modern authentication, so you should set this up. If you do not intend to perform group migrations, simply remove the Test Office 365 value under Advanced Settings.
This message indicates that the Client Id / Certificate could not be used to connect to the Microsoft Graph API. This could either mean that the values have not been entered correctly, or there is an issue with the Azure AD Application.
- Ensure the client id/certificate/password are entered correctly
- Check the Azure AD application exists, and has the required API permissions
- As a last resort, try deleting the Azure AD Application and re-creating it with the powershell script. Then, enter the new Client Id/Certificate/Password into the UI
This message indicated that the admin credentials provided have multi factor authentication enabled, and an application password has not been provided. This means that the migration will skip all sharepoint site assets and notebooks. If these are not required, this message can be ignored. If these are required, an application password should be created, and entered into the UI.
This message indicates that the application is running on an x86 installation, and cannot run the necessary powershell script to verify MFA settings. This warning can safely be ignored but users should keep in mind that if they do have MFA enabled on their admin account, that they will need to provide an application password in order to enable migrating sharepoint site assets and notebooks.
Azure AD Application
To view an Azure AD application, login to https://portal.azure.com with the admin credentials provided in the migration (note that if MFA is enabled the account owner will need to approve the login).
From here, open the hamburger menu and go to Azure Active Directory. Then, click App registrations in the navigation panel.
If the Create Azure AD Application feature has been completed successfully, you should see an item named Cloud Migrator (or CloudM Migrate). This should be under the Owned applications tab.
If it is only under the All applications tab, it means that the application was created with a different account. The account used to create the application should be used in the migration credentials.
After clicking on the application, you should see the overview. From here, you can see the Client Id.
From the navigation panel, click Certificates & Secrets. You should see at least one certificate with an expiry date in the year 9999.
From the navigation panel, click API Permissions. You should see a list of permissions as below, and all items should be approved by the admin with a green tick.
The required permissions are:
Azure Active Directory Graph
All Platform Configuration and Provisioning options are not compatible with modern authentication.
This affects the following Office 365 Destination options:-
- Run before the whole migration
- Create root public folder mailbox
- Provision OneDrive for Business for all licenced users
- License and provision OneDrive for Business for all users
- License Exchange and Office for all Users
- Ensure Mailbox Archive for all users
- Run before each user migration
- Check user exists and create
- Provision OneDrive for Business per user
- License and provision OneDrive for Business per user
- License Exchange and Office per user
- Enable Mailbox Archive per user