Modern Authentication for Microsoft 365

CloudM Migrate utilises Modern Authentication to authenticate with Microsoft 365 source and destination platforms.

Modern authentication is a method of authenticating users that relies on multiple factors to verify the identity of a user. In CloudM Migrate, Modern Authentication is used as Microsoft requires authorization from a third party trying to connect to a Microsoft domain, regardless of whether you are migrating from or to the platform. The benefit of Modern Authentication is that you do not need to prove your identity every time you connect to Microsoft, as it uses ADAL (Active Directory Authentication Library) and OAuth 2.0.

Using Modern Authentication for Microsoft 365, CloudM Migrate can connect to your Azure AD account using a certificate instead of a password. The certificate will only have access to the required permissions to perform migrations.

Authenticating CloudM Migrate

In order to grant CloudM Migrate permissions to your Microsoft 365 environment, you need to register an application into Azure AD. This can be automated by CloudM Migrate.

If you have a new tenant where region blocking is enabled by default and try to run the automated process of adding the Azure App, the process will fail with a "server error". Either turn off region blocking or run the PowerShell script provided below. Once the app is manually created, the migration will continue to run with the setting re-enabled.

Authenticating via the CloudM Migrate application:

To authenticate:

  1. Open your Microsoft 365 configuration in CloudM Migrate and go to the Source / Destination Platform step (1 or  2), where Microsoft 365 is the required platform, and click Add Settings.
  2. Ensure that you have entered an Admin Username. This must be a Global Administrator. This is a requirement in order for CloudM to obtain the token to migrate Teams and Groups.
  3. Click the Create Azure AD Application button, and click the button again in the confirmation popup.


  1. Copy the code presented, then click on the link presented in the popup to be directed to your M365 admin console
  2. Enter the code you copied from Migrate
  3. Sign in with your global admin username and password signenter
  4. Confirm your sign in to Microsoft graph command line tools sign
  5. Confirm the permissions requested permissions
  6. You are now able to close the tab and return to Migrate return
  7. The Client Id, Certificate Path and Certificate Password fields should now be set. Click the Next button to test the connection.

Authenticating manually using the powershell script

If ‘Rehydrate Teams Private Chats’ is enabled as part of the ‘Migrating Teams Private Chats’. The Delegated Application script should also be executed making a note of the ‘Delegated Permissions Client ID’ and ‘Delegated Permissions Client ID Secret’ to add to your configuration.

The create application script is not supported on x86 installations of CloudM Migrate and will need to be run manually.
You may need to allow running of unsigned scripts before using the .\CreateAzureADApplication.ps1. powershell script. To do so, open Powershell as an admin and run Set-ExecutionPolicy Unrestricted

Download the following powershell scripts into a working directory eg c:\CloudM

Ensure you open powershell as Administrator in windows (for example press the windows key and type powershell, then choose the Run as Administrator option).


From here, change directory to the working directory where the above scripts are saved (for example enter cd  c:\CloudM).

Then, you can run the script by typing .\CreateAzureADApplication.ps1. You will then be prompted to enter:

  • Certificate Password (optional) Press enter to skip
  • Location to save certificate e.g. “c:\cloudm\certificates”
  • Application Name e.g. “My Migration” (Application will appear with prefix ‘CloudM-’)
  • Cloud Deployment
  • Scope (default scopes or limited scopes). For information on using limited scopes, please review the limited scopes article here.

Sign into your account.


After logging in, the script will generate the application in Azure AD and create certificate files in the directory specified above eg  “c:\cloudm\certificates”  The script will output the fields and also create a text file with the details you will need to enter into your migration configuration. Copy the values for these fields into CloudM Migrate and click the Next button to test your connection.

Note that when running the script against a tenant that already has an application with the same name specified, the application will be updated with a new certificate replacing any existing certificate. This means that all migrations setup using the old certificate will need to be updated to use the new one. If you need to use modern authentication for multiple migration configurations on the same Azure account, you should use the powershell script to generate the certificate once. You can then use the certificate file that is generated in as many configurations as needed.

Deleting the Azure app

If you wish to delete the app after the migration has completed, login to https://portal/ with the admin credentials provided in the migration.

From here, open the hamburger menu and go to Azure Active Directory. The click App registrations in the navigation panel.


You should see an item named CloudM Migrate. This should be under the Owned applications tab. Click the application and it will open the overview. From here you can navigate to properties and click the delete button.



Viewing the Azure AD Application

To view an Azure AD application, login to with the admin credentials provided in the migration (note that if MFA is enabled the account owner will need to approve the login).

From here, open the hamburger menu and go to Azure Active Directory. Then, click App registrations in the navigation panel.


If the Create Azure AD Application feature has been completed successfully, you should see an item named Microsoft Graph Command Line Tools. This should be under the Owned applications tab.

If it is only under the All applications tab, it means that the application was created with a different account. The account used to create the application should be used in the migration credentials.



After clicking on the application, you should see the overview. From here, you can see the Client Id.

From the navigation panel, click API Permissions. You should see a list of permissions as below.


The required permissions are:

Microsoft Graph

        • offline_access
        • openid
        • profile
        • Application.ReadWrite.All
        • Organization.Read.All
        • Directory.Read.All
        • RoleManagement.Read.Directory
        • AppRoleAssignment.ReadWrite.All


Was this article helpful?
4 out of 6 found this helpful