Skip to main content

Modern Authentication for Microsoft 365

  • Updated
Exclamation.png

Microsoft are in the process of deprecating the Basic Authentication method that has historically been used to authorize CloudM Migrate to connect to the tenant’s Azure AD account, due to vulnerabilities in the process. 

CloudM recommends configuring the Modern Authentication method (as detailed below) as it will make connections more secure. Additional security processes (such as creating customer secrets and keys) are now included as part of Modern Authentication, instead of as a separate process. 

 

Exclamation.png

Warning: After upgrading to CloudM Migrate v3.22 or later, and updating / creating a new configuration, it will not be possible to downgrade to a previous release. This is because the configuration will contain new parameters that are not compatible with older versions of CloudM Migrate.

 

Exclamation.png

The Internet Explorer Enhanced Security Configuration must be disabled prior to use, due to issues with the login popup.

 

Exclamation.png

When using Modern Authentication, the Credential Method, set in the Advanced Settings of the source and destination platforms, must be set to Impersonation.

Therefore, this setting will be overwritten to when Modern Authentication is enabled.

 

What is Modern Authentication? 

When you go to the airport, you have to show that you are really who you say you are (using your passport), and that you have permission (your ticket) to get on the plane.

Modern Authentication, in CloudM Migrate, is essentially the same as Microsoft requires authorization from a third party trying to connect to a Microsoft domain, regardless of whether you are migrating from or to the platform. The benefit of Modern Authentication is that you do not need to prove your identity every time you connect to Microsoft, as it uses ADAL (Active Directory Authentication Library) and OAuth 2.0.

Using Modern Authentication for Microsoft 365, CloudM Migrate can connect to your Azure AD account using a certificate instead of a password. The certificate will only have access to the required permissions to perform migrations. Modern Authentication will soon be a requirement from Microsoft.

 

What is MFA?

Multi-factor authentication is a policy that can be applied to a Microsoft 365 account. This policy requires the account owner to verify login attempts with a second device of their choosing.

 

Authenticating CloudM Migrate

In order to grant CloudM Migrate permissions to your Microsoft 365 environment, you need to register an application into Azure AD. This can be automated by CloudM Migrate.

In order to grant CloudM Migrate permissions to migrate Sharepoint site assets (including Notebooks), you need either an account password (for accounts without MFA enabled), or an application password (for accounts with MFA enabled).

 

Exclamation.png

If you have a new tenant where region blocking is enabled by default and try to run the automated process of adding the Azure App, the process will fail with a "server error".

Either turn off region blocking or run the script on the local Powershell. Once the app is manually created, the migration will continue to run with the setting re-enabled.

 

If you have Modern Factor Authentication (MFA) enabled, authenticate using the powershell script:

If ‘Rehydrate Teams Private Chats’ is enabled as part of the ‘Migrating Teams Private Chats’. The script should also be executed making a note of the ‘Delegated Permissions Client ID’ and ‘Delegated Permissions Client ID Secret’ to add to your configuration.

 

Exclamation.png

The create application script is not supported on x86 installations of CloudM and will need to be run manually.

 

Exclamation.png

You need to allow running of unsigned scripts. Set-ExecutionPolicy Unrestricted before using the .\CreateAzureADApplication.ps1. powershell script.

To do so:

  1. Select Start > All Programs > Windows PowerShell version > Windows PowerShell.
  2. Type Set-ExecutionPolicy Unrestricted
  3. Type Exit

 

Download our powershell script here. Ensure you open powershell as Administrator in windows (for example press the windows key and type powershell, then choose the Run as Administrator option).

mceclip0.png

From here, change to the directory where you downloaded the powershell script file (for example enter cd C:\Users\Username\Downloads).

Then, you can run the script by typing .\CreateAzureADApplication.ps1. You will then be prompted to enter a certificate password (this is optional,and you can leave blank to skip). After entering the certificate password into the powershell, a login popup will appear. Sign into your account and approve the login with your MFA device.

mceclip1.png

After logging in, the script will generate the application in Azure AD and create certificate files in the same directory as the powershell script. The script will output the fields you will need to enter into your migration configuration. Copy the values for these fields into CloudM Migrate and click the Next button to test your connection.

 

Exclamation.png

Note that when running the script against a tenant that already has an application named CloudM Migrate, the application will be updated with a new Certificate replacing any existing certificate. This means that all migrations setup using the old certificate will need to be updated to use the new one.

If you need to use modern authentication for multiple migration configurations on the same azure account, you should use the powershell script to generate the certificate once. You can then use the certificate file that is generated in as many configurations as needed. 

 

If you do not have Modern Factor Authentication (MFA) enabled, authenticate using the web application

User accounts with MFA enabled will not be able to use the web application to create the Azure AD application. Please use the Powershell method.

Before authenticating, ensure that the relevant API Permissions are enabled. Use this link to jump to the Azure AD Application section of this article that will explain how to enable the permissions.

 

To authenticate:

  1. Open your Microsoft 365 configuration in CloudM Migrate

mceclip8.png

  1. Go to the Source / Destination Platform step (1 or  2), where Microsoft 365 is the required platform, and click Add Settings.

mceclip9.png

  1. Ensure that you have set Authentication Method to Modern.

mceclip10.png

  1. Ensure that you have entered an Admin Name and Admin Password.

mceclip11.png

  1. Click the Create Azure AD Application button, and click the button again in the confirmation popup.

mceclip12.png

mceclip13.png

  1. The Client Id, Certificate Path and Certificate Password fields should now be set. Click the Next button to test the connection.

mceclip14.png

 

Deleting the Azure app

Login to https://portal/azure.com with the admin credentials provided in the migration (note that if MFA is enabled the account owner will need to approve the login).

From here, open the hamburger menu and go to Azure Active Directory. The click App registrations in the navigation panel.

mceclip0.png

You should see an item named CloudM Migrate. This should be under the Owned applications tab. Click the application and it will open the overview. From here you can click the delete button.

mceclip1.png


mceclip2.png

 

Troubleshooting

Source / Destination platform warnings

mceclip18.png

This message indicates that the migration was created on a build of CloudM Migrate before the modern authentication feature, and a client secret was entered. The secret was used to enable authentication of the Microsoft Graph API to allow group migrations (an admin username/password is not sufficient to allow access). This has been replaced with modern authentication. To continue performing group migrations, swap to modern authentication and use the Create Azure AD app feature.

  • If you do not need to perform group migrations, this message can be dismissed and ignored.
  • You will already have an azure ad application that has the secret assigned to it. This is no longer used, and the Create Azure AD app feature will create a new one.
      •  

 

mceclip19.png

This message indicates that the authentication method is set to modern, but the Client ID and certificate have not been set. Use the Create Azure AD Application feature to setup modern authentication.

 

mceclip21.png

This message indicates that the authentication method is set to modern, but the application password has not been set. This means that if the admin credentials provided are for an account with Multi Factor Authentication enabled, migrations for sharepoint site assets and notebooks will be skipped. To enable these migrations, an application password should be set up and provided.

 

Create Azure AD Application warnings

mceclip22.png

This message is always shown to remind users that the feature cannot be used on the web platform for accounts with multi factor authentication enabled. You will need to use our powershell script.

 

mceclip23.png

This message indicates that the you have attempted to run the feature, but your account has multi factor authentication enabled. You will need to use our powershell script.

 

mceclip24.png

This message indicates that you have attempted to run the feature, but the provided account credentials were invalid. You should correct the admin name / password and try again.

 

Create Azure AD Application Issues

mceclip25.png

In this example,  the user cannot open the Create Azure AD Application dialog. This is because the Admin Name / Password and Domain are required for this feature. In the above example, the password is not provided, so you will need to enter this before opening the dialog.

Note not all the fields marked as required on the form are required to use the dialog.

 

Test Connection warnings/errors

mceclip26.png

This message indicated that the migration provided a Test Microsoft 365 Email (and therefore intends to perform group migrations). Group migrations are only possible using Modern authentication, so you should set this up. If you do not intend to perform group migrations, simply remove the Test Microsoft 365 value under Advanced Settings.

mceclip27.png

This message indicates that the Client Id / Certificate could not be used to connect to the Microsoft Graph API. This could either mean that the values have not been entered correctly, or there is an issue with the Azure AD Application.

        • Ensure the client id/certificate/password are entered correctly
        • Check the Azure AD application exists, and has the required API permissions
        • As a last resort, try deleting the Azure AD Application and re-creating it with the powershell script. Then, enter the new Client Id/Certificate/Password into the UI

 

mceclip28.png

This message indicated that the admin credentials provided have multi factor authentication enabled, and an application password has not been provided. This means that the migration will skip all sharepoint site assets and notebooks. If these are not required, this message can be ignored. If these are required, an application password should be created, and entered into the UI.

 

modern_auth_a.PNG

This message indicates that the application is running on an x86 installation, and cannot run the necessary powershell script to verify MFA settings. This warning can safely be ignored but users should keep in mind that if they do have MFA enabled on their admin account, that they will need to provide an application password in order to enable migrating sharepoint site assets and notebooks.

 

Azure AD Application

To view an Azure AD application, login to https://portal.azure.com with the admin credentials provided in the migration (note that if MFA is enabled the account owner will need to approve the login).

From here, open the hamburger menu and go to Azure Active Directory. Then, click App registrations in the navigation panel.

mceclip29.png

If the Create Azure AD Application feature has been completed successfully, you should see an item named Cloud Migrator (or CloudM Migrate). This should be under the Owned applications tab.

If it is only under the All applications tab, it means that the application was created with a different account. The account used to create the application should be used in the migration credentials.

mceclip30.png

 

After clicking on the application, you should see the overview. From here, you can see the Client Id.

From the navigation panel, click Certificates & Secrets. You should see at least one certificate with an expiry date in the year 9999.

mceclip31.png

 

From the navigation panel, click API Permissions. You should see a list of permissions as below, and all items should be approved by the admin with a green tickazure_scopes.png.

 

The required permissions are:

Azure Active Directory Graph

        • Directory.ReadAll

Exchange

        • Full_access_as_app

Microsoft Graph

        • AuditLog.ReadAll
        • Files.ReadWrite.All
        • Group.Read.All
        • Group.ReadWrite.All
        • Mail.ReadWrite
        • Notes.ReadAll
        • Place.ReadAll
        • Sites.ReadWrite.All
        • User.Read.All

Sharepoint

        • Sites.FullControl.All
        • User.ReadWrite.All

 

Feature Deprecation

All Platform Configuration and Provisioning options are not compatible with modern authentication.

This affects the following Microsoft 365 Destination options:-

        • Run before the whole migration
          • Create root public folder mailbox
          • Provision OneDrive for Business for all licenced users
          • License and provision OneDrive for Business for all users
          • License Exchange and Microsoft Office for all Users
          • Ensure Mailbox Archive for all users
        • Run before each user migration
          • Check user exists and create
          • Provision OneDrive for Business per user
          • License and provision OneDrive for Business per user
          • License Exchange and Microsoft Office per user
          • Enable Mailbox Archive per user

 

Comments

0 comments

Please sign in to leave a comment.