CloudM Migrate utilises Modern Authentication to authenticate with Microsoft 365 source and destination platforms.
Modern authentication is a method of authenticating users that relies on multiple factors to verify the identity of a user. In CloudM Migrate, Modern Authentication is used as Microsoft requires authorization from a third party trying to connect to a Microsoft domain, regardless of whether you are migrating from or to the platform. The benefit of Modern Authentication is that you do not need to prove your identity every time you connect to Microsoft, as it uses ADAL (Active Directory Authentication Library) and OAuth 2.0.
Using Modern Authentication for Microsoft 365, CloudM Migrate can connect to your Azure AD account using a certificate instead of a password. The certificate will only have access to the required permissions to perform migrations. Modern Authentication will soon be a requirement from Microsoft.
Authenticating CloudM Migrate
In order to grant CloudM Migrate permissions to your Microsoft 365 environment, you need to register an application into Azure AD. This can be automated by CloudM Migrate.
Authenticating via the CloudM Migrate application:
- Open your Microsoft 365 configuration in CloudM Migrate and go to the Source / Destination Platform step (1 or 2), where Microsoft 365 is the required platform, and click Add Settings.
- Ensure that you have entered an Admin Name and Admin Password. This must be a Global Administrator, it is only required to create the app and can be changed after that is complete or you can create the application using PowerShell (see below).
- Click the Create Azure AD Application button, and click the button again in the confirmation popup.
Copy the code presented, then click on the link presented in the popup to be directed to your M365 admin console
Enter the code you copied from Migrate
- Sign in with your global admin username and password
- Confirm your sign in to Microsoft graph command line tools
- Confirm the permissions requested
- You are now able to close the tab and return to Migrate
- The Client Id, Certificate Path and Certificate Password fields should now be set. Click the Next button to test the connection.
Authenticating manually using the powershell script
If ‘Rehydrate Teams Private Chats’ is enabled as part of the ‘Migrating Teams Private Chats’. The script should also be executed making a note of the ‘Delegated Permissions Client ID’ and ‘Delegated Permissions Client ID Secret’ to add to your configuration.
Download our powershell script here (right click and save link as) Ensure you open powershell as Administrator in windows (for example press the windows key and type powershell, then choose the Run as Administrator option).
From here, change to the directory where you downloaded the powershell script file (for example enter
Then, you can run the script by typing
.\CreateAzureADApplication.ps1. You will then be prompted to enter a certificate password (this is optional,and you can leave blank to skip). After entering the certificate password into the powershell, a login popup will appear. Sign into your account and approve the login with your MFA device.
After logging in, the script will generate the application in Azure AD and create certificate files in the same directory as the powershell script. The script will output the fields you will need to enter into your migration configuration. Copy the values for these fields into CloudM Migrate and click the Next button to test your connection.
Deleting the Azure app
If you wish to delete the app after the migration has completed, login to https://portal/azure.com with the admin credentials provided in the migration.
From here, open the hamburger menu and go to Azure Active Directory. The click App registrations in the navigation panel.
You should see an item named CloudM Migrate. This should be under the Owned applications tab. Click the application and it will open the overview. From here you can navigate to properties and click the delete button.
Source / Destination platform warnings
This message indicates that the migration was created on a build of CloudM Migrate before the modern authentication feature, and a client secret was entered. The secret was used to enable authentication of the Microsoft Graph API to allow group migrations (an admin username/password is not sufficient to allow access). This has been replaced with modern authentication. To continue performing group migrations, swap to modern authentication and use the Create Azure AD app feature.
- If you do not need to perform group migrations, this message can be dismissed and ignored.
- You will already have an Azure AD application that has the secret assigned to it. This is no longer used, and the Create Azure AD app feature will create a new one.
This message indicates that the Client ID and certificate have not been entered. Use the Create Azure AD Application feature to setup modern authentication.
This message that the application password has not been set. This means that if the admin credentials provided are for an account with Multi Factor Authentication enabled, migrations for sharepoint site assets and notebooks will be skipped (all other items will be migrated). If you wish to enable these migrations, an application password should be set up and provided. See here for more information.
Create Azure AD Application warnings
This message indicates that you have attempted to run the feature, but the provided account credentials were invalid. You should correct the admin name / password and try again.
Create Azure AD Application Issues
In this example, the user cannot open the Create Azure AD Application dialog. This is because the Admin Name / Password and Domain are required for this feature. In the above example, the password is not provided, so you will need to enter this before opening the dialog.
Note not all the fields marked as required on the form are required to use the dialog.
Test Connection warnings/errors
This message indicated that the migration provided a Test Microsoft 365 Email (and therefore intends to perform group migrations). Group migrations are only possible using Modern authentication, so you should set this up. If you do not intend to perform group migrations, simply remove the Test Microsoft 365 value under Advanced Settings.
This message indicates that the Client Id / Certificate could not be used to connect to the Microsoft Graph API. This could either mean that the values have not been entered correctly, or there is an issue with the Azure AD Application.
- Ensure the client id/certificate/password are entered correctly
- Check the Azure AD application exists, and has the required API permissions
- As a last resort, try deleting the Azure AD Application and re-creating it with the powershell script. Then, enter the new Client Id/Certificate/Password into the UI
This message indicated that the admin credentials provided have multi factor authentication enabled, and an application password has not been provided. This means that the migration will skip all sharepoint site assets and notebooks. If these are not required, this message can be ignored. If these are required, an application password should be created, and entered into the UI.
This message indicates that the application is running on an x86 installation, and cannot run the necessary powershell script to verify MFA settings. This warning can safely be ignored but users should keep in mind that if they do have MFA enabled on their admin account, that they will need to provide an application password in order to enable migrating sharepoint site assets and notebooks.
Viewing the Azure AD Application
To view an Azure AD application, login to https://portal.azure.com with the admin credentials provided in the migration (note that if MFA is enabled the account owner will need to approve the login).
From here, open the hamburger menu and go to Azure Active Directory. Then, click App registrations in the navigation panel.
If the Create Azure AD Application feature has been completed successfully, you should see an item named Microsoft Graph Command Line Tools. This should be under the Owned applications tab.
If it is only under the All applications tab, it means that the application was created with a different account. The account used to create the application should be used in the migration credentials.
After clicking on the application, you should see the overview. From here, you can see the Client Id.
From the navigation panel, click API Permissions. You should see a list of permissions as below.
The required permissions are:
All Platform Configuration and Provisioning options are not compatible with modern authentication.
This affects the following Microsoft 365 Destination options:-
- Run before the whole migration
- Create root public folder mailbox
- Provision OneDrive for Business for all licenced users
- License and provision OneDrive for Business for all users
- License Exchange and Microsoft Office for all Users
- Ensure Mailbox Archive for all users
- Run before each user migration
- Check user exists and create
- Provision OneDrive for Business per user
- License and provision OneDrive for Business per user
- License Exchange and Microsoft Office per user
- Enable Mailbox Archive per user