Cloud Commander – App Registration – Creating your own app

How to use this page

Welcome to the AAD App Registration page. The permissions you need vary from workload to workload, and most of the supported workloads are covered on this page. When deploying the solution it is up to us to find out which workloads are involved and to copy and paste the appropriate sections from the text below to tell the customer the requirements for their particular migration. If they are not migrating a particular workload, leave it out of your communication, since it can lead the customer to raise questions about aspects that are not relevant to them. In short, fit this page to your and the customer's needs, and take what is relevant to you.

This section is for creating your own applications. If you’d like to trust Quadrotech owned applications, check our article here.

Creating Your Own Applications

Check out the video below for a detailed walkthrough

AzureAD App Registration

Go to Azure Portal -> Azure Active Directory -> App registrations and create a new application.

Fill in all the required fields:

  • name of application
  • supported account type
  • redirect URI (optional)

Certificate

Once the application is registered, you have to upload the certificate. For test deployments this can be found in the Cloud Commander deploy repository (server_cer.cer).

Note: If this is a production environment, you must use a unique certificate for each user; do not reuse the sample certificate from the repository.

Go to Certificates & secrets and upload the certificate (the public .cer file only).

Once it is uploaded, the certificate and its thumbprint are listed on the page. The thumbprint is one of the values the deployment wizard asks for later.
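The registration and certificate steps above, scripted with the Microsoft Graph PowerShell SDK. This is an added example and not Cloud Commander's own code; the display name 'Cloud Commander', the certificate path and the 30-day expiry check are assumptions for illustration. It also prints the identifiers (Tenant ID, App ID, Object ID, thumbprint) that the deployment wizard and frontend registration sections of this page ask for.

```powershell
# Added example (not Cloud Commander's own code): register the application, attach
# the certificate and print the identifiers the deployment wizard asks for.
# Requires the Microsoft.Graph PowerShell SDK:  Install-Module Microsoft.Graph
$DisplayName     = 'Cloud Commander'      # assumed display name
$CertificatePath = '.\server_cer.cer'     # public certificate (.cer); path is an assumption

# Application.ReadWrite.All is enough to create the registration and attach a key.
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

# 1. Registration: single tenant; the page marks the redirect URI as optional, so none is set.
$app = New-MgApplication -DisplayName $DisplayName -SignInAudience 'AzureADMyOrg'

# 2. Service principal, so the app appears under Enterprise Applications and can
#    receive admin consent and user assignments later.
$sp = New-MgServicePrincipal -AppId $app.AppId

# 3. Certificate: public part only. Usage 'Verify' means AAD uses it to validate the
#    client assertion the service signs with the matching private key.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            (Resolve-Path $CertificatePath).Path)
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {   # assumed minimum remaining lifetime
    throw "Certificate $($cert.Thumbprint) expires $($cert.NotAfter); use a fresh one."
}
Update-MgApplication -ApplicationId $app.Id -KeyCredentials @(
    @{
        Type        = 'AsymmetricX509Cert'
        Usage       = 'Verify'
        Key         = $cert.RawData
        DisplayName = "$DisplayName $(Get-Date -Format yyyy-MM-dd)"
    }
)

# 4. Values the deployment wizard and the frontend registration ask for.
$ctx = Get-MgContext
[pscustomobject]@{
    TenantId   = $ctx.TenantId
    AppId      = $app.AppId        # "Application (client) ID" / App ID
    ObjectId   = $app.Id           # "Object ID" of the app registration
    SpObjectId = $sp.Id            # object id under Enterprise Applications
    Thumbprint = $cert.Thumbprint  # "Source Application Thumbprint"
} | Format-List
```

Keep the private key with the Cloud Commander deployment, never in the tenant; the script only ever reads the public .cer, which is all the registration needs.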

Required Permissions

You have to add the permissions and then grant admin consent for them (the Grant admin consent button at the bottom of the API permissions page) to be able to migrate a particular workload. The lists below are application permissions, so they apply tenant-wide and always require admin consent.

For all workloads supported by Cloud Commander currently (Exchange Online, OneDrive, SharePoint, Microsoft Teams), API permissions look like this:

Teams workload

Required permissions for MS Graph API:

  • Application.ReadWrite.All | Read and write all applications
  • ChannelMessage.Read.All | Read all channel messages
  • Chat.Read.All | Read all chat messages
  • Directory.ReadWrite.All | Read and write directory data
  • Domain.ReadWrite.All | Read and write domains
  • Group.ReadWrite.All | Read and write all groups
  • Mail.ReadWrite | Read and write mail in all mailboxes
  • MailboxSettings.Read | Read all user mailbox settings
  • Member.Read.Hidden | Read all hidden memberships
  • Notes.ReadWrite.All | Read and write all notebooks
  • People.Read.All | Read all users’ relevant people lists
  • Sites.Manage.All | Create, edit, and delete items and lists in all site collections
  • Sites.ReadWrite.All | Read and write items in all site collections (preview)
  • TeamMember.ReadWrite.All | Add team members/owners to source/target.
  • User.ReadWrite.All | Read and write all users’ full profiles
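The add-and-grant step for the list above, as an added example that is not part of the original page or Cloud Commander's code. It resolves each permission name to the resource's own appRole id, declares the permissions on the registration, grants admin consent, and then reports anything consented on that resource that is not in the workload list, which is the check worth running before handing over a registration with tenant-wide rights. The display name 'Cloud Commander' is an assumption. Because the function takes the resource app ID as a parameter, the same call serves the Exchange (full_access_as_app on Office 365 Exchange Online), OneDrive and SharePoint lists further down the page.

```powershell
# Added example (not Cloud Commander's own code): add application permissions,
# grant admin consent, and flag consented permissions outside the workload list.
$AppDisplayName = 'Cloud Commander'      # assumed display name of the registration

# Well-known resource app IDs for the APIs used on this page. The script resolves the
# service principal by appId, so a wrong value fails loudly rather than silently.
$Resources = @{
    Graph      = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
    Exchange   = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
    SharePoint = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online
}

# Teams workload list from the page; other workloads pass their own list.
$TeamsGraphRoles = 'Application.ReadWrite.All','ChannelMessage.Read.All','Chat.Read.All',
    'Directory.ReadWrite.All','Domain.ReadWrite.All','Group.ReadWrite.All','Mail.ReadWrite',
    'MailboxSettings.Read','Member.Read.Hidden','Notes.ReadWrite.All','People.Read.All',
    'Sites.Manage.All','Sites.ReadWrite.All','TeamMember.ReadWrite.All','User.ReadWrite.All'

Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All' -NoWelcome

$app = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'")
if ($app.Count -ne 1) { throw "Expected exactly one registration named '$AppDisplayName', found $($app.Count)" }
$app = $app[0]
$sp  = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

function Grant-ApplicationRoles {
    param([string]$ResourceAppId, [string[]]$RoleNames)

    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    # Resolve names to appRole ids on the resource; an unknown name is a typo in the
    # list and must not be skipped silently.
    $roles = foreach ($name in $RoleNames) {
        $r = $resourceSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $r) { throw "No application permission '$name' on $($resourceSp.DisplayName)" }
        $r
    }

    # Declare them on the registration (RequiredResourceAccess = the API permissions blade),
    # keeping entries for other resources that are already declared.
    $current  = Get-MgApplication -ApplicationId $app.Id
    $existing = @($current.RequiredResourceAccess | Where-Object ResourceAppId -ne $ResourceAppId |
        ForEach-Object {
            @{ ResourceAppId  = $_.ResourceAppId
               ResourceAccess = @($_.ResourceAccess | ForEach-Object { @{ Id = $_.Id; Type = $_.Type } }) }
        })
    $entry = @{
        ResourceAppId  = $ResourceAppId
        ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    }
    Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess ($existing + $entry)

    # Admin consent for an application permission is an app role assignment from our
    # service principal to the resource's service principal.
    $granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
               Where-Object ResourceId -eq $resourceSp.Id
    foreach ($role in $roles) {
        if ($granted.AppRoleId -contains $role.Id) { continue }   # already consented
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
            -PrincipalId $sp.Id -ResourceId $resourceSp.Id -AppRoleId $role.Id | Out-Null
    }
}

function Get-UnexpectedRoles {
    # Consented application permissions on the resource that the workload does not need.
    param([string]$ResourceAppId, [string[]]$ExpectedRoleNames)
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object ResourceId -eq $resourceSp.Id |
        ForEach-Object { ($resourceSp.AppRoles | Where-Object Id -eq $_.AppRoleId).Value } |
        Where-Object { $_ -notin $ExpectedRoleNames }
}

Grant-ApplicationRoles -ResourceAppId $Resources.Graph -RoleNames $TeamsGraphRoles
# Other workloads on this page use the same call, for example:
#   Grant-ApplicationRoles -ResourceAppId $Resources.Exchange   -RoleNames 'full_access_as_app'
#   Grant-ApplicationRoles -ResourceAppId $Resources.SharePoint -RoleNames 'Sites.FullControl.All','TermStore.ReadWrite.All'

$extra = Get-UnexpectedRoles -ResourceAppId $Resources.Graph -ExpectedRoleNames $TeamsGraphRoles
if ($extra) { Write-Warning "Consented but not required by this workload: $($extra -join ', ')" }
```

Run Get-UnexpectedRoles again once the migration is finished: permissions such as Directory.ReadWrite.All and Application.ReadWrite.All are tenant-wide and have no reason to stay consented after the last workload is migrated.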

Teams Application Registration

Microsoft Teams migrations have some functions that require delegated (user) permissions and an application (client) secret.

User Delegated Permissions

In addition to the application permissions above, some functions need an account with delegated permissions.

To do this, first add the following delegated permissions to the application registration:

  1. Login to the Microsoft Azure Portal (https://portal.azure.com)
  2. Go to App registrations
  3. Open the registered application
  4. Go to API permissions
  5. Choose Add a permission
  6. Choose Microsoft Graph, then Delegated permissions, and add:
    1. ChannelMessage.Delete
    2. ChannelMessage.Read.All
    3. ChannelMessage.Send
    4. Chat.ReadWrite
    5. Group.ReadWrite.All
    6. User.Read

In order to create channels and chat content, we need a migration account. This account will be the temporary owner of all Teams and is the account that will post chat messages that have been migrated.  You should pick the name of this account carefully as users will see it in chats.

This account has the following requirements:

  • This account needs a Microsoft Teams license
  • This account cannot be enabled for MFA
  • The UPN and password will need to be shared with Quadrotech, over a secure channel, in the same way as the client secret below
  • The account cannot be subject to a conditional access policy, or the Azure Function IP addresses need to be allowed by that policy

This account also needs to be assigned to the enterprise application that the registration created.

  1. Authorize the Teams Migration Application above
  2. Login to the Microsoft Azure Portal (https://portal.azure.com)
  3. Go to Enterprise Applications
  4. Find the Application ‘Cloud Commander Teams v2’
  5. Open this Application and go to Users and Groups
  6. Click Add User
  7. Select the User and then click assign

App Secret

To create an app secret, follow these instructions. You will need to provide this app secret to Quadrotech in a secure manner.

  1. Login to the Microsoft Azure Portal (https://portal.azure.com)
  2. Go to App registrations
  3. Open the registered application
  4. Go to Certificates & secrets
  5. Choose Client secrets
  6. Click New client secret and set an expiry no longer than the migration needs
    1. You must copy the value before leaving this screen. It cannot be read again once you leave, and you would have to generate another one.
    2. Treat this client secret in the same manner as a privileged account password.
    3. Please provide this to Quadrotech in a secure manner
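The three Teams-specific steps above (delegated permissions with admin consent, assigning the migration account to the enterprise application, and minting the client secret) as one script. This is an added example, not Cloud Commander's own code; the display name 'Cloud Commander', the migration account UPN and the three-month secret lifetime are assumptions used for illustration.

```powershell
# Added example (not Cloud Commander's own code): delegated scopes + consent,
# migration account assignment, and a client secret with a bounded lifetime.
$AppDisplayName  = 'Cloud Commander'                # assumed display name
$MigrationUpn    = 'teams-migration@contoso.com'    # illustrative UPN, not a real account
$DelegatedScopes = 'ChannelMessage.Delete','ChannelMessage.Read.All','ChannelMessage.Send',
                   'Chat.ReadWrite','Group.ReadWrite.All','User.Read'
$GraphAppId      = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph

Connect-MgGraph -Scopes 'Application.ReadWrite.All','DelegatedPermissionGrant.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All','User.Read.All' -NoWelcome

$app     = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
$sp      = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# 1. Delegated scopes are Type 'Scope' (application permissions are 'Role'). Ids come
#    from the Graph service principal, and any Graph entry already declared is merged.
$scopes = foreach ($name in $DelegatedScopes) {
    $s = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq $name
    if (-not $s) { throw "No delegated permission '$name' on Microsoft Graph" }
    $s
}
$rra = @($app.RequiredResourceAccess | ForEach-Object {
    @{ ResourceAppId  = $_.ResourceAppId
       ResourceAccess = @($_.ResourceAccess | ForEach-Object { @{ Id = $_.Id; Type = $_.Type } }) }
})
$graphEntry = $rra | Where-Object ResourceAppId -eq $GraphAppId
if (-not $graphEntry) {
    $graphEntry = @{ ResourceAppId = $GraphAppId; ResourceAccess = @() }
    $rra += $graphEntry
}
foreach ($s in $scopes) {
    if ($graphEntry.ResourceAccess.Id -notcontains $s.Id) {
        $graphEntry.ResourceAccess += @{ Id = $s.Id; Type = 'Scope' }
    }
}
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $rra

# Tenant-wide admin consent for delegated scopes is an OAuth2 permission grant
# (ConsentType AllPrincipals), not an app role assignment.
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope ($DelegatedScopes -join ' ') | Out-Null

# 2. Assign the migration account under Enterprise Applications > Users and groups.
#    The empty GUID is the default access role for an app that defines no app roles.
$user = Get-MgUser -UserId $MigrationUpn
New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id `
    -ResourceId $sp.Id -AppRoleId ([Guid]::Empty) | Out-Null

# 3. Client secret. SecretText is returned once and never again; a short expiry
#    (three months here, an assumption) bounds its exposure to the migration window.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Teams migration $(Get-Date -Format yyyy-MM-dd)"
    EndDateTime = (Get-Date).AddMonths(3)
}
# Hand the value over out of band; the clipboard (Windows) keeps it out of the
# console transcript.
$secret.SecretText | Set-Clipboard
Write-Host "Secret $($secret.KeyId) expires $($secret.EndDateTime); value copied to clipboard."
```

Remove-MgApplicationPassword with the printed KeyId deletes the secret once the migration is complete, and the same KeyId is what you would rotate if the value is ever exposed in transit.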

Protected APIs Registration

The ability to migrate chat content is restricted by Microsoft. In addition to granting the rights, you also need to register the application with Microsoft. This request takes 1-2 weeks to process. Please submit the request form found on this page: https://docs.microsoft.com/en-us/graph/teams-protected-apis

Exchange workload

Required permission for the Office 365 Exchange Online API (this is an Exchange Web Services permission, not a Microsoft Graph one; in the portal it is under APIs my organization uses):

  • full_access_as_app | Use Exchange Web Services with full access to all mailboxes

If you are migrating Office 365 Group mailboxes, please contact Product, as this has specific migration requirements and requires a privileged service account using Basic Authentication.

OneDrive workload

Required permissions for MS Graph API:

  • Files.Read.All | Read files in all site collections
  • Files.ReadWrite.All | Read and write files in all site collections
  • Notes.ReadWrite.All | Read and write all notebooks

SharePoint workload

Required permissions for the SharePoint API:

  • Sites.FullControl.All | Have full control of all site collections
  • Sites.Manage.All | Read and write items and lists in all site collections
  • Sites.Read.All | Read items in all site collections
  • Sites.ReadWrite.All | Read and write items in all site collections
  • TermStore.Read.All | Read managed metadata
  • TermStore.ReadWrite.All | Read and write managed metadata
  • User.Read.All | Read user profiles
  • User.ReadWrite.All | Read and write user profiles

Deployment wizard data required for deployment of Core CC components:

  • Subscription ID
  • Subscription Name
  • Tenant Name
  • Tenant ID
  • Resource group name (used for Azure deployment)
  • Application Name (used for Azure deployment)
  • App ID (used for Azure deployment)
  • Source Certificate
  • Source Certificate Password

Frontend registration (UI):

  • App ID
  • Tenant Name
  • Tenant ID
  • Object ID

Exchange workload

Deployment wizard required data:

  • Source Application ID
  • Source Application Thumbprint
  • Source Certificate
  • Source Certificate Password

  • Target Application ID
  • Target Application Thumbprint
  • Target Certificate
  • Target Certificate Password

  • Managed Application ID
  • Managed Application Certificate
  • Managed Application Certificate Password

Credentials for an Exchange server administrative account which has the ApplicationImpersonation role assigned.

Service accounts

Requirements for service accounts are described here.

Here are the documents being prepared in the coming months –

  • Core Requirements (Quadrotech hosted or client hosted)
  • Exchange Online to Exchange Online
  • Exchange on-premises to Exchange online
  • Exchange on-premises PowerShell connector
  • OneDrive For Business to One Drive For Business
  • Agent requirements (MAC and PC)
  • Teams to Teams
  • SharePoint Online to SharePoint Online
