Service account permissions
Depending on your project, you may also need to provide some service accounts with certain rights.
This document includes the most common requirements. If you are using custom scripts, you will need to ensure the service account has the rights to execute these scripts.
Exchange Mailbox Permissions
To migrate mailbox permissions, we need to execute commands in PowerShell using our PowerShell modules. To do this, we need up to 5 service accounts with the proper permissions to execute the migration commands.
To see the requirements for the PowerShell Execution Module, click here.
Exchange Online Service Accounts
The account needs to be able to run these commands:
Source
- Get-Mailbox
- Get-MailUser
- Get-DistributionGroup
- Get-MailboxPermission
- Get-RecipientPermission
Target
- Add-MailboxPermission
- Add-RecipientPermission
- Set-Mailbox
By default, these roles have these permissions:
- Exchange Admin
- Global Admin
Note: To avoid complications with domain moves, please give service accounts a UPN that is not tied to a custom domain. This is best accomplished by assigning the UPN to the .onmicrosoft.com domain in your tenant.
Exchange OnPrem Service Accounts
The account needs to be able to run these commands:
Source
- Get-Mailbox
- Get-MailUser
- Get-DistributionGroup
- Get-MailboxPermission
- Get-ADPermission
Target
- Add-MailboxPermission
- Add-ADPermission
- Set-Mailbox
By default, these roles have these permissions:
- Organization Management
- Exchange Organization Administrator
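A pre-flight check for the Exchange cmdlet lists above, as an added example that is not part of the vendor's tooling: run in a session signed in as the service account, it reports which required cmdlets are missing and whether the UPN sits on the .onmicrosoft.com domain. The function name, the sample account, and the extra check for write cmdlets on a source account are assumptions of this example.

```powershell
# Added example. Required cmdlets are copied from the lists on this page.
$RequiredCmdlets = @{
    'Online/Source' = 'Get-Mailbox','Get-MailUser','Get-DistributionGroup','Get-MailboxPermission','Get-RecipientPermission'
    'Online/Target' = 'Add-MailboxPermission','Add-RecipientPermission','Set-Mailbox'
    'OnPrem/Source' = 'Get-Mailbox','Get-MailUser','Get-DistributionGroup','Get-MailboxPermission','Get-ADPermission'
    'OnPrem/Target' = 'Add-MailboxPermission','Add-ADPermission','Set-Mailbox'
}

function Test-MigrationServiceAccount {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][ValidateSet('Online','OnPrem')][string]$Platform,
        [Parameter(Mandatory)][ValidateSet('Source','Target')][string]$Side,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Exchange role-based access control limits which cmdlets a session exposes,
        # so the commands visible to the signed-in account reflect what it may run.
        [string[]]$AvailableCmdlets = (Get-Command -CommandType Cmdlet,Function).Name
    )
    $required = $RequiredCmdlets["$Platform/$Side"]
    $missing  = @($required | Where-Object { $_ -notin $AvailableCmdlets })

    # Assumption of this example: a source account only reads, so any target-side
    # write cmdlet it can see is more privilege than the source list calls for.
    $extraWrite = @(if ($Side -eq 'Source') {
        $RequiredCmdlets["$Platform/Target"] | Where-Object { $_ -in $AvailableCmdlets }
    })

    # The UPN note on this page applies to the Exchange Online accounts.
    $onTenantDomain = (($UserPrincipalName -split '@')[-1] -like '*.onmicrosoft.com')
    $upnOk = ($Platform -eq 'OnPrem') -or $onTenantDomain

    [pscustomobject]@{
        Account            = $UserPrincipalName
        Scope              = "$Platform/$Side"
        MissingCmdlets     = $missing
        ExtraWriteCmdlets  = $extraWrite
        UpnOnTenantDomain  = $upnOk
        Ready              = ($missing.Count -eq 0) -and $upnOk
    }
}

# Constructed sample: cmdlet names as a read-only source session might expose them.
$sample = 'Get-Mailbox','Get-MailUser','Get-DistributionGroup','Get-MailboxPermission'
Test-MigrationServiceAccount -Platform Online -Side Source `
    -UserPrincipalName 'svc-migration@contoso.onmicrosoft.com' -AvailableCmdlets $sample
# In a live session, connect as the service account and omit -AvailableCmdlets.
```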
Teams
During the chat migration, the chats will be written from a service account. The display name of this service account will be visible to the users, so it should be selected carefully. For example, “Migration Administrator” or “Administrator” are good choices.
This account needs to have a Teams License.
Note: This user will also become the owner during migration so the user can write to the teams.
Note: To avoid complications with domain moves, please give service accounts a UPN that is not tied to a custom domain. This is best accomplished by assigning the UPN to the .onmicrosoft.com domain in your tenant.
SharePoint
Some functions, like creating the SharePoint Online site and setting an owner, must be done by a SharePoint Administrator.
All SharePoint migrations require a service account with SharePoint Administrator rights.
Note: To avoid complications with domain moves, please give service accounts a UPN that is not tied to a custom domain. This is best accomplished by assigning the UPN to the .onmicrosoft.com domain in your tenant.
OneDrive for Business
At this time, no functions for OneDrive for Business migrations require a service account.