Cloud Commander – App Registration – Service Account Requirements

Service account permissions

Depending on your project, you may also need to provide some service accounts with certain rights. 

This document includes the most common requirements.  If you are using custom scripts, you will need to ensure the service account has the rights to execute these scripts. 

Exchange Mailbox Permissions

 

Note:  If you are only migrating Exchange data, and not migrating permissions, a Service Account is not needed for Exchange Online to Exchange Online Migrations.

To migrate Mailbox Permissions, we need to execute commands in PowerShell using our PowerShell modules. This requires up to 5 service accounts with the proper permissions to execute the migration commands.

To see the requirements for the PowerShell Execution Module, click here.

Exchange Online Service Accounts

The account needs to be able to run these commands:

Source 

  • Get-Mailbox 
  • Get-MailUser 
  • Get-DistributionGroup 
  • Get-MailboxPermission 
  • Get-RecipientPermission 

Target 

  • Add-MailboxPermission 
  • Add-RecipientPermission 
  • Set-Mailbox 

By default these roles have these permissions 

  • Exchange Admin 
  • Global Admin 

Note: To avoid complications with domain moves, please give service accounts a UPN that is not tied to a custom domain.  This is best accomplished by assigning the UPN to the .onmicrosoft.com domain in your tenant.

Exchange OnPrem Service Accounts

The account needs to be able to run these commands: 

Source 

  • Get-Mailbox 
  • Get-MailUser 
  • Get-DistributionGroup 
  • Get-MailboxPermission 
  • Get-ADPermission 

Target 

  • Add-MailboxPermission 
  • Add-ADPermission
  • Set-Mailbox 

By default these roles have these permissions 

  • Organizational Management 
  • Exchange Organization Administrator
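
One way to confirm that a service account can actually run the cmdlets listed above before starting a migration (an added example, not Cloud Commander's own code). It assumes the current PowerShell session is already connected to Exchange as the service account and relies on Exchange exposing only the cmdlets the account's role assignments allow; the function name `Test-MigrationServiceAccount`, the role labels and the sample UPN are hypothetical.

```powershell
# Added example: run in a session already connected as the service account
# (for example, after Connect-ExchangeOnline). Assumption: Exchange only loads
# cmdlets permitted by the account's role assignments, so a cmdlet that is
# not visible in the session indicates a missing right.

# Cmdlet lists copied from this page; the key names are labels made up here.
$RequiredCmdlets = @{
    'Online-Source' = 'Get-Mailbox','Get-MailUser','Get-DistributionGroup',
                      'Get-MailboxPermission','Get-RecipientPermission'
    'Online-Target' = 'Add-MailboxPermission','Add-RecipientPermission','Set-Mailbox'
    'OnPrem-Source' = 'Get-Mailbox','Get-MailUser','Get-DistributionGroup',
                      'Get-MailboxPermission','Get-ADPermission'
    'OnPrem-Target' = 'Add-MailboxPermission','Add-ADPermission','Set-Mailbox'
}

function Test-MigrationServiceAccount {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Online-Source','Online-Target','OnPrem-Source','OnPrem-Target')]
        [string]$Role,
        [string]$UserPrincipalName   # optional; only checked for Exchange Online
    )

    # Collect every required cmdlet that is not available in this session.
    $missing = @($RequiredCmdlets[$Role] | Where-Object {
        -not (Get-Command -Name $_ -ErrorAction SilentlyContinue)
    })

    # The page recommends a UPN on the tenant's .onmicrosoft.com domain.
    $upnOk = $null
    if ($Role -like 'Online-*' -and $UserPrincipalName) {
        $upnOk = $UserPrincipalName -like '*.onmicrosoft.com'
    }

    [pscustomobject]@{
        Role              = $Role
        MissingCmdlets    = $missing
        UpnOnTenantDomain = $upnOk
        Ready             = ($missing.Count -eq 0) -and ($upnOk -ne $false)
    }
}

# Constructed sample UPN; replace with the real service account.
Test-MigrationServiceAccount -Role 'Online-Source' -UserPrincipalName 'svc-migration@contoso.onmicrosoft.com'
```

The check covers cmdlet visibility only. An account holding Exchange Admin or Global Admin will pass, and so will a narrower custom role that grants just these cmdlets.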

Teams

During the chat migration, the chats will be written from a service account.  The display name of this service account will be visible to the users, so it should be selected carefully.  For example, “Migration Administrator” or “Administrator” are good choices.

This account needs to have a Teams License. 

Note: This user will also become the owner during migration so the user can write to the teams. 

Note: To avoid complications with domain moves, please give service accounts a UPN that is not tied to a custom domain.  This is best accomplished by assigning the UPN to the .onmicrosoft.com domain in your tenant.

SharePoint

Some functions, like creating the SharePoint Online site and setting an owner, must be done by a SharePoint Administrator.   

All SharePoint migrations require a service account with SharePoint Administrator rights.

Note: To avoid complications with domain moves, please give service accounts a UPN that is not tied to a custom domain.  This is best accomplished by assigning the UPN to the .onmicrosoft.com domain in your tenant.

OneDrive for Business

At this time, no functions for OneDrive for Business migrations require a service account.
