Migrating OneDrive for Business Enterprise Users

One of the new features added in Simply Migrate version 4.4 is the ability to migrate OneDrive for Business users using a service account rather than relying on individual user consent. With some additional configuration in your Office 365 tenant (or on-premises / hybrid environment) you can now perform a scripted migration of all users with Simply Migrate, in the same way you would bulk-migrate any other data such as user mailboxes.

This article sets out the configuration required to achieve this.

Requirements

The scenario we will focus on here is an Office 365 to Office 365 tenant OneDrive for Business migration; hybrid scenarios have identical requirements and should also work with only a few alterations to these steps.

  • Simply Migrate v4.4.0.3993 or higher
  • A Global Administrator account to the Office 365 Tenant (for both tenants if moving between two)
  • A list of users to migrate (user UPN or AzureAD Guid is required)

Note: A Global Administrator Office 365 account is required for Step 2 below; at the time of writing this step cannot be completed via a delegated admin account. (Ref: Set-SPOUser TechNet)

We will need to complete the following steps:

1. Create an Azure AD application registration for the Office365 tenant (first tenant only)
2. Grant permissions to each OneDrive for Business user’s drive contents
3. Configure Simply Migrate OAuthApplications
4. Create a refresh token using your migration account
5. Create migration jobs

Step 1 – Create an Azure AD application registration

Using your Global Admin user, log in to the new Azure Portal at: https://portal.azure.com

If you’ve not used Azure AD before and don’t want to sign up for an Azure tenant, the good news is that you no longer need to. As long as you use the new Azure Portal with your Office 365 Global Administrator credentials you should have access to “Azure Active Directory” without requiring a subscription:

[Screenshot: Azure Active Directory Admin]

Go to App registrations, and create a new application registration:

[Screenshot: New application registration]

Make certain to select Web app / API under type and fill in the other details.

Now open the newly created app and, from Settings, configure the Reply URL as: http://localhost/auth/callback

Note: this URL doesn’t have to exist, as the PowerShell cmdlets intercept the callback.

Next, under permissions select Add API access and choose Microsoft Graph, then select the required permissions (under delegated permissions):

  • Have full access to user files
  • Access user’s data anytime
  • View users’ basic profile

Now open the Keys configuration and create a key to use; take note of the secret when you save, as you will need it later.

[Screenshot: Key configuration]

Finally, in our scenario we have two different O365 tenants, so we need to configure this app as a “Multi-tenanted” app in order to use it in both tenants. Skip this if only using one tenant.

[Screenshot: (optionally) Enable Multi-tenancy]

Now close the settings page and, before we finish, take note of the following information:

Application Id: A GUID
Secret Key: A secret key
Reply URL: The URL your app uses

Step 2 – Grant permissions to OneDrive drives

At the time of writing the OneDrive API does not allow app-level delegated permissions, so we need to explicitly grant permissions on each user’s drive that will be migrated. This can be done directly via the Office 365 Admin portal or by using a PowerShell script.

In this step we grant access to each user’s OneDrive to the account performing the grant: for Option 1 that is the account with which you log in to the admin portal; for Option 2 it is the credential you provide explicitly to the script.

Finally, this step must be completed for all users in both the source and target tenants, so unless you have an account with access to both tenants you will need to use two different accounts.

Note: If you use two different accounts, then ensure that you also generate two separate tokens in step 4 below.

Option 1 – Manually per user in the Office 365 Admin Center

1. Open the Admin Center as a Global Admin, and go to Users -> Active Users

2. Locate and select the user you want to update

[Screenshot: O365 User Config]

3. Expand OneDrive Settings and click Access files

[Screenshot: Grant access to OneDrive]

4. Wait a moment; once the permissions are set you will be shown the URL of the user’s OneDrive, e.g. https://something-my.sharepoint.com/personal/joe_something_onmicrosoft_com

5. Repeat for other users.

Option 2 – Using PowerShell to grant access to multiple users

If you have more than a few users to migrate you will want to script the permission assignment in one go; fortunately there is a PowerShell script available for that.

The script uses both the MSOnline module and the SharePoint Online Management Shell (the Microsoft.Online.SharePoint.PowerShell module, which provides Connect-SPOService and Set-SPOUser). If you do not have MSOnline installed, install it now from the PowerShell Gallery:

Install-Module MSOnline

Reference: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-msonlinev1?view=azureadps-2.0

Add Secondary MySite Admin Script

# Adds one administrator account as site collection admin on every user's OneDrive (personal site)
Import-Module MSOnline
Import-Module Microsoft.Online.SharePoint.PowerShell   # provides Connect-SPOService and Set-SPOUser
Write-Host "Please input credential of administrator"
$cred = Get-Credential
Connect-MsolService -Credential $cred
Write-Host "Please enter tenant"
$tenant = Read-Host
$adminsite = "https://" + $tenant + "-admin.sharepoint.com"
Connect-SPOService -Credential $cred -Url $adminsite
Write-Host "Please specify the administrator user principal name which will be the admin member for all personal sites"
$admin = Read-Host
# -All avoids the default page size, which would silently stop at the first 500 users
$usersLogin = Get-MsolUser -All | ForEach-Object { $_.UserPrincipalName }
foreach ($user in $usersLogin)
{
    # The personal site URL replaces every "." in BOTH the account and the domain part with "_"
    # (the original if/elseif only converted one of the two, producing a wrong URL for e.g. joe.bloggs@contoso.onmicrosoft.com)
    $account, $domain = $user.Split("@", 2)
    $account = $account.Replace(".", "_")
    $domain  = $domain.Replace(".", "_")
    $site = "https://" + $tenant + "-my.sharepoint.com/personal/" + $account + "_" + $domain

    try
    {
        Set-SPOUser -Site $site -LoginName $admin -IsSiteCollectionAdmin $true | Out-Null
        Write-Host "$admin has been added as an administrator for personal site $site`n"
    }
    catch
    {
        # Typically the personal site has not been provisioned yet for this user
        Write-Warning "Could not grant $admin access to $site : $($_.Exception.Message)"
    }
}

Original Source:
https://stackoverflow.com/questions/36385349/administrative-access-to-users-file-via-onedrive-for-business-api

Run this script in both the source and target tenants before continuing, so that every user’s drive has been granted access.

Step 3 – Configure Simply Migrate OAuth Applications

Now that we have all of our requirements in place, it’s time to configure our migration. First we need to configure our Azure AD application in Simply Migrate.

To do this we have introduced some new cmdlets in Simply Migrate:

Get-SMOAuthConfig

NAME
    Get-SMOAuthConfig

SYNTAX
    Get-SMOAuthConfig [[-Type] {NotSpecified | UsernamePassword | OneDrive | OneDriveBusiness | Dropbox | Google |
    GoogleDrive | Apple | BoxNet | SharePoint}]  []


ALIASES
    None


REMARKS
    None

New-SMOAuthConfig

NAME
    New-SMOAuthConfig

SYNTAX
    New-SMOAuthConfig -Type {NotSpecified | UsernamePassword | OneDrive | OneDriveBusiness | Dropbox | Google |
    GoogleDrive | Apple | BoxNet} -ApplicationId  -ClientSecret  [-CallbackUrl ] [-ExtraData
    ]  []


ALIASES
    None


REMARKS
    None

Set-SMOAuthConfig

NAME
    Set-SMOAuthConfig

SYNTAX
    Set-SMOAuthConfig [[-Type] {NotSpecified | UsernamePassword | OneDrive | OneDriveBusiness | Dropbox | Google |
    GoogleDrive | Apple | BoxNet}] [-ExistingAuthApplication ] [-ApplicationId ]
    [-ClientSecret ] [-CallbackUrl ] [-ExtraData ]  []


ALIASES
    None


REMARKS
    None

Remove-SMOAuthConfig

NAME
    Remove-SMOAuthConfig

SYNTAX
    Remove-SMOAuthConfig [[-Type] {NotSpecified | UsernamePassword | OneDrive | OneDriveBusiness | Dropbox | Google |
    GoogleDrive | Apple | BoxNet}] [-ExistingAuthApplication ]  []


ALIASES
    None


REMARKS
    None

Creating an Azure AD OAuthConfiguration for SimplyMigrate

Using the Azure AD application settings configured above, create a new OAuthConfiguration with the following command line:

New-SMOAuthConfig -Type OneDriveBusiness -ApplicationId [APPLICATION_ID_GUID] -ClientSecret [CLIENT_SECRET_KEY] -CallbackUrl [REPLY_URL]

The command returns the configuration object created, as below. To double-check, you can always view the configured OAuth configurations with:

Get-SMOAuthConfig


Type          : OneDriveBusiness
ApplicationId : [APPLICATION_ID_GUID]
ClientSecret  : [CLIENT_SECRET_KEY]
CallbackUrl   : [REPLY_URL]
ExtraData     :

(Replace the enclosed [TEXT] with your values from Step 1 above)

Step 4 – Create a refresh token

In order to complete the migration of users we need to generate a refresh token for authentication to use in all jobs. This token is linked to the Azure AD application created previously and to the user account used to create it, and it provides long-term access to our O365 tenants and to all users to which that account was granted access in Step 2.

Note: Refresh tokens last for a maximum of 90 days, or expire after 2 weeks of inactivity; however, we can always repeat these steps to create a new one.

To generate a token, run the following PowerShell command (Note: you’ll need the Chrome browser installed, as this command opens a browser window to complete the login):

New-SMAuthToken -Type OneDriveBusiness -GetRefreshToken

A browser window will be opened to the Microsoft account login page:

[Screenshot: Microsoft login page]

Log in using the service account that was granted access previously, then accept the permissions request.

[Screenshot: Approve access]

Once accepted, the browser window closes and the cmdlet returns the Refresh Token:

[Screenshot: Refresh Token in PowerShell]

Now either copy and paste that very long text string somewhere, or better yet save it to a variable by prefixing the command with “$refreshtoken = ” and use it directly in the next step.

Note: If in Step 2 above you granted permissions to two different accounts, one for the source and one for the target tenant, then you must create two separate tokens using the respective accounts.

Step 5 – Migrate OneDrive for Business users

Create the migration jobs via script using the following new job template:

New-SMJob -Source OneDriveBusiness -SourceInput user1@tenantA.com -SourceRefreshToken [REFRESH_TOKEN] -Target OneDriveBusiness -TargetOutput user1@tenantB.com -TargetRefreshToken [REFRESH_TOKEN]

To use this snippet, replace the refresh token placeholders, or ideally use a variable for each.
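Putting Steps 4 and 5 together, the following is an added PowerShell script (not part of the original article or the Simply Migrate module) that acquires one refresh token per tenant, reads a constructed source-to-target user mapping, and creates one job per user. It assumes only the cmdlets shown above (New-SMAuthToken with -Type and -GetRefreshToken, New-SMJob with the parameters of the job template) and that the hypothetical users.csv has SourceUpn and TargetUpn columns.

```powershell
# Added example: bulk OneDrive for Business job creation with Simply Migrate.
# Assumes the cmdlets shown in this article; the CSV layout is a constructed example.
#
# users.csv (constructed):
#   SourceUpn,TargetUpn
#   joe.bloggs@tenantA.com,joe.bloggs@tenantB.com
#   jane.doe@tenantA.com,jane.doe@tenantB.com
$mappingFile = ".\users.csv"

# Step 4: one refresh token per tenant. Each call opens a browser window; sign in with
# the account that was granted drive access in Step 2 for that tenant. If a single
# account was granted access in both tenants, one token can be reused for both sides.
Write-Host "Sign in with the SOURCE tenant service account..."
$sourceToken = New-SMAuthToken -Type OneDriveBusiness -GetRefreshToken
Write-Host "Sign in with the TARGET tenant service account..."
$targetToken = New-SMAuthToken -Type OneDriveBusiness -GetRefreshToken
if (-not $sourceToken -or -not $targetToken) {
    throw "Refresh token acquisition failed; repeat Step 4."
}

# Step 5: one job per mapped user. The tokens grant access to every drive from Step 2,
# so they are kept in session variables rather than written to disk or a script file.
$users = Import-Csv -Path $mappingFile
$results = foreach ($u in $users) {
    if ([string]::IsNullOrWhiteSpace($u.SourceUpn) -or [string]::IsNullOrWhiteSpace($u.TargetUpn)) {
        Write-Warning "Skipping row with a missing UPN: $($u | ConvertTo-Json -Compress)"
        continue
    }
    try {
        $job = New-SMJob -Source OneDriveBusiness -SourceInput $u.SourceUpn -SourceRefreshToken $sourceToken `
                         -Target OneDriveBusiness -TargetOutput $u.TargetUpn -TargetRefreshToken $targetToken
        [pscustomobject]@{ SourceUpn = $u.SourceUpn; TargetUpn = $u.TargetUpn; Status = 'Created'; Job = $job }
    }
    catch {
        [pscustomobject]@{ SourceUpn = $u.SourceUpn; TargetUpn = $u.TargetUpn; Status = "Failed: $($_.Exception.Message)"; Job = $null }
    }
}

# Summary of created and failed jobs, then drop the tokens from the session
$results | Select-Object SourceUpn, TargetUpn, Status | Format-Table -AutoSize
Remove-Variable sourceToken, targetToken
```

Rows whose job creation fails are reported rather than aborting the loop, so a single bad mapping does not stop the rest of the batch.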

Final Words

With the ability to migrate OneDrive for Business (*ahem* and Dropbox, Box, Google Drive …) now fully integrated into the Simply Migrate PowerShell module, adding these migration tasks to your script tool-kit couldn’t be easier.
