Mailbox migration is a complex process that requires technical skills and knowledge of both the source and target environments. One of the questions that comes up when planning the migration is which roles and permissions are required for the migration to be successful. You could close the topic simply by saying “Get Global Admin if it’s Microsoft 365 (Office 365) and the Organization Management role if on-premises”. However, your company may have a strict policy of complying with the principle of least privilege. In that case, it comes in handy to know the exact permissions required.
Learn more about migration
Permissions are just one piece of a much larger puzzle. If you want to learn more about different migration types and a general migration plan, read this article.
Source environment roles
You should make sure that your processes are as secure as possible and do not generate any unnecessary risks. For this reason, whenever possible, you should not use accounts with the highest level of access for migration or other processes. Instead, use a dedicated account with the minimum required permissions. The exact permissions required for the source environment depend on the type of source environment and the type of migration.
Migration from on-premises Exchange
Unless you are concerned with the minimum permissions required, a member of the Domain Admins group in the local AD should be able to perform all migration steps.
When you run a cutover or staged migration, the basic steps your migration account needs to perform are creating a migration endpoint and migration batches. With one of the following permissions, you should be able to run the process successfully:
- FullAccess permission for each mailbox that you want to migrate. If you are planning a staged Exchange migration, you will also need the WriteProperty permission.
- Receive As permission for the local mailbox database.
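The two options above, granted to a dedicated account and removed again after the migration, as an added example that is not part of the original article. The account name, database name and mailbox list file are constructed; scoping WriteProperty to the TargetAddress attribute follows Microsoft's staged-migration guidance rather than this page.

```powershell
# Added example: run in the Exchange Management Shell on the source server.
# Constructed values: account, database name and the mailbox list file.
$Account   = 'CONTOSO\svc-migration'
$Database  = 'Mailbox Database 01'
$Mailboxes = Get-Content -Path '.\mailboxes-in-scope.txt'   # one alias per line
$Staged    = $true     # staged migration also needs WriteProperty
$WholeDb   = $false    # $true: Receive As on the database instead of FullAccess

function Grant-MigrationAccess {
    if ($WholeDb) {
        # Broad option: a single grant that covers every mailbox in the database.
        Add-ADPermission -Identity $Database -User $Account -ExtendedRights 'Receive-As'
    } else {
        # Narrow option: FullAccess only on the mailboxes that are being migrated.
        foreach ($m in $Mailboxes) {
            Add-MailboxPermission -Identity $m -User $Account -AccessRights FullAccess -InheritanceType All
        }
    }
    if ($Staged) {
        foreach ($m in $Mailboxes) {
            # Limited to TargetAddress, the attribute a staged migration rewrites.
            $dn = (Get-Mailbox -Identity $m).DistinguishedName
            Add-ADPermission -Identity $dn -User $Account -AccessRights WriteProperty -Properties 'TargetAddress'
        }
    }
}

function Revoke-MigrationAccess {
    # Mirror of the grants above; run as soon as the last batch has completed.
    if ($WholeDb) {
        Remove-ADPermission -Identity $Database -User $Account -ExtendedRights 'Receive-As' -Confirm:$false
    } else {
        foreach ($m in $Mailboxes) {
            Remove-MailboxPermission -Identity $m -User $Account -AccessRights FullAccess -InheritanceType All -Confirm:$false
        }
    }
    if ($Staged) {
        foreach ($m in $Mailboxes) {
            $dn = (Get-Mailbox -Identity $m).DistinguishedName
            Remove-ADPermission -Identity $dn -User $Account -AccessRights WriteProperty -Properties 'TargetAddress' -Confirm:$false
        }
    }
}

Grant-MigrationAccess
# Verify what the account can now reach before the first batch is created.
$Mailboxes | ForEach-Object { Get-MailboxPermission -Identity $_ -User $Account }
```

Call `Revoke-MigrationAccess` with the same settings once the migration is finished, so the account does not keep standing access to the mailboxes.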
Hybrid Exchange migration is a more complex process. It brings together your on-prem and cloud environments and requires the use of tools like Hybrid Configuration Wizard and AAD Connect. Because of this, a higher permission level is required. You need either:
- to be a member of Exchange Recipient Administrators in the local AD, or
- to be a member of the Organization Management or Recipient Management group if you are migrating from Exchange 2010+.
Learn how to assign permissions to mailboxes
Learn more about migration permissions on Microsoft’s site
IMAP migration
Migrating from IMAP is a whole different story. What you need from your source environment is a CSV file with each mailbox username and password. In other words, you could say it’s full access to source mailboxes.
PST migration
This manual migration method is typically reserved for the smallest migration projects.
What you need from the source environment is a PST file for each mailbox you want to migrate. You could handle it without roles or permissions by asking users to generate their own PST files, but in most cases you will want to create the PSTs yourself.
If your source environment is not Exchange Server, the easiest way to retrieve PST files is to access each mailbox via Outlook and use Outlook Import/Export tool.
For Exchange-based environments, you can use PowerShell to generate PST files in bulk. I have shown how to do this in this article. The permission required to perform this task is the Mailbox Import Export role. By default, this role is not assigned to any role group.
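Because the role is not part of any role group by default, every holder is an explicit grant that can be reviewed and removed. The following added example (not from the original article) lists current holders, assigns the role to a dedicated account under a recognisable assignment name, and removes it afterwards; the account and assignment names are constructed.

```powershell
# Added example: run in the Exchange Management Shell by an Exchange admin.
# Constructed values: the account name and the assignment name.
$Role       = 'Mailbox Import Export'
$Account    = 'svc-migration'
$Assignment = 'PST-Export-svc-migration'

function Get-ImportExportHolders {
    # The role is in no role group by default, so every non-delegating
    # assignment returned here was created deliberately by someone.
    Get-ManagementRoleAssignment -Role $Role -Delegating $false -GetEffectiveUsers |
        Select-Object Name, RoleAssigneeName, EffectiveUserName
}

function Grant-PstExportRole {
    # Direct assignment to the dedicated account, named so it is easy to find.
    New-ManagementRoleAssignment -Name $Assignment -Role $Role -User $Account
}

function Revoke-PstExportRole {
    # Run once the PST files have been written, then re-check the holders.
    Remove-ManagementRoleAssignment -Identity $Assignment -Confirm:$false
    Get-ImportExportHolders
}

# Review who already holds the role before adding another holder.
Get-ImportExportHolders | Format-Table -AutoSize
Grant-PstExportRole
# The account has to open a new shell session before the export cmdlets
# (for example New-MailboxExportRequest) become available to it.
```

Run `Revoke-PstExportRole` when the export is complete; its output should no longer list the migration account.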
Tenant-to-tenant migration
The native cross-tenant mailbox migration process is still in preview and is subject to change. According to this page from Microsoft, the exact management role required to perform a migration is Move Mailboxes, which is what lets the account run the New-MigrationBatch cmdlet. Because this method requires PowerShell, you must be able to start a remote PowerShell session and connect to Exchange Online.
Roles of the target environment
To understand what roles and permissions are required for the target Microsoft 365 tenant, let’s first take a look at some of the tasks that need to be performed in the target environment.
- Create and license mailboxes.
- Change your domain’s MX record to point to the target server.
While the first task requires the Global, License or User Admin role, the permissions to perform the second are usually reserved for the Global Admin only.
Migration made easy
If you don’t want to create tedious migration plans, checklists, and spend days researching just to start moving to Microsoft 365, there is an alternative way.
With CodeTwo Office 365 Migration you can migrate to Microsoft 365 from any Exchange Server (including a hosted one), another Microsoft 365 tenant or an IMAP server.
The software allows you to:
- Automatically assign the required permissions to the migration account when migrating from on-premises Exchange.
- Create and automatically match source and target mailboxes.
- Assign Microsoft 365 licenses.
- Apply filters to, for example, migrate only the latest mailbox items for quick migrations.
- Use the delta migration feature to sync remaining changes after the initial migration phase.
- Complete the process from start to finish using a simple interface.