This article explains how to create an Entra ID application for use with the Cloudiway migration product.
The Cloudiway platform creates this application for you automatically. This procedure is only necessary if you want full control over the process and prefer to create the application manually.
The following steps generate the Client ID, the Client Secret and the certificate needed by your Cloudiway connector.
Step 1: Create the Certificate for the new Application.
Using PowerShell, execute the following commands to create your certificate, then export its public part (.cer).

```powershell
$certname = "{certificateName}" ## Replace {certificateName}
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

## Export the certificate (.cer)
Export-Certificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.cer" ## Specify your preferred location
```
Step 2: Create the Private key with a Password for Cloudiway’s platform.
Execute the following commands to define your password, then export the private key (.pfx).

```powershell
$mypwd = ConvertTo-SecureString -String "{myPassword}" -Force -AsPlainText ## Replace {myPassword}

## Export the private key (.pfx)
Export-PfxCertificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.pfx" -Password $mypwd ## Specify your preferred location
```
You can find the complete article here.
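The following script is an added example, not part of the Cloudiway article: it runs Steps 1 and 2 end to end and then verifies that the exported .pfx actually contains the private key and matches the certificate left in the user store, which is the check you want before the file leaves the machine. The certificate name, the export folder and the two-year validity period are assumptions; the article's own command does not set a validity period.

```powershell
# Added example (not from the Cloudiway article). Creates the certificate, exports
# both files and verifies the .pfx before it is handed to the connector.
# Assumptions: the certificate name, the export folder and the 2-year validity.
$certName    = "CloudiwayMigration"                         # assumed name
$exportDir   = Join-Path $env:USERPROFILE "Desktop"          # assumed location
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString   # prompt instead of hard-coding the password

# Same parameters as the article, plus an explicit validity period so the
# certificate expires once the migration project is expected to be over.
$cert = New-SelfSignedCertificate -Subject "CN=$certName" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable -KeySpec Signature `
    -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)

$cerPath = Join-Path $exportDir "$certName.cer"
$pfxPath = Join-Path $exportDir "$certName.pfx"

# The public part (.cer) is uploaded to the app registration in Step 3; the private
# part (.pfx) goes to the Cloudiway connector together with its password.
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Verification: reload the .pfx with the password and compare it with the store copy.
$reloaded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)
if ($reloaded.Thumbprint -ne $cert.Thumbprint) { throw "Exported .pfx does not match the certificate in the store" }
if (-not $reloaded.HasPrivateKey)              { throw "Exported .pfx does not contain the private key" }

# Summary; keep the thumbprint, it is needed to test the app-only sign-in later.
[PSCustomObject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    CerFile    = $cerPath
    PfxFile    = $pfxPath
}
```

The .pfx file plus its password is the application's credential: anyone holding both can authenticate as the application with every permission granted in Step 4, so store them like an administrator password and delete the local copies once the connector has them.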
Step 3: Create a new Application.
Log in to the Azure portal using your Microsoft 365 administrator account.
- Go to https://portal.azure.com
- Select Microsoft Entra ID
- Click on App Registration
- Click on New Registration
Give a name to the application.
Supported account types: select "Accounts in this organizational directory only".
If you are migrating Microsoft Teams and plan to migrate direct messages, you need to add these two redirect URLs in the source application:
- https://portal.cloudiway.com/teams/callback
- https://portal.cloudiway.com/connector
In all other cases the redirect URL is not used; enter any value, for example https://notused

Click On Register.
Create a New Secret.
- Click on Certificates and Secrets
- Click On New Client Secret
Enter a description, an expiration date, and Click Add

Save the client secret!
Note: The secret is no longer used. It is kept only for the transition period: as part of Microsoft's security push, it is being replaced by the certificate for authenticating the application.
Let's add the certificate.
- Click on Certificates and Secrets
- Click on Certificates
- Click on Upload Certificate
Next, click on Authentication and enable "Allow public client flows".

Step 4: Graph API Permissions
- Click On API Permissions
- Click on Add a permission

Permissions for Microsoft Graph API
| Connector | Graph API | Source | Target |
|---|---|---|---|
| GALSync | Microsoft Graph | Directory.Read.All, Group.Read.All, User.Read.All, OrgContact.Read.All; to enable the modification of Guest or Mail users: User.ReadWrite.All; to create items as Guests: User.Invite.All | |
| Free/Busy | Microsoft Graph | Calendars.Read | |
| | Microsoft Graph | Directory.Read.All, Group.Read.All | Directory.Read.All, Group.ReadWrite.All |
| | Office 365 Exchange Online | full_access_as_app **, Exchange.ManageAsApp | full_access_as_app **, Exchange.ManageAsApp |
| OneDrive | Microsoft Graph | Directory.Read.All, Files.Read.All, Sites.Read.All, Group.Read.All, User.Read.All | Directory.Read.All, Files.ReadWrite.All, Sites.ReadWrite.All, Sites.FullControl.All, Group.ReadWrite.All, User.Read.All |
| Teams | Microsoft Graph | ChannelMember.ReadWrite.All, ChannelMessage.Read.All (Delegated), ChannelMessage.Read.All, Chat.Read (Delegated), Chat.Read.All, Directory.Read.All, Files.Read.All (Delegated), Files.Read.All, Group.Read.All (Delegated), Group.Read.All, Group.ReadWrite.All *, GroupMember.Read.All (Delegated), Sites.Read.All (Delegated), Sites.Read.All, User.Read.All, Tasks.Read.All | Directory.Read.All, Files.ReadWrite.All, Group.ReadWrite.All, Group.ReadWrite.All (Delegated), Sites.ReadWrite.All, User.ReadWrite.All, OrgContact.Read.All, Calendars.Read, User.Invite.All, Tasks.ReadWrite.All, Channel.Create, ChannelMember.ReadWrite.All, ChannelSettings.ReadWrite.All, Chat.Read (Delegated), ChatMember.Read (Delegated), Chat.Read.All, Chat.ReadWrite (Delegated), ChatMember.ReadWrite.All, Sites.FullControl.All, Teamwork.Migrate.All, TeamsTab.ReadWrite.All |
| | Office 365 Exchange Online | full_access_as_app **, Exchange.ManageAsApp | full_access_as_app **, Exchange.ManageAsApp |
| SharePoint | Microsoft Graph | Directory.Read.All, Files.Read.All, Group.Read.All, Group.ReadWrite.All *, Sites.Read.All, User.Read.All | Directory.Read.All, Files.ReadWrite.All, Group.ReadWrite.All, Sites.ReadWrite.All, User.ReadWrite.All |
| Signature | Microsoft Graph | User.Read.All, Group.Read.All, User.Read | |
| Google Groups | Office 365 Exchange Online | | full_access_as_app **, Exchange.ManageAsApp |
| Intune | Microsoft Graph | Agreement.Read.All, Application.Read.All, DeviceManagementApps.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementRBAC.Read.All, DeviceManagementServiceConfig.Read.All, Directory.Read.All, Group.Read.All, Organization.Read.All, Policy.Read.All, Policy.Read.ConditionalAccess, Policy.Read.PermissionGrant | Directory.AccessAsUser.All (Delegated), Agreement.ReadWrite.All, Application.ReadWrite.All, DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementRBAC.ReadWrite.All, DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Organization.Read.All, Policy.Read.All, Policy.Read.ConditionalAccess, Policy.Read.PermissionGrant, Policy.ReadWrite.AccessReview, Policy.ReadWrite.ApplicationConfiguration, Policy.ReadWrite.AuthenticationFlows, Policy.ReadWrite.AuthenticationMethod, Policy.ReadWrite.Authorization, Policy.ReadWrite.ConditionalAccess, Policy.ReadWrite.ConsentRequest, Policy.ReadWrite.CrossTenantAccess, Policy.ReadWrite.ExternalIdentities, Policy.ReadWrite.FeatureRollout, Policy.ReadWrite.PermissionGrant, Policy.ReadWrite.SecurityDefaults, Policy.ReadWrite.TrustFramework |

Rows with an empty Connector cell continue the connector of the row above them (the connector name for the row before OneDrive is not given in the article).
Permissions for SharePoint Online (SharePoint API)
| Connector | Source | Target |
|---|---|---|
| SharePoint | Sites.FullControl.All, User.Read.All, Sites.Read.All | User.ReadWrite.All, Sites.FullControl.All, TermStore.ReadWrite.All |
| OneDrive | Sites.FullControl.All, User.Read.All, Sites.Read.All | User.ReadWrite.All, Sites.Read.All |
* The migration account needs to be an Owner and a Member of the Group/Team in both the source and the target. If it is not, the migration engine adds it automatically, which requires the Group.ReadWrite.All permission.
** The process for adding the EWS scopes is slightly different:
- Select Add a permission.
- In the Request API permissions window, select APIs my organization uses, search for Office 365 Exchange Online, and then select it.
- Select Application permissions.
- Under Select permissions, expand Other permissions and select full_access_as_app.
These are samples of how API permissions should look for the source and the target:
[Screenshot: Source API permissions]
[Screenshot: Target API permissions]
- To add a permission, click on Microsoft Graph or SharePoint in the list, select Application permissions, and add the relevant permissions.
- When all the permissions are added, close the API selection window and click on Grant admin consent. Until an administrator grants consent, the permissions are only requested, not effective.
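Admin consent is what turns the requested permissions into grants held by the application's service principal, and the portal only shows them one app at a time. The script below is an added example, not Cloudiway code: it uses the Microsoft Graph PowerShell SDK to list every application permission (app role assignment) and delegated permission (OAuth2 permission grant) the registered app holds, and compares the application permissions with the list expected for one connector from the table above, so that anything granted beyond the connector's needs, or anything still missing consent, stands out. The app ID is a placeholder, and the expected list is the Free/Busy source set from the table, used here only as an illustration.

```powershell
# Added example (not Cloudiway code). Requires the Microsoft.Graph PowerShell SDK.
# Assumptions: $appId is a placeholder; $expected is the Free/Busy source set from
# the table above, substitute the list for the connector you are configuring.
$appId    = "00000000-0000-0000-0000-000000000000"   # placeholder: Application (client) ID of the app
$expected = @("Calendars.Read")                      # assumed: the connector's required application permissions

Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# The service principal is the tenant-side object that actually holds the grants.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal for $appId in this tenant; was the app registered here?" }

# Application permissions are app role assignments: a role ID defined on the resource API
# (Microsoft Graph, Office 365 Exchange Online, SharePoint), resolved here to its name.
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role     = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    [PSCustomObject]@{ Api = $resource.DisplayName; Permission = $role.Value; Type = "Application" }
}

# Delegated permissions ("(Delegated)" in the table) live in OAuth2 permission grants,
# one object per resource with a space-separated scope string.
$delegated = foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        [PSCustomObject]@{ Api = $resource.DisplayName; Permission = $scope; Type = "Delegated ($($g.ConsentType))" }
    }
}

# Full inventory of what the app can do in this tenant.
@($granted) + @($delegated) | Sort-Object Api, Type, Permission | Format-Table -AutoSize

# Compare application permissions with the connector's list.
$missing = $expected | Where-Object { $_ -notin $granted.Permission }
$extra   = $granted.Permission | Where-Object { $_ -notin $expected }
if ($missing) { Write-Warning "Not granted yet (admin consent pending?): $($missing -join ', ')" }
if ($extra)   { Write-Warning "Granted but not in the connector's list: $($extra -join ', ')" }
if (-not $missing -and -not $extra) { "Application permissions match the expected list." }
```

Run it once after granting consent and again when the migration is finished: an app that keeps Sites.FullControl.All or Directory.ReadWrite.All after the project is over is a standing privilege nobody is watching, and removing the grant (or deleting the registration) is the cleanup step.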

Step 5: Assign Microsoft Entra roles to the application
Follow this step only if you are migrating emails. These steps come from this article: https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
Add the following two roles:
- Exchange Administrator
- Exchange Recipient Administrator
Step 1: Navigate to the Microsoft Entra roles and administrators page: open https://portal.azure.com/#view/Microsoft_AAD_IAM/AllRolesBlade
Step 2: Select the Exchange Administrator role and edit it.
Step 3: Click on Add assignment.
Step 4: Find and select the app that you created.
If you are using the automatic Cloudiway connectors, add the following application IDs instead:
For source: 5f7eb765-974a-45c6-8f93-43a417abdedd
For target: ac1e5a45-2177-412c-ac06-09ba04df530a
Repeat the above steps for the Exchange Recipient Administrator role.
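Before handing the credentials to the connector it is worth proving that the whole chain works: the roles from Step 5 are on the application's service principal, and the certificate from Step 1 signs the application in without any secret. The script below is an added example, not Cloudiway code, and follows the app-only authentication pattern of the Microsoft article linked above. The application ID, tenant name and certificate thumbprint are placeholders; it needs the Microsoft.Graph and ExchangeOnlineManagement modules.

```powershell
# Added example (not Cloudiway code). Checks the Step 5 role assignments and then
# tests the certificate-based (app-only) sign-in to Exchange Online.
# Assumptions: the three values below are placeholders for your environment.
$appId      = "00000000-0000-0000-0000-000000000000"          # placeholder: Application (client) ID
$tenant     = "contoso.onmicrosoft.com"                      # placeholder: the tenant's initial domain
$thumbprint = "<thumbprint of the Step 1 certificate>"        # placeholder: certificate in Cert:\CurrentUser\My

# --- 1. Role check through Microsoft Graph ---
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Application.Read.All" -NoWelcome
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal for $appId in this tenant" }

# Role assignments reference a role definition ID; resolve each to its display name.
$assigned = foreach ($ra in Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All) {
    (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $ra.RoleDefinitionId).DisplayName
}
$required    = @("Exchange Administrator", "Exchange Recipient Administrator")   # the two roles named in Step 5
$notAssigned = $required | Where-Object { $_ -notin $assigned }
if ($notAssigned) { throw "Role(s) still missing on the application: $($notAssigned -join ', ')" }
"Roles assigned to the app: $($assigned -join ', ')"

# --- 2. App-only sign-in test (certificate only, no client secret) ---
# Succeeds only if the .cer uploaded in Step 3 matches the certificate under this
# thumbprint, Exchange.ManageAsApp was granted in Step 4, and the roles above apply.
Connect-ExchangeOnline -AppId $appId -CertificateThumbprint $thumbprint -Organization $tenant -ShowBanner:$false
try {
    # A harmless read-only call is enough to prove the token and the role work.
    Get-OrganizationConfig | Select-Object Name, Identity
} finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If the role check passes but the sign-in fails, the usual causes are a thumbprint that points at a different certificate than the .cer uploaded to the registration, or a role assignment made only minutes ago that has not propagated yet; retry after a short wait before changing anything.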

You're all set! All you need to do now is provide the Client ID, the Client Secret, the certificate (.pfx) and its password in your connector.
Product:
Cloudiway Cloud Migration Platform for Google Workspace to Microsoft 365
Cloudiway Cloud Migration Platform for Microsoft 365 to Google Workspace