To allow Cloudiway to access your Microsoft 365 tenant and perform migrations (emails, files, Teams), you need to create a Microsoft Entra ID (formerly Azure AD) application with the appropriate permissions. This guide walks you through the configuration step by step.
Who is this guide for?
Prerequisites
Before you begin, make sure you have:
- Global Administrator or Application Administrator rights on the Microsoft 365 tenant
- Access to the Azure Portal
- An active Cloudiway account
Step 1: Access the Azure Portal
- Log in to the Azure Portal with an administrator account
- In the search bar, type "App registrations"
- Click on Microsoft Entra ID > App registrations
Quick shortcut
Step 2: Create the Application
- Click on "+ New registration"
- Fill in the following information:
- Name: Cloudiway Migration (or a descriptive name of your choice)
- Supported account types: Select "Accounts in this organizational directory only (Single tenant)"
- Redirect URI: Leave blank for now
- Click on "Register"
Important
Step 3: Configure API Permissions
The required permissions depend on the type of migration you are performing. Here are the most common configurations:
For Mailbox Migration (Mail)
- In the left menu, click on "API permissions"
- Click on "Add a permission"
- Select "Microsoft Graph"
- Choose "Application permissions"
- Search for and add the following permissions:
- Mail.ReadWrite
- MailboxSettings.ReadWrite
- User.Read.All
- Group.Read.All
For OneDrive/SharePoint Migration (Files)
Also add:
- Files.ReadWrite.All
- Sites.ReadWrite.All
For Teams Migration
Also add:
- Team.ReadBasic.All
- Channel.ReadBasic.All
- ChannelMessage.Read.All
- Chat.Read.All
| Migration Type | Required Permissions |
|---|---|
| Mail | Mail.ReadWrite, MailboxSettings.ReadWrite, User.Read.All |
| OneDrive | Files.ReadWrite.All, Sites.ReadWrite.All, User.Read.All |
| SharePoint | Sites.ReadWrite.All, Sites.FullControl.All |
| Teams | Team.ReadBasic.All, Channel.*, Chat.*, User.Read.All |
Step 4: Generate a Client Secret
- In the left menu, click on "Certificates & secrets"
- In the "Client secrets" section, click on "+ New client secret"
- Add a description: Cloudiway Migration Secret
- Select an expiration period (we recommend 24 months to avoid interruptions)
- Click on "Add"
Attention - Immediate action required
Step 5: Grant Admin Consent
For the application to use the granted permissions:
- Go back to "API permissions"
- Click on "Grant admin consent for [your organization]"
- Confirm by clicking "Yes"
All permissions should now display a green checkmark in the "Status" column.
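To check what Step 5 actually granted (an added example, not Cloudiway or Microsoft code): an app-only access token issued to the application lists its consented application permissions in the `roles` claim, so comparing that claim with the Step 3 lists shows permissions that are missing (the "Insufficient privileges" case) and permissions the project does not need. The function names, the section keys and the sample token are constructed for illustration.

```python
import base64
import json

# Microsoft Graph application permissions from the Step 3 lists above.
# Assumption: one key per Step 3 subsection; pass every subsection you followed.
REQUIRED = {
    "mail": {"Mail.ReadWrite", "MailboxSettings.ReadWrite",
             "User.Read.All", "Group.Read.All"},
    "files": {"Files.ReadWrite.All", "Sites.ReadWrite.All"},
    "teams": {"Team.ReadBasic.All", "Channel.ReadBasic.All",
              "ChannelMessage.Read.All", "Chat.Read.All"},
}

def b64url(data):
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def audit(token, sections):
    """Compare the token's consented roles with what the chosen sections need."""
    # "roles" is absent when no application permission has admin consent.
    roles = set(token_claims(token).get("roles", []))
    needed = set().union(*(REQUIRED[s] for s in sections))
    return {"missing": sorted(needed - roles), "excess": sorted(roles - needed)}

# Constructed sample token (fake signature): two mail permissions consented,
# plus Sites.FullControl.All, which a mail-only project does not need.
SAMPLE = ".".join([
    b64url(b'{"alg":"none","typ":"JWT"}'),
    b64url(json.dumps({"roles": ["Mail.ReadWrite", "User.Read.All",
                                 "Sites.FullControl.All"]}).encode()),
    "constructed-signature",
])

if __name__ == "__main__":
    print(audit(SAMPLE, ["mail"]))
```

Treat the token as a credential while inspecting it: decode it locally rather than pasting it into an online JWT viewer.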
Configuration in Cloudiway
Now that your application is created, configure it in Cloudiway:
- Log in to the Cloudiway Portal
- Navigate to your project and open the Connector Settings
- Enter the following information:
- Tenant ID: The Directory (tenant) ID noted earlier
- Application ID: The Application (client) ID
- Client Secret: The secret generated in Step 4
- Test the connection to validate the configuration
Common Troubleshooting
"Insufficient privileges" Error
This error indicates that:
- Admin consent has not been granted
- Permissions are missing
- The secret has expired
Solution: In "API permissions", check that all permissions have the "Granted" status, and confirm that the secret is still valid.
"AADSTS700016: Application not found" Error
The Application ID is incorrect or the application has been deleted.
Solution: Verify the Application ID in the Azure portal and in the Cloudiway configuration.
"Invalid client secret" Error
The client secret is incorrect or has expired.
Solution: Generate a new secret and update the configuration in Cloudiway.