MFA Compliance During Cloud Migration
Understand Microsoft's mandatory MFA requirements and the specific scenarios where authentication exceptions are technically necessary for migration operations.
Overview
Cloudiway aligns with Microsoft's mandatory multifactor authentication requirements, as detailed in Microsoft's official documentation. The platform implements robust authentication methods that follow Microsoft's guidelines to protect administrative access.
Microsoft MFA Mandate
Microsoft requires MFA for all administrative access to Microsoft 365 tenants. Cloudiway supports modern authentication methods including OAuth 2.0 and app-based authentication to maintain compliance.
MFA Exceptions for Migration Operations
Certain migration scenarios require legacy authentication methods due to technical limitations. In these cases, an MFA exception must be temporarily configured on the source or target system to allow migration operations to complete successfully.
Important Security Note
When MFA exceptions are required, Cloudiway recommends using dedicated migration accounts with limited scope, and re-enabling MFA immediately after migration completes.
Mail Migration Scenarios
The following mail migration operations may require MFA exceptions:
| Operation | Environment | Requirement |
|---|---|---|
| PowerShell Operations | Exchange (no App auth) | MFA disabled |
| Get List / Audit | Source | MFA disabled |
| Migrate Permissions | Source & Target | MFA disabled |
| Pre-processing (Shared Mailboxes) | Target | MFA disabled |
| Pre-processing (Distribution Lists) | Target | MFA disabled |
Modern Authentication Alternative
When Exchange roles support App authentication setup, you can use app-only authentication instead of disabling MFA for PowerShell operations.
File Migration Scenarios
OneDrive Migration
- OneDrive retrieval and pre-processing
- Large file downloads (Basic Auth required)
SharePoint Migration
- Large file transfers (Basic Auth needed)
- Classic webpart migration operations
Collaboration & Chat Migration
Operations Requiring MFA Exceptions
- Messaging Migration (Non-API Mode): Slack, Teams, and Google Space messaging when not using native APIs
- Office 365 User Chat: User chat list retrieval operations
- GALSync Operations: Pull and push synchronization when Exchange lacks App authentication
- Cross-Tenant Scenarios: Mail setup, user provisioning, and group establishment
Security Best Practices
When MFA exceptions are required for migration operations, follow these security best practices:
- Create specific service accounts for migration with only the permissions required.
- As soon as migration completes, restore MFA requirements on all accounts.
- Enable audit logging to track all actions performed by migration accounts.
- Configure Azure App Registration for operations that support modern authentication.
- Plan migrations to minimize the duration that MFA is disabled.
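One way to check the audit-logging and restore-MFA practices above, as an added example that is not Cloudiway's code: it scans sign-in records for single-factor sign-ins by accounts with no registered exception, or outside the approved migration window. The field names follow Microsoft Entra sign-in log exports; the account names, dates, and the exception register are constructed, and the input is assumed to be pre-filtered to administrative and migration accounts.

```python
from datetime import datetime, timezone

# Constructed records shaped like Microsoft Entra sign-in log entries.
SIGN_INS = [
    {"userPrincipalName": "svc-migration@contoso.example",
     "createdDateTime": "2024-05-02T09:15:00Z",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "svc-migration@contoso.example",
     "createdDateTime": "2024-05-04T11:00:00Z",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "Admin@contoso.example",
     "createdDateTime": "2024-05-02T10:00:00Z",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "admin2@contoso.example",
     "createdDateTime": "2024-05-02T10:05:00Z",
     "authenticationRequirement": "multiFactorAuthentication"},
]

# Hypothetical exception register: account -> (start, end) of the approved window.
EXCEPTIONS = {
    "svc-migration@contoso.example": ("2024-05-01T00:00:00Z", "2024-05-03T00:00:00Z"),
}

def parse_utc(ts):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_single_factor(sign_ins, exceptions):
    """Return (upn, timestamp, reason) for each uncovered single-factor sign-in."""
    findings = []
    for rec in sign_ins:
        if rec["authenticationRequirement"] != "singleFactorAuthentication":
            continue  # MFA was enforced for this sign-in
        upn = rec["userPrincipalName"].lower()
        window = exceptions.get(upn)
        if window is None:
            reason = "no-exception"  # account was never granted an MFA exception
        else:
            start, end = (parse_utc(t) for t in window)
            if start <= parse_utc(rec["createdDateTime"]) < end:
                continue  # inside the approved migration window
            reason = "outside-window"  # MFA was not restored after migration
        findings.append((upn, rec["createdDateTime"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit_single_factor(SIGN_INS, EXCEPTIONS):
        print(*finding)
```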
Azure App Registration
Using Azure App Registration with application permissions allows many operations to proceed without requiring MFA exceptions. See our Azure App Registration guide for setup instructions.