Part one of “Notes from the Field” for a home drive to OneDrive for Business migration using Microsoft Migration Manager, covering migration tool considerations, architecture and access requirements.
TOOL SELECTION
Migration Manager comes from the Microsoft purchase of Mover.io in 2019. It is presented as an Enterprise migration tool that puts more structure around the migration process than the more basic SharePoint Migration Tool. However, be prepared for limited configuration and customisation options. As a basic guide consider the following tool choices for file share migration:
- SharePoint Migration Tool : Ad hoc data migrations
- Migration Manager : Large scale migrations using repetitive process
- 3rd Party Tool : When you need a lot of control or have a complex process
WHAT ARE COMPLEX REQUIREMENTS?
Migration Manager focuses on the data migration, but for most companies, this is only part of the story. Consider the following:
- How to move off folder redirection and offline files
- Removing the home drive mapping
- Cleaning-up or restricting access to home drives
A 3rd-party tool could be more suitable if you are looking to automate as much of the process as possible. For example, ShareGate Migration Tool provides a PowerShell interface.
Migration Manager is still attractive as it’s effectively free as part of an enterprise M365 license.
ARCHITECTURE
Migration Manager consists of the following components:
Agents
Migration Manager agents run on-premises and perform the data migration, reading data from home drives and copying it to OneDrive for Business.
The agent can be installed directly on a file server (assuming it is a Windows Server), but the recommended deployment is on a dedicated server.
The agent sends heartbeat information to the SharePoint Online (SPO) Admin Portal and downloads scanning and migration tasks in return.
SharePoint Online Admin Portal
The SPO Admin Portal is used to manage the agents and assign migration tasks to them. The “Migration” blade has tabs for scanning, agents and migrations.
File shares
File shares host the data being migrated. The migration agent service account needs read access to the data and accesses it over SMB.
Proxy server
The migration agent communicates with an SPO Admin portal endpoint and the Azure blob service over HTTPS. If the company does not have ExpressRoute, traffic is likely to go through an enterprise proxy server.
A LOT OF ELEVATED ACCESS
If you work with strict security controls, be prepared for Migration Manager’s privileged access requirements:
Account | Permission | Purpose |
---|---|---|
Cloud service account | SharePoint Administrator | Agent communication with SPO Admin portal |
Cloud service account | OD4B Site Collection Admin | Agent write access to OneDrives |
On-prem service account | Read Access to Home Drives | Agent read access to home drives |
I.T. admin account | SharePoint Administrator | Scheduling scans and migrations in the SPO Admin portal |
Why SharePoint Administrator?
Under the hood, OneDrive for Business is a personal SharePoint site and from an administrative perspective, Microsoft has done very little to separate OneDrive for Business from SharePoint Online.
There is no OneDrive-specific RBAC. To manage OD4B, you need to be a SharePoint Administrator, and Migration Manager is operated through a blade in the SharePoint Online Admin Console. The technicians managing and monitoring the data migrations will need the SharePoint Administrator role and so will the Service Account used by the migration agent.
SharePoint Administrator role is not enough
A SharePoint Administrator cannot copy data to OneDrive by default, but they can grant themselves the additional rights needed.
By default, only the owner (user) has access to OneDrive for Business. One option is to define an OD4B Secondary Admin group at the tenant level, but this will only apply to new OneDrives as they are provisioned.
SPO Admin Portal > Advanced > More Features > Setup My Sites > Secondary Owner
For already provisioned OneDrives, use a script to grant the SiteCollectionAdmin permission on each OneDrive to a group containing the Migration Manager cloud service account.
# Connect to the tenant admin endpoint, e.g. https://<tenant>-admin.sharepoint.com
Connect-SPOService -Url $AdminURL
# Grant Site Collection Admin on one user's OneDrive; repeat for each OneDrive URL
Set-SPOUser -Site $UsersOneDriveURL -LoginName $CloudServiceAccountOrGroup -IsSiteCollectionAdmin $True
NOTE: This command normally expects a user account as the LoginName. If using a group name, it must be in claims-encoded format.
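The following script is an added example, not code from the original post: it applies the Set-SPOUser call above to every already-provisioned OneDrive, using the claims-encoded form for an Entra ID security group, and takes a -Revoke switch so the same elevated right can be removed (and logged) once the migration is complete. The admin URL and group object id are placeholders, and the Get-SPOSite filter assumes OneDrives live under the tenant's -my.sharepoint.com host.

```powershell
# Added example: grant or revoke Site Collection Admin on all provisioned OneDrives
# for a migration group. Requires the SharePoint Online Management Shell module.
param(
    [string]$AdminURL      = "https://contoso-admin.sharepoint.com",      # placeholder tenant admin URL
    [string]$GroupObjectId = "00000000-0000-0000-0000-000000000000",     # placeholder Entra security group id
    [switch]$Revoke                                                      # remove the right after migration
)

# Entra ID security groups must be passed to SPO in claims-encoded form, not by display name.
$LoginName = "c:0t.c|tenant|$GroupObjectId"
$Action    = if ($Revoke) { "Revoked" } else { "Granted" }

Connect-SPOService -Url $AdminURL

# OneDrives are personal sites under the tenant's -my.sharepoint.com host (assumed layout).
$OneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
                         -Filter "Url -like '-my.sharepoint.com/personal/'"

$Results = foreach ($Site in $OneDrives) {
    try {
        # -IsSiteCollectionAdmin $false removes the admin right again after migration.
        Set-SPOUser -Site $Site.Url -LoginName $LoginName `
                    -IsSiteCollectionAdmin (-not $Revoke) -ErrorAction Stop | Out-Null
        [pscustomobject]@{ Url = $Site.Url; Action = $Action; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Site.Url; Action = "Failed"; Error = $_.Exception.Message }
    }
}

# Keep the CSV: it records where elevated access was granted and proves it was removed later.
$Results | Export-Csv -Path ".\OneDrive-SCA-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
$Results | Group-Object Action | Select-Object Name, Count
```

Run it once without -Revoke before the migration and once with -Revoke afterwards, then compare the two CSV files to confirm no OneDrive still carries the migration group as a Site Collection Admin.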
Part two in this series will look at network routing, multi-geo considerations and scheduling issues.
This article was originally posted on Write-Verbose.com