Mailbox migration is a complex process that requires technical skills and knowledge of both the source and the target environment. One of the questions that comes up while planning a migration is which roles and permissions are required to execute it successfully. You could settle the subject by simply stating “get Global Admin if it’s Microsoft 365 (Office 365) and the Organization Management role when on-premises”. However, your company might have a strict policy to follow the principle of least privilege. That’s when knowing the exact required permissions comes in handy.
Source environment roles
You should ensure that your processes are as secure as possible and don’t generate unnecessary risks. That’s why, whenever possible, you shouldn’t use accounts with the highest level of access for migration or any other process. Instead, you would use a dedicated account with the minimal required permissions. The exact permissions required for the source environment depend on the type of source environment and the migration type.
Migrating from on-premises Exchange
If you’re not concerned with the minimal required permissions, a member of the Domain Admins group in the local AD should be able to perform all the migration steps.
If you’re performing a cutover or staged migration, the basic tasks your migration account needs to perform are creating a migration endpoint and migration batches. Either of the permissions below should let you run the process successfully:
- Full Access permission on each mailbox you want to migrate. Additionally, if you are planning a staged Exchange migration, you will also need the Write Property permission.
- Receive As permission on the on-prem mailbox database.
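As an added example (not from the original article), the following Exchange Management Shell script grants a dedicated migration account one of the two permission options above, then verifies what the account actually holds before any batch is created. The account, database and mailbox names are constructed, and the cmdlets are standard on-premises Exchange cmdlets.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell
# on the on-premises source. Account, database and mailbox names are constructed.
$MigrationAccount = "CONTOSO\svc-migration"   # dedicated account, not a Domain Admin
$Database         = "Mailbox Database 01"
$MailboxesToMove  = @("alice@contoso.com", "bob@contoso.com")

# Option A: a single Receive As right on the database covers every mailbox stored in it.
Add-ADPermission -Identity $Database -User $MigrationAccount -ExtendedRights "Receive-As" |
    Out-Null

# Option B: Full Access on each mailbox in scope only. AutoMapping is disabled so that
# every migrated mailbox is not added to the service account's Outlook profile.
foreach ($Mailbox in $MailboxesToMove) {
    Add-MailboxPermission -Identity $Mailbox -User $MigrationAccount `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false | Out-Null
}

# Verify the effective rights before creating the migration endpoint and batches.
Get-ADPermission -Identity $Database -User $MigrationAccount |
    Where-Object { $_.ExtendedRights -like "*Receive-As*" } |
    Select-Object Identity, User, ExtendedRights, Deny

foreach ($Mailbox in $MailboxesToMove) {
    Get-MailboxPermission -Identity $Mailbox -User $MigrationAccount |
        Select-Object Identity, User, AccessRights, Deny
}

# Clean-up once the migration is complete, so the rights do not outlive the project:
# Remove-ADPermission -Identity $Database -User $MigrationAccount -ExtendedRights "Receive-As" -Confirm:$false
# foreach ($Mailbox in $MailboxesToMove) {
#     Remove-MailboxPermission -Identity $Mailbox -User $MigrationAccount `
#         -AccessRights FullAccess -InheritanceType All -Confirm:$false
# }
```

Pick one option for a given migration; the script shows both so the verification output for each can be compared.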
Hybrid Exchange migration is a more complex process. It merges your on-premises and cloud environments and requires tools such as the Hybrid Configuration Wizard and AAD Connect. That’s why it requires a higher permission level, either:
- being a member of the Exchange Recipient Administrators group in the local AD, or
- being a member of the Organization Management or Recipient Management role group if migrating from Exchange 2010 or later.
Migration from IMAP is a whole different story. What you need from your source environment is a CSV file with the username and password of every mailbox. In other words, you could say it’s complete access to the source mailboxes.
PST migration is a manual method usually reserved for the smallest migration projects.
What you need from the source environment is a PST file for each mailbox you want to migrate. You could handle it without any roles or permissions by asking users to generate their own PST files, but in most cases you will want to create the PSTs yourself.
If your source environment is not Exchange Server, the easiest way to get PST files is to open each mailbox in Outlook and use the Outlook Import/Export tool.
For Exchange-based environments, you can generate PST files in bulk using PowerShell. I’ve shown how to do it in this article. The permission required to perform this task is the Mailbox Import Export role, which isn’t assigned to any role group by default.
Tenant to tenant migration
The native cross-tenant mailbox migration process is still in preview and might change. According to Microsoft’s documentation, the management role needed to perform a migration is Move Mailboxes, which can run the New-MigrationBatch cmdlet. As PowerShell is required for this method, you also need to be able to start a remote PowerShell session and connect to Exchange Online.
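The two management roles named above (Mailbox Import Export for bulk PST export, Move Mailboxes for cross-tenant batches) are granted the same way. As an added example (not from the original article), this script checks which of them a migration account is missing and grants only those through a dedicated role group rather than Organization Management. The account and role group names are constructed; it assumes an Exchange Management Shell session on-premises, or an Exchange Online session opened with Connect-ExchangeOnline from the ExchangeOnlineManagement module.

```powershell
# Added example, not from the original article. Account and role group names are constructed.
$MigrationAccount = "svc-migration@contoso.com"
$RoleGroupName    = "Migration Operators"
# Roles named in the article: PST export needs "Mailbox Import Export",
# cross-tenant moves via New-MigrationBatch need "Move Mailboxes".
$RequiredRoles = @("Mailbox Import Export", "Move Mailboxes")

function Get-MissingMigrationRoles {
    param([string]$Account, [string[]]$Roles)
    foreach ($Role in $Roles) {
        # -RoleAssignee returns direct assignments and ones inherited through role groups.
        $assignment = Get-ManagementRoleAssignment -RoleAssignee $Account -Role $Role `
            -ErrorAction SilentlyContinue
        if (-not $assignment) { $Role }
    }
}

$Missing = @(Get-MissingMigrationRoles -Account $MigrationAccount -Roles $RequiredRoles)
if ($Missing.Count -eq 0) {
    Write-Host "Account already holds every required migration role; nothing to grant."
} else {
    # A dedicated role group keeps the grant scoped, reviewable and easy to remove later.
    if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $RoleGroupName -Roles $Missing -Members $MigrationAccount | Out-Null
    } else {
        foreach ($Role in $Missing) {
            New-ManagementRoleAssignment -Role $Role -SecurityGroup $RoleGroupName | Out-Null
        }
        Add-RoleGroupMember -Identity $RoleGroupName -Member $MigrationAccount `
            -ErrorAction SilentlyContinue
    }
}

# Re-check: prints nothing once every required role is in place.
Get-MissingMigrationRoles -Account $MigrationAccount -Roles $RequiredRoles

# After the project, drop the group and its assignments in one step:
# Remove-RoleGroup -Identity $RoleGroupName -Confirm:$false
```

Role assignments take effect in new PowerShell sessions, so reconnect as the migration account before running the export or New-MigrationBatch.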
Target environment roles
To understand which roles and permissions are required for the target Microsoft 365 tenant, let’s first take a look at some of the tasks that need to be done in the target environment.
- Creating and licensing mailboxes.
- Changing your domain’s MX record to point to the target server.
While the first task requires the Global, License or User admin role, the permissions to perform the second one are usually reserved for Global Admin only.
Migration made easy
If you don’t want to create elaborate migration plans and checklists and spend days on research just to start moving to Microsoft 365, there is an alternative path.
CodeTwo Office 365 Migration lets you migrate to Microsoft 365 from any Exchange Server (including a hosted one), another Microsoft 365 tenant, or an IMAP server.
The software allows you to:
- Automatically assign the required permissions to the migration account when migrating from on-premises Exchange.
- Create and automatically match source and target mailboxes.
- Assign Microsoft 365 licenses.
- Apply filters, e.g. to migrate only the latest mailbox items for a quick migration.
- Use the Run delta migration feature to sync remaining changes after the initial migration phase.
- Run the process using an easy UI from start to finish.