Download Buy Now

Manually Register an App in Azure AD for SharePoint / OneDrive / Teams Migration

EdbMails supports Modern Authentication using OAuth 2.0, which requires an application to be registered in Microsoft 365 (Office 365) Azure Active Directory. This app registration enables secure authentication to access SharePoint, OneDrive, and Microsoft Teams data during migration.

EdbMails supports two methods to register the required Azure AD application:

Automatic Registration Method – Requires a Global Administrator account to sign in to Microsoft 365. EdbMails automatically creates and configures the Azure AD app with the required permissions.
Manual Registration Method – Administrators can manually register the Azure AD application and then sign in to Microsoft 365 using an Admin account or any other user account with full access rights, without requiring a Global Administrator account to establish the Office 365 connection in EdbMails.

To complete the manual app registration and authentication process, follow the steps outlined in the sections below.

Prepare CA Certificate or Self-Signed Certificate
A certificate is required to securely authenticate the Azure AD application during the migration process. You can either use a CA-issued certificate or generate a self-signed certificate based on your organization’s security requirements.
Execute the following Windows PowerShell commands by running PowerShell as an Administrator to generate the .cer and .pfx files.
Commands:
Command: Copy & Paste it
$cert = New-SelfSignedCertificate `
-Subject "CN=SPO-Migration-Tool" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyExportPolicy Exportable `
-KeySpec Signature `
-KeyLength 2048 `
-HashAlgorithm SHA256 `
-NotAfter (Get-Date).AddYears(1)
$pwd = ConvertTo-SecureString "password123" -AsPlainText -Force
Export-Certificate `
-Cert $cert `
-FilePath "D:\SPO_App.cer"
Export-PfxCertificate `
-Cert $cert `
-FilePath "D:\SPO_App.pfx" `
-Password $pwd
Note:
- Replace "password123" with a strong password before exporting the PFX file.
- If D: does not exist on your system, change the FilePath
Register App in Azure AD
- Log in to Microsoft Entra Admin Center.
- Navigate to 'Entra ID' from the left-hand menu, select 'App registrations', and then click '+ New registration'.
- Now, enter the name for the application and select 'Accounts in this organizational directory only (EdbMails only – Single tenant)', and then click the ‘Register’ button.
Configure the application permissions
- On the application’s ‘Overview’ page, click ‘View API permissions’ to access and manage the app’s permission settings.
- Click the ‘+ Add a permission’ button on the API permissions page.
- Next, in the Request API permissions window, select ‘Microsoft Graph’ from the Microsoft APIs section.
- Then, choose ‘Application permissions’ from the available options.
- Choose the following permissions from the list and click ‘Add permissions’ to apply them.
  - ChannelMember.Read.All
  - ChannelMessage.Read.All
  - Chat.Read.All
  - Directory.Read.All
  - Files.ReadWrite.All
  - Group.ReadWrite.All
  - Sites.FullControl.All
  - User.Read
  - User.Read.All
  - User.ReadBasic.All
  - User.ReadWrite.All
- Again, click the ‘+ Add a permission’ button.
- Navigate to the ‘APIs my organization uses’ tab, search for ‘Office 365 SharePoint Online’, and select it from the results.
- Then, choose ‘Application permissions’ from the available options.
- Choose the following permissions from the list and click ‘Add permissions’ to apply them.
  - Sites.FullControl.All
  - TermStore.ReadWrite.All
- On the API permissions page, click ‘Grant admin consent’.
- Click ‘Yes’ to confirm the admin consent.
- The selected permissions are granted with admin consent
Upload certificate
Follow the steps below to upload the certificate that is generated using PowerShell commands:
- Navigate to ‘Certificates & secrets’ and click the ‘Certificates’ tab.
- Click on ‘Upload certificate’.
- Browse and select the .cer file, enter the description for the certificate, and then click the ‘Add’ button.
  
  Note: The certificate is uploaded with a default validity of one year. After it expires, a new certificate must be uploaded.
- Navigate to the 'Overview' section and note the 'Application (Client) ID' and 'Directory (Tenant) ID'. These details need to be then pasted in the EdbMails application later.
Permissions for target SharePoint Server
Note:
- Repeat the same steps for the target server except the permissions. Target Permissions are mentioned below.
- You can use the same .cer file to upload the certificate in the Target environment.
- Navigate to ‘Microsoft Graph’ and choose the permissions
  - Channel.Create
  - Channel.ReadBasic.All
  - ChannelMember.ReadWrite.All
  - ChannelMessage.Read.All
  - Chat.Read.All
  - Directory.Read.All
  - Files.ReadWrite.All
  - Group.ReadWrite.All
  - Sites.FullControl.All
  - TeamMember.Read.All
  - User.Read
  - User.Read.All
  - User.ReadBasic.All
  - User.ReadWrite.All
  - The permissions that need to be selected under ‘Office 365 SharePoint Online’ are:
    Sites.FullControl.All
    TermStore.ReadWrite.All
  - Once the permissions are assigned, grant admin consent. Next, navigate to the ‘Overview’ section, copy the ‘Application (client) ID’ and ‘Directory (tenant) ID’, and use them for the target connection in the EdbMails application.
Connect to SharePoint Server in EdbMails
- Select the option 'Manual Registration' and click the 'Next' button.
- Enter the ‘Application (Client) ID’, ‘Directory (Tenant) ID’, and then click the ‘Import’ button.
  Note: Ensure the certificate is installed in the correct certificate store before entering the thumbprint; otherwise, import it using the ‘Import’ button.
- Browse the PFX file, enter the ‘Password’ (the password you set when exporting the PFX file using PowerShell Commands), and then click the ‘Continue’ button.
  
  Note: You can also directly copy the value for certificate thumbprint from the ‘Entra admin center’ under the ‘Certificates & secrets’ section.
- Click the ‘Login’ button to continue.
  
  Note: If you choose to use the manual registration method for both the source and target servers, register the application separately for each server by following the steps outlined above.