Create a SharePoint‐Only application and use it instead of browser‐based authentication

Denis Molodtsov edited this page Nov 9, 2023 · 3 revisions

For simplicity, we authenticate against websites through the browser by default. You can instead try authenticating with a SharePoint-only app. You have to be a SharePoint Online tenant admin to make it work. You may choose to use this approach only on the tenant that fails with the 401 or 403 error during the migration, but there is nothing wrong with using two separate SharePoint apps if you want to. The topic may sound complicated if you have never worked with SharePoint apps (app-only authentication), but if you read and follow these steps, you can make it work:

Related materials about SharePoint-only authentication:

Register an app

  • Click the Generate button next to the Client ID textbox

  • Click the Generate button next to the Client Secret textbox

  • App domain: you can specify anything; the value has no effect. For example, www.sample.com

  • Redirect URI: you can specify anything; the value has no effect. For example, http://deployment

  • Get the Client ID and Client Secret (on the next screen). Store them in a safe place.

  • Grant tenant-wide permissions (see the full list of permissions). To do this, open https://TENANT-admin.sharepoint.com/_layouts/15/appinv.aspx

  • Paste your App ID and click Lookup.

  • Paste this XML into the App's Permission Request XML field:

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
  • Click Create

  • When asked, click "Trust It."

If you are migrating between two different SharePoint tenants, you can repeat the same steps above for the second SharePoint Online tenant.

If you managed to connect to the SharePoint site(s) using PowerShell and the SharePoint-Only App Id (Client Id) and App Secret (Client Secret), then you can apply this approach in the Migrator:

Open the config\migrator-config.json file. Fill out the following properties:

{
    "source-site-url": "",
    "target-site-url": "",
    "source-site-app-id":"",
    "source-site-app-secret":"",
    "target-site-app-id":"",
    "target-site-app-secret":""
}

Example of the populated config file:

{
    "source-site-url": "https://contoso.sharepoint.com/sites/Modern-Communication",
    "target-site-url": "https://contoso.sharepoint.com",
    "source-site-app-id":"0789bce3-cd45-4668-a20e-91e730c70861",
    "source-site-app-secret":"xRYj4s+2zBosk04X+AS+SQGKha/2BS4iek0mfd2PHsg=",
    "target-site-app-id":"0789bce3-cd45-4668-a20e-91e730c70861",
    "target-site-app-secret":"xRYj4s+2zBosk04X+AS+SQGKha/2BS4iek0mfd2PHsg="
}
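
One way to run the PowerShell connection check mentioned above directly against the values in config\migrator-config.json, so a bad app id, an empty secret or a missing permission grant shows up before a migration run. This is an added example, not part of the Migrator or the original page; it assumes the PnP.PowerShell module is installed and that the script is started from the Migrator folder, and `Test-AppOnlyConnection` is a hypothetical helper name.

```powershell
# Added example: verify the SharePoint-only app credentials stored in migrator-config.json.
# Assumption: the PnP.PowerShell module is installed; the config path matches the page.
#Requires -Modules PnP.PowerShell
param([string]$ConfigPath = 'config\migrator-config.json')

$config = Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json

function Test-AppOnlyConnection {   # hypothetical helper, not a Migrator function
    param(
        [Parameter(Mandatory)][ValidateSet('source', 'target')][string]$Label,
        [Parameter(Mandatory)]$Config
    )
    # Property names follow the config keys shown above, e.g. "source-site-app-id".
    $url    = $Config."$Label-site-url"
    $appId  = $Config."$Label-site-app-id"
    $secret = $Config."$Label-site-app-secret"

    # Catch empty or malformed values before any network call is made.
    $parsedId = [guid]::Empty
    if ($url -notmatch '^https://')                    { return "${Label}: site URL is missing or not https" }
    if (-not [guid]::TryParse($appId, [ref]$parsedId)) { return "${Label}: app id is not a GUID" }
    if ([string]::IsNullOrWhiteSpace($secret))         { return "${Label}: app secret is empty" }

    try {
        # -ClientId with -ClientSecret selects app-only authentication; no browser prompt.
        $conn = Connect-PnPOnline -Url $url -ClientId $appId -ClientSecret $secret `
                    -ReturnConnection -ErrorAction Stop
        # Reading the web proves the token is accepted and the app has rights on the site.
        $web = Get-PnPWeb -Connection $conn -ErrorAction Stop
        return "${Label}: OK, connected to '$($web.Title)' as app $appId"
    }
    catch {
        # A 401 or 403 here usually points back at the appinv.aspx grant or the "Trust It" step.
        return "${Label}: FAILED, $($_.Exception.Message)"
    }
}

# Only the outcome is written out; the client secret is never echoed.
'source', 'target' | ForEach-Object { Test-AppOnlyConnection -Label $_ -Config $config }
```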