How to deal with the "Make sure you have FULL CONTROL at the source site" Issue
You might encounter the "Make sure you have FULL CONTROL at the source site" or other nonsense errors. Sometimes it has nothing to do with the lack of permissions. It could be MFA, Internet Explorer browser cache, some security policy, or any number of things. I will add several options you can try to resolve or troubleshoot it a little further.
Try setting the CLEAR_CREDENTIALS_CACHE flag to True while running the migrator.
Migrator is using the legacy version of the PnP PowerShell Module. Let's try to install it and connect to your site.
Open PowerShell and run this command:
Install-Module SharePointPnPPowerShellOnline -Scope CurrentUser
Test Connection to SharePoint Online
Connect-PnPOnline -Url <Your SharePoint site> -UseWebLogin -WarningAction Ignore
Get-PnPList -Includes Views, Fields, DefaultView
Things to look out for:
- Do you have a pop-up window that briefly opens and immediately closes?
- Does it throw a 401 or 403 error?
- Can you get past MFA to log in?
- Can you try other accounts?
- Can you connect to a few other SharePoint sites?
- Can you connect to a completely different tenant?
For simplicity, by default, we are using the browser for authenticating against websites. But you can try authenticating with a SharePoint-only app. You have to be a SharePoint Online Tenant admin to make it work. You can only use it on the tenant that doesn't let you log in. But if you want to - there is nothing wrong with using two separate SharePoint Apps. The topic may sound complicated if you never worked with SharePoint Apps (App-only authentication). But if you read and follow these steps, you can make it work:
- Related Microsoft article: Granting access using SharePoint App-Only
- Related Video: Tenant level App-Only rights in SharePoint Online
- Create a new App Principal by opening this URL: https://TENANT.sharepoint.com/_layouts/15/appregnew.aspx
-
Click Generate button against the Client ID textbox
-
Click Generate button against the Client Secret textbox
-
App domain: you can specify anything. It does not affect anything. You can specify www.sample.com
-
Redirect URI: you can specify anything. It does not affect anything. You can specify http://deployment
-
Get Client ID and Client Secret (on the next screen). Store them in a safe place
-
Grant tenant-wide permissions. See full list of permissions. To do it open this URL https://TENANT-admin.sharepoint.com/_layouts/15/appinv.aspx
-
Paste your App ID and click Lookup.
-
Paste this XML to the App's Permission request XML
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
- Click Create
- When asked, click "Trust It."
If you are migrating between two different SharePoint tenants, you can repeat the same steps above for the second SharePoint Online tenant.
If you managed to connect to the SharePoint site(s) using PowerShell and the SharePoint-Only App Id (Client Id) and App Secret (Client Secret), then you can apply this approach in the Migrator:
Open the config\migrator-config.json file. Fill out the following properties:
{
"source-site-url": "",
"target-site-url": "",
"source-site-app-id":"",
"source-site-app-secret":"",
"target-site-app-id":"",
"target-site-app-secret":""
}
Example of the populated config file:
{
"source-site-url": "https://contoso.sharepoint.com/sites/Modern-Communication",
"target-site-url": "https://contoso.sharepoint.com",
"source-site-app-id":"0789bce3-cd45-4668-a20e-91e730c70861",
"source-site-app-secret":"xRYj4s+2zBosk04X+AS+SQGKha/2BS4iek0mfd2PHsg=",
"target-site-app-id":"0789bce3-cd45-4668-a20e-91e730c70861",
"target-site-app-secret":"xRYj4s+2zBosk04X+AS+SQGKha/2BS4iek0mfd2PHsg="
}
- Try opening Internet Explorer. Open the site that gives you access denied error. Then re-run the Migrator. Of course, in 2023, there is almost 100% chance that your IE Browser is already gone.