Gone are the days of having complete access to a tenant through a global administrator account for migration. As organizations become more security conscious, security and compliance are a growing factor, even for migration projects. Traditionally, migration tools required full access to every SharePoint site and Exchange mailbox in a tenant through permissions such as Sites.FullControl.All, full_access_as_app and other “write” permissions, even in the source environment, despite not making any changes to source content. While convenient, granting such elevated permissions to a tenant also introduces potential security risks.
To solve this, Microsoft created permission models that provide more flexibility in how you control the access of Microsoft Graph applications when working with resources in SharePoint and Exchange Online. Microsoft introduced Sites.Selected for scoping SharePoint sites and introduced RBAC for Applications for scoping Exchange mailboxes. Now, Quest On Demand Migration fully supports migrations using these permissions, allowing organizations a more secure and compliant way to handle their migrations.
What is Sites.Selected?
Sites.Selected is an application permission in Microsoft Graph that enables administrators to grant access only to specific SharePoint sites. Unlike Sites.FullControl.All, which allows an application to interact with all sites within the tenant, Sites.Selected follows the principle of least privilege, ensuring only the sites relevant to a migration project are accessible.
What is RBAC for Applications?
RBAC for Applications in Exchange Online enables administrators to grant access only to specific mailboxes within the tenant using a resource scope and allows administrators to create specific role assignments that limit the permissions of an application. RBAC for Applications follows the principle of least privilege and replaces Application Access Policies for ensuring only the mailboxes relevant to a migration project are accessible.
Why use Sites.Selected and RBAC for Applications?
Using scoped permissions such as Sites.Selected and RBAC for Applications when migrating content with a third-party application between Microsoft 365 tenants offers many advantages:
- Stronger security
- Minimal access, maximum protection: Grants access only to approved SharePoint sites and Exchange mailboxes, lowering security risks such as unauthorized data access
- No blanket tenant-wide permissions: These controls do not automatically grant control over all sites and mailboxes
- Better compliance & governance
- Helps meet security policies and regulatory standards by limiting access scope
- Reduces the risk of accidental data exposure during migration, ensuring compliance with internal and external regulations
- More granular control
- Administrators can assign access only to the required sites and mailboxes, ensuring better control over permissions
- Improves visibility and oversight during migrations
- Easier auditing & access management
- Makes it simpler to track and log migration activity on a tenant level
- Ensures quick removal of permissions once migration is complete, preventing lingering broad permissions that could pose a security risk post-migration
- Aligns with Microsoft’s zero trust security model
- Supports a just-in-time, just-enough-access approach
- Enables secure third-party integrations without unnecessary exposure
Quest On Demand now supports Sites.Selected and RBAC for Applications for migrations
We are excited to announce that Quest On Demand Migration now fully supports Sites.Selected and RBAC for Applications. Organizations can migrate data while keeping security tight and permissions under more control than ever before.
What this means for you
- No need for full tenant-wide access: Migrate without over-permissioning
- Simple setup: Configure Sites.Selected and RBAC for Applications easily with PowerShell
- More secure migrations: Only the necessary SharePoint sites and Exchange mailboxes are accessible
- Easy cleanup: Revoke access once the migration is complete
How to set up Sites.Selected for SharePoint and Teams migrations
Getting started with Sites.Selected in Quest On Demand is straightforward:
- Register the Quest On Demand Migration application in Microsoft Entra (formerly Azure AD) by granting consent through the On Demand Portal
- Revoke default permissions of the application in Microsoft Entra and assign the Sites.Selected permission via PowerShell*
- Grant access to specific SharePoint sites using Graph Explorer*
- Start your migration in Quest On Demand with precise access control
- Remove access after migration for better security
*Further details, including the PowerShell and Graph Explorer scripts for steps 2 & 3, can be found in our knowledge-base article on Quest.com.
How to set up RBAC for Applications for mailbox migrations
Getting started with RBAC for Applications in Quest On Demand is straightforward:
- Register the Quest On Demand Migration application in Microsoft Entra (formerly Azure AD) by granting consent through the On Demand Portal, which does not include any Exchange permissions
- Create a service principal in Exchange Online for the On Demand Migration application via PowerShell*
- Create a management scope in Exchange Online that is filtered to specific mailboxes via PowerShell*
- Create management role assignments that connect the service principal to the management scope and assign minimal permissions via PowerShell*
- Start your migration in Quest On Demand with precise access control
- Remove access after migration for better security
*Further details, including the PowerShell scripts for steps 2-4, can be found in our knowledge-base article on Quest.com.
Conclusion
With Sites.Selected and RBAC for Applications, organizations can now migrate SharePoint, Teams and Exchange Online data with Quest On Demand while ensuring top-tier security and compliance. These permissions eliminate the risks of granting full access to tenant resources, making migrations safer, smarter and more controlled.
Ready to take your Microsoft 365 migration security to the next level? Try Quest On Demand today and leverage the benefits of Sites.Selected and RBAC for Applications!
For more details, check out our documentation or reach out to our support team.
