Office 365 Migration Using App-Only Authentication
App-only authentication is the recommended authentication method for connecting applications to Microsoft 365 without relying on administrator usernames and passwords. Instead, it uses OAuth 2.0 and Microsoft Entra ID to establish a secure, token-based connection between the application and Microsoft 365 services. This authentication model is designed for applications that perform administrative operations, automation, and migration tasks without requiring an interactive user sign-in.
As Microsoft has retired Basic Authentication for Exchange Online, organizations must use Modern Authentication to securely access Microsoft 365 workloads. App-only authentication supports this requirement while helping organizations strengthen security through features such as Multifactor Authentication (MFA), Conditional Access, and least privilege access.EdbMails supports App-only authentication for Microsoft 365 migration. Depending on your organization's requirements, you can either allow EdbMails to automatically register the required Microsoft Entra ID application or use an application that has already been registered and configured in your tenant. Both options use Microsoft's authentication framework to establish secure connections with Exchange Online and other supported Microsoft 365 services.
EdbMails supports App-only authentication for Microsoft 365 migration. Depending on your organization's requirements, you can either allow EdbMails to automatically register the required Microsoft Entra ID application or use an application that has already been registered and configured in your tenant. Both options use Microsoft's authentication framework to establish secure connections with Exchange Online and other supported Microsoft 365 services.
What is App-only Authentication?
App-only authentication is an OAuth 2.0 authentication flow that allows an application to authenticate as its own identity instead of acting on behalf of a signed-in user. Unlike delegated authentication, where permissions are based on the signed-in user's privileges, App-only authentication uses application permissions that are granted by a Microsoft 365 administrator through Microsoft Entra ID.
When an application is registered in Microsoft Entra ID, it receives a unique Application (Client) ID. A corresponding service principal is also created within the tenant to represent the application and manage the permissions assigned to it. During authentication, Microsoft Entra ID validates the application's identity and issues a time-limited OAuth access token. Microsoft 365 services verify this token before allowing access to protected resources. Depending on the migration scenario, the application may be granted Microsoft Graph permissions to access directory information and mailbox resources, Exchange Online permissions to perform migration-related operations, or both. The permissions assigned to the application determine which Microsoft 365 resources it can access.
Because authentication is based on the application's identity rather than an administrator's credentials, App-only authentication is well suited for long-running and unattended migration jobs where secure, uninterrupted access to Microsoft 365 is required.
App Registration Options in EdbMails
Before EdbMails can authenticate with Microsoft 365 using App-only authentication, a Microsoft Entra ID application must be available. To accommodate different administrative and security requirements, EdbMails provides two ways to configure the required application.
Automatic App Registration
Automatic App Registration simplifies the authentication process by creating and configuring the required Microsoft Entra ID application during setup. After a Microsoft 365 Global Administrator signs in and grants the requested permissions, EdbMails completes the application registration automatically. This option reduces manual configuration, minimizes the possibility of setup errors, and is recommended for organizations that want to deploy Microsoft 365 migrations quickly without manually configuring application permissions.
Manual App Registration
Some organizations prefer to manage Microsoft Entra ID applications according to their internal security and governance policies. In these environments, administrators can create the application manually, assign the required Microsoft Graph and Exchange Online application permissions, grant administrator consent, and then use the application's details when configuring EdbMails. Manual App Registration gives administrators complete control over application ownership, permission management, auditing, and lifecycle management while allowing EdbMails to authenticate securely with Microsoft 365 using the organization's existing application.
Benefits of App-only Authentication
App-only authentication provides a secure and efficient way to connect EdbMails to Microsoft 365 while complying with Microsoft's Modern Authentication requirements.
- Eliminates the need to store administrator usernames and passwords within the migration application.
- Supports organizations that enforce Multifactor Authentication (MFA) for administrator accounts.
- Uses short-lived OAuth access tokens instead of long-term credentials, reducing security risks.
- Enables unattended and scheduled migration jobs without requiring administrators to remain signed in.
- Allows administrators to grant only the permissions required for the migration by following the principle of least privilege.
- Centralizes application permissions and administrator consent within Microsoft Entra ID, simplifying security reviews and auditing.
- Provides a scalable authentication method for large mailbox, shared mailbox, public folder, and tenant-to-tenant migration projects.
App-Only Authentication vs. Delegated Authentication
| Feature | App-only authentication | Delegated authentication |
| Authentication identity | Application | Signed-in user |
| User sign-in required | No | Yes |
| MFA dependency | Not required after configuration | Depends on user sign-in |
| Permissions | Application permissions | Delegated user permissions |
| Credentials | OAuth application identity | User credentials |
| Best suited for | Automated migrations and administration | Interactive administrative tasks |
| Scheduled migrations | Supported | May require user authentication |
| Security | Does not depend on stored administrator passwords | Depends on protecting user credentials |
How App-only Authentication Works
After the application has been registered and the required permissions have been granted, EdbMails authenticates with Microsoft 365 by using the OAuth 2.0 client credentials flow. Microsoft Entra ID verifies the application's identity, issues an access token, and authorizes access to Microsoft 365 resources based on the permissions assigned to the application. The following steps describe how the authentication process works during a migration.
Step 1: Grant Administrator Consent
Before EdbMails can access Microsoft 365 resources, a Microsoft 365 Global Administrator must review and approve the permissions requested by the application. Administrator consent authorizes the application to access the approved Microsoft Graph and Exchange Online resources within the tenant.
Step 2: Validate the Application
When EdbMails initiates a connection, Microsoft Entra ID validates the application's identity and confirms that the required application permissions have been granted. If the validation is successful, Microsoft Entra ID proceeds with the authentication process.
Step 3: Generate an OAuth Access Token
After successful validation, Microsoft Entra ID issues a time-limited OAuth 2.0 access token. This token represents the application's identity and includes the application permissions that have been approved by the administrator. Since OAuth access tokens expire after a predefined period, Microsoft Entra ID automatically issues new tokens whenever required during long-running migration jobs. This allows EdbMails to continue the migration without requiring repeated administrator sign-ins.
Step 4: Authorize Requests to Microsoft 365
EdbMails includes the OAuth access token in requests sent to Microsoft Graph and Exchange Online. Each service validates the token by checking its signature, expiration time, and assigned permissions before processing the request. If the token is valid and the application has the necessary permissions, Microsoft 365 authorizes the requested operation.
Step 5: Perform Migration Operations
Once authentication is complete, EdbMails can securely perform supported migration tasks such as discovering mailboxes, validating mailbox access, reading mailbox data, creating destination mailboxes where applicable, and migrating mailbox content between Microsoft 365 environments.
Prerequisites for App-Only Authentication
Before configuring App-only authentication in EdbMails, verify that your Microsoft 365 environment meets the following requirements.
- An active Microsoft 365 tenant.
- A Microsoft Entra ID application configured through either Automatic App Registration or Manual App Registration.
- A Microsoft 365 Global Administrator account to grant administrator consent.
- The required Microsoft Graph and Exchange Online application permissions are assigned to the application.
- Administrator consent granted for all required application permissions.
- Internet connectivity to Microsoft Entra ID, Microsoft Graph, and Exchange Online services.
- Appropriate Exchange Online administrative roles for the migration scenario, where applicable.
Before starting the migration, validate the Microsoft 365 connection in EdbMails and confirm that the application has the required permissions to access the source and destination environments.
Common Migration Scenarios in App-Only Authentication
App-only authentication is suitable for migration projects that require secure, uninterrupted access to Microsoft 365. EdbMails uses Modern Authentication to establish secure connections with Exchange Online for supported migration operations, making it a reliable choice for enterprise and unattended migrations.
Exchange Online Mailbox Migration
App-only authentication enables EdbMails to securely connect to Exchange Online and migrate user mailboxes without repeatedly prompting administrators to sign in. Once authenticated, the application can perform supported mailbox migration tasks based on the permissions granted in Microsoft Entra ID.
Tenant-to-Tenant Migration
During Microsoft 365 tenant-to-tenant migrations, EdbMails can securely connect to both the source and destination tenants using App-only authentication. This allows administrators to migrate mailbox data while maintaining separate authentication and permission boundaries for each tenant.
Shared Mailbox Migration
Shared mailboxes do not require separate user credentials for migration. With the appropriate application permissions, EdbMails can discover and migrate supported shared mailboxes while maintaining secure access through Microsoft Entra ID.
Public Folder Migration
Public folder migrations often involve large datasets and extended migration windows. App-only authentication allows EdbMails to maintain authenticated sessions using OAuth access tokens, reducing the likelihood of interruptions caused by password changes or expired user sessions.
Scheduled Migration Jobs
Many organizations schedule migrations outside business hours to minimize user disruption. App-only authentication enables EdbMails to run unattended migration jobs without requiring administrators to remain signed in throughout the migration.
Common Issues and Troubleshooting
The following issues may prevent App-only authentication from connecting to Microsoft 365 successfully. Verifying the application configuration and assigned permissions usually resolves most authentication-related problems.
Insufficient Application Permissions
Cause
The application does not have the required Microsoft Graph or Exchange Online application permissions for the selected migration.
Solution
Review the API permissions assigned to the application in Microsoft Entra ID and ensure that all required application permissions have been added. If new permissions are assigned, grant administrator consent before reconnecting EdbMails.
Administrator Consent Not Granted
Cause
The required API permissions have been configured, but administrator consent has not been granted for the tenant.
Solution
Sign in with a Microsoft 365 Global Administrator account and grant administrator consent for all required application permissions. After consent is completed, reconnect to Microsoft 365 from EdbMails.
Authentication Fails
Cause
The Microsoft Entra ID application, tenant information, or application configuration is incorrect.
Solution
Verify the Tenant ID, Application (Client) ID, and application configuration. Confirm that the application exists in Microsoft Entra ID and validate the Microsoft 365 connection again from EdbMails.
Exchange Online Permission Errors
Cause
The application does not have the required Exchange Online application permissions or the necessary administrative role assignments.
Solution
Confirm that the required Exchange Online application permissions have been assigned and verify that the application has the permissions necessary to perform the selected migration operation.
Microsoft Graph Permission Errors
Cause
The application attempts to access Microsoft Graph resources without the required application permissions.
Solution
Review the Microsoft Graph API permissions assigned to the application, grant administrator consent if required, and reconnect before starting the migration.
Unable to Discover Mailboxes
Cause
Authentication succeeds, but the application lacks sufficient permissions to enumerate mailboxes.
Solution
Verify that the assigned Microsoft Graph and Exchange Online permissions match the migration requirements and ensure that administrator consent has been successfully granted.
Best Practices
Follow these recommendations to improve security and ensure successful Microsoft 365 migrations using App-only authentication.
- Use App-only authentication instead of legacy authentication methods for Microsoft 365 migrations.
- Grant only the application permissions required for the migration by following the principle of least privilege.
- Review application permissions periodically and remove permissions that are no longer required.
- Validate the Microsoft 365 connection in EdbMails before loading mailboxes or starting a migration.
- Perform a pilot migration with a small number of mailboxes before migrating production data.
- Monitor Microsoft Entra ID sign-in logs and audit logs to identify authentication failures or permission-related issues.
- Remove unused Microsoft Entra ID applications after the migration if they are no longer required.
- Review your organization's authentication and security policies regularly to ensure continued compliance with Microsoft recommendations.
Conclusion
App-only authentication is the recommended approach for connecting migration applications to Microsoft 365 because it provides secure, OAuth 2.0-based authentication without relying on administrator passwords. By using application permissions managed through Microsoft Entra ID, organizations can perform migrations while supporting Modern Authentication, Multifactor Authentication (MFA), and least privilege access.
EdbMails supports App-only authentication for Microsoft 365 migration, allowing administrators to authenticate using either automatic or manually managed Microsoft Entra ID applications. After the required permissions and administrator consent have been configured, EdbMails can securely connect to Exchange Online and perform supported migration operations with minimal administrative intervention.




