
Set up an Azure App Registration

Create and configure the Azure App Registration that TheMigrator uses to access your M365 tenant data.

Beginner · 20–30 minutes · 6 steps

Prerequisites

  • Global Admin access on the M365 tenant
  • Access to portal.azure.com

1. Create the app registration

Action

Navigate to Azure Active Directory → App registrations → New registration.

  • Name: use something descriptive, e.g. "TheMigrator – Source" or "TheMigrator – Destination".
  • Supported account types: Accounts in this organizational directory only.
  • Redirect URI: leave blank. Click Register.
  • Copy the Application (client) ID and Directory (tenant) ID from the overview page.

2. Create a client secret

Action

In the app registration, go to Certificates & secrets → Client secrets → New client secret. Set an expiry and click Add. Copy the Value immediately — it will not be shown again after you navigate away.

  • Recommended expiry: 24 months.
  • Store the secret value in a password manager immediately.

3. Add API permissions

Action

Go to API permissions → Add a permission → Microsoft Graph → Application permissions. Add the permissions for every workload you intend to migrate.

  • Email: Mail.ReadWrite, Calendars.ReadWrite, Contacts.ReadWrite, User.Read.All, Organization.Read.All
  • SharePoint: Sites.FullControl.All, User.Read.All, Organization.Read.All
  • OneDrive: Files.ReadWrite.All, User.Read.All, Organization.Read.All
  • Teams Channels: TeamSettings.ReadWrite.All, ChannelMessage.Read.All, User.Read.All, Organization.Read.All
  • Teams Chat (optional): add Chat.Read.All if you want to migrate private and group chat history

4. Grant admin consent

Action

On the API permissions page, click "Grant admin consent for [your tenant]". This requires a Global Admin. Every permission should show a green tick with "Granted for [tenant]" status after clicking.

  • If the button is greyed out, you are not signed in as a Global Admin.
  • All permissions must show green ticks — any red or pending status means the migration will get 403 Forbidden errors.

5. Connect in TheMigrator

Action

In TheMigrator → Tenants → Connect tenant, choose "Use your own Azure App Registration". Enter the tenant domain, Client ID, and Client Secret from the steps above. Click Validate & Connect.

6. Verify the connection

Verify

After connecting, TheMigrator will discover the tenant's users and sites. Confirm the mailbox count and site count are correct. If discovery shows 0 users, the permissions are missing or admin consent was not granted.
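
To check that steps 3 and 4 took effect, the following added example (not TheMigrator's code) decodes the `roles` claim of an app-only Microsoft Graph access token and compares it with the step 3 permission list. It assumes you have already obtained such a token for this app registration; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Application permissions per workload, copied from step 3 of this guide.
REQUIRED = {
    "Email": {"Mail.ReadWrite", "Calendars.ReadWrite", "Contacts.ReadWrite",
              "User.Read.All", "Organization.Read.All"},
    "SharePoint": {"Sites.FullControl.All", "User.Read.All", "Organization.Read.All"},
    "OneDrive": {"Files.ReadWrite.All", "User.Read.All", "Organization.Read.All"},
    "Teams Channels": {"TeamSettings.ReadWrite.All", "ChannelMessage.Read.All",
                       "User.Read.All", "Organization.Read.All"},
    "Teams Chat": {"Chat.Read.All"},
}


def token_roles(access_token):
    """Return the application permissions in an app-only token's `roles` claim.

    Diagnostic decode only: the signature is NOT verified, so never use this
    to make an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))  # no roles claim: no application permissions


def audit(access_token, workloads):
    """Compare granted permissions with what the chosen workloads need."""
    granted = token_roles(access_token)
    needed = set().union(*(REQUIRED[w] for w in workloads))
    return {"missing": sorted(needed - granted),    # would surface as 403 Forbidden
            "unneeded": sorted(granted - needed)}   # candidates for removal


def constructed_token(roles):
    """Build an unsigned sample token (constructed data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"roles": roles}), "sig"])


SAMPLE = constructed_token(["Mail.ReadWrite", "Calendars.ReadWrite", "User.Read.All",
                            "Organization.Read.All", "Sites.FullControl.All"])

if __name__ == "__main__":
    print(audit(SAMPLE, ["Email"]))
```

`missing` entries correspond to the 403 Forbidden errors described in step 4; `unneeded` entries are permissions granted beyond the workloads you selected.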
