Using MFA for the migration service account is getting pretty common nowadays. But how do you work with MFA if you need to process multiple migrations, e.g. to OneDrive, without reauthenticating for each new drive? This post outlines the approach and explains a gotcha to watch for if you want to avoid reauthentication.

Setting the scene

Imagine you need to migrate the personal files and folders from on-premises network shares to OneDrive for Business sites. And the tenant is configured to use Multi-Factor Authentication (MFA). A pretty common scenario.

If you choose ShareGate as the preferred migration tool, MFA is actually supported, both via the application UI and through PowerShell, which is where I feel most comfortable.

With PowerShell you would connect to a site using the following ‘Connect-Site’ cmdlet and parameters:

Connect-Site -Url 'https://contoso.sharepoint.com/sites/mysitecollection' -Browser 

You could also consider adding the ‘DisableSSO’ parameter if you need to log in with a different account.

Bulk connections

Migrations often require multiple jobs to be processed in an automated way. With MFA, you could in theory expect a new authentication challenge for each new connection. However, you can connect to SharePoint Online once and re-use that connection for the bulk connections.

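# Placeholder site names; replace with the sites you are migrating
$sites = @('site1', 'site2')

# Authenticate once, interactively (MFA), against the web application
$connection = Connect-Site -Url "https://contoso.sharepoint.com/sites/somesite" `
    -Browser `
    -DisableSSO

foreach ($site in $sites) {

    # Re-use the credentials from the initial connection instead of prompting again
    Connect-Site -Url "https://contoso.sharepoint.com/sites/$site" `
        -UseCredentialsFrom $connection

}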

There’s one catch to consider for this approach. The web application (e.g. https://contoso.sharepoint.com or https://contoso-my.sharepoint.com) needs to be the same for both the initial MFA connection and the connections re-using that same connection.
So if you want to set this up for migrating OneDrives, create the initial connection to https://contoso-my.sharepoint.com and then re-use it for https://contoso-my.sharepoint.com/personal/{OneDrive1…n}. If you create the initial connection to https://contoso.sharepoint.com and then connect to each OneDrive, it will challenge for credentials again.
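
To apply the catch above to a mixed list of destinations, the following added example (not part of the original post and not ShareGate's own code) groups the target URLs by web application, signs in once per web application, and re-uses that connection for every URL in the group. The target URLs, the Group-ByWebApplication helper and the variable names are assumptions made for illustration; only Connect-Site and its parameters come from the post.

```powershell
Import-Module Sharegate

# Constructed sample destinations: two OneDrives and one SharePoint site
$targets = @(
    'https://contoso-my.sharepoint.com/personal/user1_contoso_com',
    'https://contoso-my.sharepoint.com/personal/user2_contoso_com',
    'https://contoso.sharepoint.com/sites/hr'
)

# Hypothetical helper: map each web application root (scheme + host)
# to the destination URLs that live under it, preserving input order.
function Group-ByWebApplication {
    param([Parameter(Mandatory)] [string[]] $Urls)

    $groups = [ordered]@{}
    foreach ($u in $Urls) {
        $uri = [uri]$u
        if (-not $uri.IsAbsoluteUri) { throw "Not an absolute URL: $u" }

        # e.g. https://contoso-my.sharepoint.com
        $root = $uri.GetLeftPart([System.UriPartial]::Authority)
        if (-not $groups.Contains($root)) {
            $groups[$root] = [System.Collections.Generic.List[string]]::new()
        }
        $groups[$root].Add($u)
    }
    $groups
}

$connections = @{}
foreach ($entry in (Group-ByWebApplication -Urls $targets).GetEnumerator()) {

    # One interactive MFA sign-in per web application root
    $rootConnection = Connect-Site -Url $entry.Key -Browser -DisableSSO

    foreach ($url in $entry.Value) {
        # Same web application as $rootConnection, so the credentials are re-used
        $connections[$url] = Connect-Site -Url $url -UseCredentialsFrom $rootConnection
    }
}
```

With the sample list this results in two sign-in prompts, one for contoso-my.sharepoint.com and one for contoso.sharepoint.com, regardless of how many OneDrives or sites sit under each.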

Tenant connection

You could also set up the initial connection using the ShareGate ‘Connect-Tenant’ cmdlet.

However, I did notice re-authentication prompts using this method. What worked for me was to use https://contoso-my.sharepoint.com for the initial connection when migrating to OneDrive and to use https://contoso.sharepoint.com when migrating to Microsoft Teams/SharePoint Online.