Exchange Online via Restricted EWS Application (RBAC Scoping)

An alternative way to connect to Exchange Online using scoped RBAC permissions instead of granting organization-wide mailbox access.

Overview

Movebot supports connecting to Exchange Online using a restricted application configuration that limits mailbox access to a defined subset of mailboxes within the tenant.

This method introduces additional configuration complexity and is not recommended unless mailbox-level access restriction is required.


When should this be used instead of full access?

If you require:

  • Restricting mailbox access to a defined subset of users

  • Compliance controls preventing tenant-wide mailbox access

If you are not subject to the above requirements, follow the standard Exchange Online guide.

Requirements

To configure this connection method, you will need:

  • A Movebot account

  • An Exchange Online administrator account

  • Access to Microsoft Entra ID

  • PowerShell access to Exchange Online

How to Configure Restricted EWS Access

  1. Create the application registration in Entra

    • Log in to Entra ID as an administrator for your domain, and navigate to App Registrations.

    • Click New Registration

    • Specify a name for the new application. Leave the remaining fields as default. Click Register.

    • Make a note of the Application (Client) ID. This will be entered into your Movebot configuration.

    • Make a note of the Tenant ID. This will also be entered into your Movebot configuration.

    • Configure the permissions. Click API Permissions --> Add a Permission.

    • Select APIs my organisation uses, then search for Office 365 Exchange Online.

    • Select Application Permissions

    • Enable permission:

    • Grant admin consent

    • Click Certificates and Secrets --> Client Secrets --> New Client Secret

    • Copy the Client Secret Value

  2. Configure the Connection in Movebot

    The following information must be entered into the Movebot EWS connector.

    • Tenant ID

    • Email Address (does not need to be an administrator account.)

    • Application Client ID

    • Application Client Secret

  3. Connect to Exchange Online using PowerShell

  4. Create a Mail-Enabled Security Group

    • Create a group that defines which mailboxes Movebot can access.

    • Add allowed mailboxes:

    • Only mailboxes added to this group will be accessible.

  5. Retrieve the Distinguished Name of Security Group

    • Copy the entire DistinguishedName value.

    • Example:

  6. Create the Management Scope

    • Replace FULL-DN-HERE with your group’s Distinguished Name.

  7. Register the Service Principal

    • You will need:

      • Application ID (from App Registration)

      • Object ID (from Enterprise Application)

  8. Assign the EWS RBAC Role with Scope

  9. Validate the Configuration

    • To confirm whether a mailbox is within scope:

    • If the result shows InScope = True, the mailbox is accessible to the application; InScope = False means requests for that mailbox will be rejected.
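The PowerShell sequence for steps 3 to 9, as an added example that is not part of Movebot's own documentation. It uses the ExchangeOnlineManagement module; the group name and address, the scope name, the Application ID, the Object ID, and the mailbox addresses are placeholders to replace with your own values.

```powershell
# Added example (not Movebot's own code). Requires the ExchangeOnlineManagement module.
# Placeholders to replace: group name/address, scope name, the two IDs, and the mailboxes.

# Step 3: connect to Exchange Online as an administrator (interactive sign-in).
Connect-ExchangeOnline

# Step 4: create the mail-enabled security group that defines which mailboxes
# Movebot may access, then add the allowed mailboxes. Anything outside this
# group stays out of scope and will receive 403 responses.
New-DistributionGroup -Name "Movebot-Allowed-Mailboxes" `
    -PrimarySmtpAddress "movebot-allowed@contoso.com" -Type Security
Add-DistributionGroupMember -Identity "Movebot-Allowed-Mailboxes" -Member "user1@contoso.com"
Add-DistributionGroupMember -Identity "Movebot-Allowed-Mailboxes" -Member "shared1@contoso.com"

# Step 5: retrieve the group's full DistinguishedName for the scope filter.
$groupDn = (Get-DistributionGroup -Identity "Movebot-Allowed-Mailboxes").DistinguishedName

# Step 6: create a management scope whose recipient filter is membership of that group.
New-ManagementScope -Name "Movebot EWS Scope" `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'"

# Step 7: register the service principal for the app registration.
# Application ID comes from App Registrations, Object ID from Enterprise Applications.
$appId    = "00000000-0000-0000-0000-000000000000"   # placeholder
$objectId = "11111111-1111-1111-1111-111111111111"   # placeholder
New-ServicePrincipal -AppId $appId -ObjectId $objectId -DisplayName "Movebot EWS"

# Step 8: assign the EWS application role, restricted to the custom scope
# rather than the default organization-wide scope.
New-ManagementRoleAssignment -Role "Application EWS.AccessAsApp" `
    -App $appId -CustomResourceScope "Movebot EWS Scope"

# Step 9: validate. InScope = True means the mailbox is reachable by the app.
Test-ServicePrincipalAuthorization -Identity $appId -Resource "user1@contoso.com" |
    Format-List RoleName, ScopeType, AllowedResourceScope, InScope
```

Run the final Test-ServicePrincipalAuthorization line against a mailbox that is not in the group as well, to confirm it reports InScope = False.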

Important Notes

Connection Test Behaviour

When using restricted RBAC scoping, the Movebot connection test will fail by design.

This is expected behaviour and does not indicate a misconfiguration.

Because the application does not have organization-wide access, automatic mailbox discovery and validation are not supported.

Permission Propagation Delay

Permission updates and RBAC scope changes may not take effect immediately. In some environments, it can take up to an hour before access behaviour reflects the new configuration. If testing fails immediately after setup, wait and retry before troubleshooting further.

Mailbox Mapping Requirement

When using restricted access:

  • Mailboxes must be mapped manually using CSV Transfer Mapping.

  • Only mailboxes included in the mail-enabled security group can be migrated.

  • Mailboxes outside of the group will return HTTP 403 errors during migration.

Common Errors

Error: 403 Forbidden

Cause: Mailbox is not a member of the mail-enabled security group used in the management scope.

Fix: Add the mailbox to the group and retry the migration.

Supported Features

Movebot supports Exchange Online mailbox migrations using this configuration.

Feature              Supported
Mailbox Migration    Fully Supported
Shared Mailboxes     Fully Supported
Archive Mailboxes    Fully Supported
Calendar             Fully Supported
Contacts             Fully Supported
