SharePoint Online

Learn how to connect to SharePoint Online with Application Access

Introduction

We now recommend connecting to SharePoint with Application Access. This involves setting up a new application in Azure.

Recommendations

For best results when connecting to SharePoint Online in Movebot using Application Access, we recommend the following:

  • A Global Administrator service account in Azure

  • The Global Administrator account is licensed

  • You have the SharePoint domain/hostname on hand.

If you are unable to connect as a Global Administrator, contact us for alternative configuration options.

Configuration Steps

To connect to SharePoint you'll need to create an application in Azure, then use that application to connect Movebot and SharePoint.

Creating the application in Azure

When creating an application in Azure it can sometimes take a few minutes for the settings to populate. If testing the connection in Movebot is producing errors, give it a minute or so and then retest.

  1. Log in to Movebot and create a new project or task

  2. Choose to Create new Connection

  3. Select SharePoint from the list of available connections and set the connection name

  4. Provide the non-admin SharePoint domain in the field required

  5. Log in to Entra as a Global Administrator at https://entra.microsoft.com and create a new App Registration via Identity -> Applications -> App registrations

  6. Name the application. Keep the other fields as default and click Register.

  7. Copy the Application ID from the "Overview" section and paste it into Movebot.

  8. In Azure, in the application's permissions, click API Permissions --> Add a Permission. Select Microsoft Graph, then Application Permissions.

     Enable the following permissions:

       • Directory.Read.All
       • Files.ReadWrite.All
       • SharePointTenantSettings.Read.All
       • Sites.Manage.All
       • User.ReadWrite.All

  9. Next, add the SharePoint access. In Azure, in the application's permissions, click API Permissions --> Add a Permission. Select SharePoint, then Application Permissions.

     Select the following permission:

       • Sites.FullControl.All

  10. Grant admin consent and finish the consent process.

Generating the client secret

Under the application configuration:

  1. Click Certificates and Secrets --> Client Secrets --> New Client Secret. Provide a description and click Add. Copy the secret from the "Value" field.

  2. Return to Movebot and paste the secret "Value" into the appropriate field.

Upload the certificates from Movebot

Finally, you will need to generate and download the client certificate from Movebot and upload it to Azure for authentication.

  1. Under Step 3, click the Generate and Download Certificate button. You should get a PEM file download from Movebot.

  2. In Azure, click Certificates and Secrets --> Certificates --> Upload Certificate

  3. Upload the file created in step 1

  4. The thumbprint in Azure should match the one shown in Movebot

  5. Return to Movebot and click Save and Test connection.

  6. If the connection has succeeded, you can continue.

Common Errors

Movebot supports migrations to and from SharePoint Online as part of Microsoft 365. Below is a list of common issues users encounter during SharePoint migrations, along with troubleshooting guidance and answers to frequently asked questions.

Error: Invalid client secret provided

Cause: The client secret value is incorrect.

Resolution: Double-check that you have copied and entered the client secret value, not the client secret ID. These are often confused but are different fields in Azure.

Error: SCP or roles claim need to be present in the token.

Cause: Required claims are missing from the token.

Resolution: Ensure all necessary API permissions are granted and that they are assigned as Application permissions, not Delegated. Also, confirm admin consent has been granted for these permissions.
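
The check behind this error can be reproduced on a token you obtain yourself for the app registration. The following is an added example, not Movebot's code: it decodes the token payload and reports whether the Graph permissions from the configuration steps arrived as Application permissions (the roles claim) or as Delegated ones (the scp claim). The function names and the sample tokens are constructed for illustration; pass a different required set to check the SharePoint permission on a SharePoint token.

```python
import base64
import json

# Microsoft Graph application permissions listed in the configuration steps.
REQUIRED_GRAPH_ROLES = {
    "Directory.Read.All", "Files.ReadWrite.All", "Sites.Manage.All",
    "SharePointTenantSettings.Read.All", "User.ReadWrite.All",
}


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token, required=REQUIRED_GRAPH_ROLES):
    """Classify the token and list the required permissions it lacks."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    if roles:
        kind = "application"
    elif scopes:
        kind = "delegated"       # permissions were added as Delegated
    else:
        kind = "no-permissions"  # nothing assigned, or admin consent missing
    return {"kind": kind, "missing": sorted(set(required) - roles)}


def make_sample_token(payload):
    """Build a constructed, unsigned token for the demo (not a real Entra token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])


if __name__ == "__main__":
    for payload in ({"roles": sorted(REQUIRED_GRAPH_ROLES)},
                    {"scp": "Files.ReadWrite.All Sites.Manage.All"}):
        print(diagnose(make_sample_token(payload)))
```

A result of "delegated" or "no-permissions" corresponds to the two causes named in the resolution above: permissions assigned as Delegated, or admin consent not granted.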

Error: Tenant "domain.com" not found

Cause: The specified SharePoint Tenant Domain does not exist or is misconfigured.

Resolution: Verify that the tenant domain is correct. It should follow the format yourcompany.onmicrosoft.com.

Error: Application with identifier 'a323b4ba-031...' was not found in the directory

Cause: The application’s Client ID is incorrect or the app registration is missing.

Resolution: Check that the correct Client ID is being used. Refer to Step 7 of the configuration steps to confirm you have provided the proper ID.

Error: The certificate used to sign the client assertion is not registered

Cause: The required certificate has not been uploaded to the application in Entra.

Resolution: Generate the necessary certificate and upload it to the registered application in Entra. Refer to the "Upload the certificates from Movebot" section of the configuration steps.

Error: Could not find site (site-not-found)

Cause: The SharePoint domain value is incorrect or the specified site does not exist.

Resolution: Review your SharePoint configuration settings and ensure that you have specified the correct non-admin SharePoint domain. If the domain includes '-admin', please remove it.

Error: User Migration Failed (user-not-active)

Cause: The user account is not currently active or fully provisioned in Microsoft 365.

Resolution: First ensure the user has an active license assigned. If the user is newly created, their OneDrive may not yet be provisioned. You can either:

  • Pre-provision the user’s OneDrive using PowerShell (learn more).

  • Have the user sign in to OneDrive manually at least once to trigger provisioning.

Frequently Asked Questions

Can Movebot migrate data between two Microsoft 365 tenants?

Answer: Yes. Movebot supports bidirectional migrations between Microsoft 365 tenants, including full tenant-to-tenant migrations.

Can we restrict the app registration to only have access to specific users or sites?

Answer: No. Currently, the app registration will have access to all users and sites within the tenant. More granular access control is not supported at this time.

Why does SharePoint show more storage used than Movebot?

Answer: SharePoint includes all previous versions of files in its reported storage usage. By default, Movebot only counts the most recent version of each file, which can result in lower reported storage.

Can Movebot migrate data from a Classic SharePoint Site to a Modern Site?

Answer: Yes. Movebot treats both Classic and Modern SharePoint sites the same. Data can be migrated seamlessly between them.

Supported Features

Feature                          Supported in
SharePoint Document Libraries    Fully Supported
OneDrive Users                   Fully Supported
Permissions                      Fully Supported
Versions                         Fully Supported
Modification Retention           Fully Supported
Automatic Sanitization           Fully Supported

Tags: sharepoint
