SharePoint Migration Identity Mapping Tool: Azure Active Directory Identity Scan

Overview

The Azure Active Directory scan takes the identities that were found in the source SharePoint environment and looks them up in the Azure Active Directory that you authenticate to.

When performing look-ups, this is the pattern used for matching:

Users
  ExactMatch
    Source identity is a Windows user with a Security Identifier [SID]. The target is the OnPremisesSecurityIdentifier in Azure Active Directory.
    Non-Windows accounts will never be able to have an ExactMatch.
  PartialMatch
    Source identity claim value equals the UserPrincipalName or Mail value in Azure Active Directory.
    or
    Source identity Display Name equals the Display Name in Azure Active Directory.
  NoMatch
    Neither an ExactMatch nor a PartialMatch could be made.
Groups
  ExactMatch
    Source identity is a Windows group with a Security Identifier [SID]. The target is the OnPremisesSecurityIdentifier in Azure Active Directory.
    Non-Windows accounts will never be able to have an ExactMatch.
  PartialMatch
    Source identity Display Name equals the Display Name in Azure Active Directory.
  NoMatch
    Neither an ExactMatch nor a PartialMatch could be made.
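
The matching pattern above, written out as an added example (not the tool's own code). The data classes, the case-insensitive comparison, the already-decoded claim value and the sample directory are assumptions made for illustration. The function returns every candidate, so a PartialMatch on a Display Name shared by more than one directory object is visible to the operator before the mapping is accepted.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SourceIdentity:              # identity found in the source SharePoint environment
    kind: str                      # "user" or "group"
    display_name: str
    claim_value: str = ""          # assumption: claim already decoded to a plain value
    sid: Optional[str] = None      # only Windows accounts carry a SID

@dataclass
class DirectoryObject:             # constructed stand-in for an Azure AD user or group
    kind: str
    display_name: str
    on_premises_sid: Optional[str] = None   # OnPremisesSecurityIdentifier
    upn: str = ""                            # UserPrincipalName (users only)
    mail: str = ""

def _eq(a, b):
    # Assumption: values are compared case-insensitively; the page does not say.
    return bool(a) and bool(b) and a.casefold() == b.casefold()

def classify(src, directory):
    """Return (match_type, candidates) following the page's matching pattern."""
    same_kind = [o for o in directory if o.kind == src.kind]
    # ExactMatch: source SID equals OnPremisesSecurityIdentifier (Windows accounts only).
    exact = [o for o in same_kind if src.sid and _eq(src.sid, o.on_premises_sid)]
    if exact:
        return "ExactMatch", exact
    partial = []
    for o in same_kind:
        # The claim-value rule applies to users only; groups match on Display Name.
        by_claim = src.kind == "user" and (
            _eq(src.claim_value, o.upn) or _eq(src.claim_value, o.mail))
        if by_claim or _eq(src.display_name, o.display_name):
            partial.append(o)
    return ("PartialMatch", partial) if partial else ("NoMatch", [])

# Constructed sample directory (not real data).
DIRECTORY = [
    DirectoryObject("user", "Alex Kim", "S-1-5-21-1111-2222-3333-1001",
                    "alex.kim@contoso.example", "alex.kim@contoso.example"),
    DirectoryObject("user", "Jordan Lee", None,
                    "jordan.lee@contoso.example", "jlee@contoso.example"),
    DirectoryObject("user", "Jordan Lee", None, "jordan.lee2@contoso.example"),
    DirectoryObject("group", "Finance Owners", "S-1-5-21-1111-2222-3333-2001"),
]
```

A PartialMatch that returns more than one candidate is one to resolve by hand rather than accept as a mapping.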

We use ADAL to authenticate the operator to Azure Active Directory. This requires consent for the application to read the Azure Active Directory. To confirm that consent is in place before any scan runs, the tool performs a pre-flight validation check, which involves authenticating to Azure. This lets the operator avoid starting a long scan process when the prerequisites have not all been met. See <Link to consent info> for more information.