How the SharePoint Migration Tool works

The SharePoint Migration Tool authenticates to the destination tenant, after which you are prompted for the source file location and the destination SharePoint site collection where you want the files to be migrated. After you submit the migration jobs by selecting Migrate, the scanning, packaging, uploading, and importing steps are performed in parallel across all the files provided for migration.

Note

Use a Site Collection administrator account on the target SharePoint site when prompted for credentials.

AUTHENTICATION: After opening the tool, the first thing you must do is authenticate to the destination, that is, the tenant to which you will be migrating your files. Providing your username and password for the tenant associates the migration jobs you submit with this account. This allows you to resume your migration from another computer if needed by logging in with the same credentials. This account should be a site collection administrator of the destination you are migrating to. The following authentication methods are supported:

  • NTLM
  • Kerberos
  • Forms
  • ADFS
  • Multi-factor authentication
  • SAML based claims
  • Client certificate authentication

Important

If multiple authentication methods, including NTLM or Kerberos, are enabled in the on-premises SharePoint Web Application, NTLM and Kerberos authentication are not supported by the SharePoint Migration Tool. Use a secondary form of authentication, or convert the Web Application to use NTLM and/or Kerberos authentication only.

SCAN: After you select Migrate, a scan is always performed on every file, even if you decide not to migrate your files (see Advanced Settings). The scan verifies that there is access to the data source and write access to the SharePoint destination. It also scans the files for known potential issues.

PACKAGING: In the packaging stage, a content package is created that contains a manifest.

UPLOAD: In the upload stage, the content package is uploaded to Azure together with the manifest. Before a migration job can be accepted from a SharePoint-provided Azure container, the files and manifest are encrypted at rest using the AES-256-CBC standard.

IMPORT: During the import phase, the key is provided to SharePoint SAS. Only Azure and SharePoint interact to fetch and migrate the data to the destination. This process is timer job-based but does not prevent other jobs from being queued up. During the import, a report is created in the working folder and updated live. After the migration job is completed, the log is stored in the Azure container and a final report is created.

SESSION AND RESUME: While the migration is being performed, the tool saves information about the session in a hidden list on the user's OneDrive. This allows the migration tool to resume any previous migration session.

Encryption and security

During the upload and import phases, data is encrypted, and Azure containers and keys are generated.

Important

The SharePoint service and a select number of engineers can run maintenance commands against these accounts, but they do not have direct access to the accounts. Datacenter technicians are not prepped with knowledge of how data is laid out on disk and do not have ready access to equipment to mount disks. All drives are physically destroyed before leaving the datacenter. Physical security is also in place across all of our datacenters.

Each container is dedicated to the customer and not reused. The data is stored in the Azure blob anywhere from 4 to 30 days, after which it is deleted. When the data is deleted, the files are de-linked and later soft-deleted from disk. A file in an account and on disk may be shared across many servers. The same process is used for replicas, including backup copies (and geo-replicated data, if applicable).

The random, single-use default container key is generated programmatically and is only valid for three days. This key is the only way to gain access to the container. SharePoint never stores the key.

The container itself lives longer than the key. The container is purged anywhere from 30 to 90 days after its creation date. The container is housed in shared Microsoft storage outside the tenant but within the region, and is protected using the container key. For multi-Geo customers, the containers are generated based on the destination URL, which dictates in which Geo they are stored.

If your key is lost or obtained by someone else, there are two defenses in place that protect you. First, the container only enables read/write operations. The container has no list, which means you would need to know the details of the files stored in the container in order to read or write to them. Second, the files are encrypted at rest with AES-256-CBC.
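As an added illustration of the container-key design described above (this is not the migration tool's own code or Microsoft's implementation), the following Go model generates a random single-use AES-256 key with a three-day lifetime, encrypts a package with AES-256-CBC under a fresh IV, and refuses to decrypt once the key has expired or when the key or data is wrong. The type and function names are assumptions made for the example.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// ContainerKey models (not the tool's own code) the random, single-use container key above.
type ContainerKey struct {
	Key     []byte // 32 random bytes, i.e. AES-256
	Created time.Time
}
func NewContainerKey(now time.Time) (*ContainerKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &ContainerKey{Key: k, Created: now}, nil
}
// Valid reports whether the key is still inside its three-day lifetime.
func (c *ContainerKey) Valid(now time.Time) bool { return now.Sub(c.Created) < 72*time.Hour }
// Encrypt returns IV || AES-256-CBC(PKCS#7-padded plain) with a fresh random IV per package.
func (c *ContainerKey) Encrypt(plain []byte) ([]byte, error) {
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	block, err := aes.NewCipher(c.Key)
	if _, rerr := rand.Read(out[:aes.BlockSize]); err != nil || rerr != nil {
		return nil, errors.New("bad key size or no randomness available")
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}
// Decrypt (import side) rejects an expired key, a malformed blob, or bad padding (wrong key or tampering).
func (c *ContainerKey) Decrypt(data []byte, now time.Time) ([]byte, error) {
	block, err := aes.NewCipher(c.Key)
	if !c.Valid(now) || err != nil || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("expired key, bad key or malformed ciphertext")
	}
	plain := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(plain, data[aes.BlockSize:])
	p := int(plain[len(plain)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(plain[len(plain)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding: wrong key or corrupted data")
	}
	return plain[:len(plain)-p], nil
}
```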

Important

Only those who have the key have access to the container. Other users in the subscription or the tenant do not have access.

Note

The SharePoint Migration Tool is not available for users of Office 365 operated by 21Vianet in China. It is also not available for users of Microsoft 365 in the German cloud using the data trustee, German Telekom. However, it is supported for users in Germany whose data location is not in the German datacenter.