Partial tenant migration w/ ShareGate--Limiting access of the other side?
Posted by mixduptransistor@reddit | sysadmin | 6 comments
We're an M365 shop. We are divesting a small portion of our business to a third party, and the acquiring company is entitled by the agreement to the email of divested employees, the SharePoint sites for the divested departments, and the MS Teams teams for the divested departments.
They do a lot of these acquisitions and have a fairly standard process where they will connect to our tenant with ShareGate and migrate what they need. I think most of the time they do full acquisitions, not partial ones.
Our issue is that ShareGate apparently needs full permissions into our entire tenant, and we're obviously hesitant to do that.
So my question to the peanut gallery is: is there a way to mitigate this risk? We're waiting to hear back from ShareGate support on whether the new-ish Exchange Online RBAC for Applications can be applied to the app registration, but that will only solve our email problem.
They've suggested that we use a VM in our environment for the migration and we can record/shoulder surf what they're doing, but I don't know enough about ShareGate to know if that is viable. Is it an on-prem tool, or is it a cloud tool? Is it possible for us to lock it so that it can only be used on a machine we control? Seems like if it's a cloud tool that's not going to work.
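The Exchange Online RBAC for Applications idea raised above, worked through as an added example (not from the thread or from ShareGate): it restricts an app registration's application-level mailbox permission to only the divested mailboxes, then verifies the boundary. The AppId, ObjectId, the CustomAttribute1 tag, the role name and the mailbox addresses are all placeholders or assumptions; the tool may need a broader role than Mail.Read.

```powershell
# Added example: scope a migration tool's application permission to the divested
# mailboxes only, using Exchange Online RBAC for Applications.
# Assumptions: AppId/ObjectId are placeholders for the tool's app registration and its
# service principal; divested staff are tagged with CustomAttribute1 = 'Divested'.
Connect-ExchangeOnline

$AppId    = '00000000-0000-0000-0000-000000000000'   # placeholder: app (client) ID
$ObjectId = '11111111-1111-1111-1111-111111111111'   # placeholder: service principal object ID

# Make the service principal known to Exchange Online so it can receive a role assignment
New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName 'Divestiture migration tool'

# A management scope that matches only the divested mailboxes (filter is an assumption)
New-ManagementScope -Name 'Divested mailboxes' `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'Divested'"

# Grant the application role inside that scope only; everything else in the tenant
# stays out of reach of this app. 'Application Mail.Read' is the read-only role.
New-ManagementRoleAssignment -App $AppId `
    -Role 'Application Mail.Read' `
    -CustomResourceScope 'Divested mailboxes'

# Verify the boundary: a divested mailbox should be in scope, a retained one should not
Test-ServicePrincipalAuthorization -Identity $AppId -Resource 'divested.user@contoso.example'
Test-ServicePrincipalAuthorization -Identity $AppId -Resource 'retained.user@contoso.example'
```

As the post notes, this only narrows the mailbox side; the SharePoint analogue is Graph's Sites.Selected application permission, which limits an app to the site collections it has been explicitly granted.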
jamesaepp@reddit
We used ShareGate a year ago for a project. My memory is weak, but I recall the permissions were all 'Delegated' type when we set it up, so the authorization is at the day based on what the user accessing ShareGate has access to.
I can double check later for you though.
mixduptransistor@reddit (OP)
Some are delegated, some are application level. I think we've decided that the VM for ShareGate will be in our environment on our domain, and that way someone on our team will be involved. In fact, we just got confirmation that the acquiring company is happy for us to click all the buttons so they don't even need access, just scoping out what moves.
When I started this thread I wasn't entirely sure we could keep control in house, but it seems that is the case.
ChiefWetBlanket@reddit
Unfortunately, to migrate that it will need some beefy permissions. ShareGate is damn amazing at doing what it does though; it will slurp those employees and SharePoint sites right out of the environment with a few clicks. It can even migrate Teams chats, channels, and rooms right over to the new location. But to do that, it needs low-level RW access to the objects. So there isn't a way around that. You would have the same problem if you were using BitTitan or any of the other migration tools out there.
It's a full fat client utility though. Your idea of using a VM on your environment is a good one if you don't trust the company.
mixduptransistor@reddit (OP)
Yeah, I was under the impression it was SaaS. It's not that we don't trust them at all, but anyone would obviously hesitate before they gave an outside company full read access to everything.
Being able to put it on a VM in our environment is looking more and more like the path I want to take. I'm happy to spend a person from my team shoulder surfing/screen sharing or even doing the migration ourselves.
The alternative we have in mind is to set up a new tenant for this business, migrate everything into that, and then hand that over to the buyer. Not ideal for us because of the cost and time to set that all up, and I'm sure not ideal for the buyer who just wants this data in their tenant.
ChiefWetBlanket@reddit
Quite frankly, this is a conversation your CISO, CEO, and the buyer of the division need to be having. Bring your concerns to the CISO, let them decide on how to proceed.
Using a third party tenant isn't a bad idea, security wise. Keep in mind ShareGate is expeeeeeeeeeeeeeeensive. If they already have the license, use it.
mixduptransistor@reddit (OP)
Those people don't have the technical knowledge needed to make a decision on their own. They are involved, as is our legal counsel, but they need to know what the options are, and my role is to investigate all the options and the caveats of each, and then provide that back to the business to decide what risk we're willing to take as a company, or what controls we're willing to invest in to compensate for the risk.