Migration Prerequisites

Entra Application Registration

Register the Opsole Migrate application in Microsoft Entra ID, grant Microsoft Graph permissions, create a client secret, and validate authentication.

Opsole Migrate requires an application registration in Microsoft Entra ID to enable Microsoft Graph API access for device, identity, Intune, recovery, and post-migration assignment operations.

Tenant Scope

Create the application registration in the tenant or tenants required for your migration scenario.

| Migration scenario | Where to create the app registration |
| --- | --- |
| AD-to-Entra or Hybrid-to-Entra | Tenant where migration operations are performed |
| Tenant-to-Tenant | Both source and target tenants |

Sign in with an account that can register applications, create client secrets, assign Microsoft Graph application permissions, and grant admin consent. Common roles include Global Administrator, Privileged Role Administrator, and Cloud Application Administrator or Application Administrator.

Your organization may require separate approval for granting tenant-wide application permissions.


Step 1 - Register Application

  1. Go to entra.microsoft.com.
  2. Navigate to Home > Applications > App registrations.
  3. Click + New registration.

[Figure: Entra App Registration - New Registration]

  4. Enter a name for the application, for example OpsoleMigrateApp.
  5. Retain all other settings at their default values.
  6. Click Register.

[Figure: Entra App Registration - Name App]


Step 2 - Save Identifiers

From the application's Overview page, copy and save the following values:

  • Application (client) ID
  • Directory (tenant) ID

These values are required later when configuring and validating the Opsole Migrate portal connection.

[Figure: Entra App - Overview IDs]


Step 3 - Add API Permissions

  1. Go to API permissions.
  2. Click + Add a permission.

[Figure: Entra App - API Permissions]

  3. On the Request API permissions page, select Microsoft Graph.

[Figure: Microsoft Graph - Permission Type]

  4. Select Application permissions.

[Figure: Microsoft Graph - Application Permissions]

  5. Use the search bar to add the required Microsoft Graph permissions.

[Figure: Microsoft Graph - Add Permissions]

| Permission | Type | Scope |
| --- | --- | --- |
| User.Read.All | Application | Required |
| Device.ReadWrite.All | Application | Required |
| Directory.Read.All | Application | Required |
| DeviceManagementManagedDevices.ReadWrite.All | Application | Required |
| DeviceManagementServiceConfig.ReadWrite.All | Application | Required |
| DeviceManagementConfiguration.ReadWrite.All | Application | Feature-dependent |
| GroupMember.ReadWrite.All | Application | Feature-dependent |
| DeviceLocalCredential.Read.All | Application | Feature-dependent |
| DeviceLocalCredential.ReadBasic.All | Application | Feature-dependent |

Feature-dependent permissions are required only when the corresponding capability is enabled, such as LAPS retrieval, group restoration, or configuration profile handling.

[Figure: Microsoft Graph - Permissions List]

  6. After adding the permissions, click Grant admin consent for [TENANT NAME].
  7. Click Yes at the grant admin consent confirmation prompt.

[Figure: Grant Admin Consent]

  8. Confirm that all permissions display Granted for [TENANT NAME].

[Figure: Permissions Granted]


Step 4 - Generate Client Secret

  1. Go to Certificates & secrets > Client secrets.
  2. Click + New client secret.

[Figure: Certificates & Secrets]

  3. Fill in the following:
    • Description: for example OpsoleSecretKey
    • Expires: select a duration aligned with your organization's secret rotation policy, for example 180 days
  4. Click Add.

[Figure: Create Client Secret]


Step 5 - Save the Secret Value

Copy the Value of the new client secret immediately and save it securely.

The client secret value is shown only once. Do not navigate away from the page until the value has been copied and stored.

Store the secret in an approved secrets vault or password management system. Do not email it, store it in scripts, save it in source control, or share it through chat.

Record the secret expiry date and assign an owner for rotation before expiry.
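
The expiry record described above can be produced from the application object itself. The following is an added example, not Opsole code: it reads passwordCredentials from an application object in the Microsoft Graph JSON shape and flags secrets that are expired, due for rotation, or issued for longer than policy allows. The function name, the thresholds, and the constructed sample JSON are assumptions.

```powershell
# Added example, not Opsole code. $appJson is CONSTRUCTED sample data shaped like
# a Microsoft Graph application object (passwordCredentials with displayName,
# keyId, startDateTime, endDateTime).
$appJson = @'
{ "displayName": "OpsoleMigrateApp",
  "passwordCredentials": [
    { "displayName": "OpsoleSecretKey", "keyId": "11111111-1111-1111-1111-111111111111",
      "startDateTime": "2025-01-10T09:00:00Z", "endDateTime": "2025-07-09T09:00:00Z" },
    { "displayName": "legacy-test", "keyId": "22222222-2222-2222-2222-222222222222",
      "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z" } ] }
'@

function Get-ClientSecretExpiry {
    param(
        [Parameter(Mandatory)][string]$ApplicationJson,
        [datetime]$AsOfUtc = [datetime]::UtcNow,
        [int]$WarnDays = 30,          # assumption: rotation lead time
        [int]$MaxLifetimeDays = 180   # assumption: mirrors the 180-day example in Step 4
    )
    $app = $ApplicationJson | ConvertFrom-Json
    foreach ($cred in $app.passwordCredentials) {
        # Works whether ConvertFrom-Json returned a string (5.1) or a DateTime (7+).
        $start = ([datetimeoffset]$cred.startDateTime).UtcDateTime
        $end   = ([datetimeoffset]$cred.endDateTime).UtcDateTime
        $daysLeft = [math]::Floor(($end - $AsOfUtc).TotalDays)
        $status = if ($daysLeft -lt 0) { 'Expired' }
                  elseif ($daysLeft -le $WarnDays) { 'RotateNow' }
                  else { 'OK' }
        [pscustomobject]@{
            App                = $app.displayName
            Secret             = $cred.displayName
            KeyId              = $cred.keyId
            ExpiresUtc         = $end
            DaysLeft           = $daysLeft
            Status             = $status
            OverPolicyLifetime = (($end - $start).TotalDays -gt $MaxLifetimeDays)
        }
    }
}

# Evaluate the constructed sample as of a fixed date so the result is repeatable.
Get-ClientSecretExpiry -ApplicationJson $appJson -AsOfUtc '2025-06-20' | Format-Table
```

The report contains only the secret's name, key ID, and dates, never the secret value, so it can be shared with the rotation owner.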

[Figure: Client Secret Value]


Validate the Entra App Registration

Validate the Microsoft Entra app registration before using it in the Opsole Migrate portal. This confirms that the app registration can authenticate successfully and that permissions, admin consent, or tenant policies are not blocking access.

Step 1 - Download the Validation Script

Download the PowerShell validation script here: Download link

Right-click the link and select Save link as... to download the file.

Step 2 - Save the Script Locally

Save the script in a dedicated folder on a secure admin workstation, for example D:\Temp.

Run the validation script from a trusted administrative workstation. If your organization requires script review, have the script reviewed and approved before execution.

Step 3 - Run the Script

Open Windows PowerShell or PowerShell 7.

Navigate to the folder where the script is saved, then run:

.\Opsole_Entra_AppAuth_Validation.ps1

Step 4 - Provide the Requested Details

When prompted, enter:

  • Directory (tenant) ID
  • Application (client) ID
  • Client secret

The client secret input is hidden.

[Figure: Client Secret Value]

Step 5 - Confirm Success

If the script returns PASS, the app registration authentication is working and can be safely used in the Opsole Migrate portal.

[Figure: Client Secret Value]

If the script returns FAIL, re-check the entered values and review tenant configuration, permissions, admin consent, Conditional Access restrictions, and secret validity before proceeding with migration activity.
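
Independently of the validation script, the granted permissions can be checked against the table in Step 3. The following is an added example, not the Opsole validation script or Opsole code: it decodes the roles claim of an app-only Microsoft Graph access token and reports required permissions that are missing and permissions that fall outside the table. The function names and the unsigned sample token are assumptions constructed for illustration.

```powershell
# Added example (not the Opsole validation script). Permission names are taken
# from the table on this page; the token below is CONSTRUCTED and unsigned.
$Required = 'User.Read.All', 'Device.ReadWrite.All', 'Directory.Read.All',
    'DeviceManagementManagedDevices.ReadWrite.All',
    'DeviceManagementServiceConfig.ReadWrite.All'
$FeatureDependent = 'DeviceManagementConfiguration.ReadWrite.All',
    'GroupMember.ReadWrite.All', 'DeviceLocalCredential.Read.All',
    'DeviceLocalCredential.ReadBasic.All'

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url([string]$Text) {   # only used to build the sample
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-GraphTokenRoles([string]$AccessToken) {
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a three-part JWT.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # "roles" is absent or empty when no application permission has been consented.
    $roles = @($claims.roles | Where-Object { $_ })
    $known = $Required + $FeatureDependent
    [pscustomobject]@{
        TenantId        = $claims.tid
        MissingRequired = @($Required | Where-Object { $_ -notin $roles })
        FeatureGranted  = @($roles | Where-Object { $_ -in $FeatureDependent })
        Unexpected      = @($roles | Where-Object { $_ -notin $known })
    }
}

# Constructed payload: two required roles missing, one role outside the table.
$payload = @{
    tid   = '00000000-0000-0000-0000-000000000000'
    roles = 'User.Read.All', 'Device.ReadWrite.All', 'Directory.Read.All',
            'GroupMember.ReadWrite.All', 'Mail.Read'
} | ConvertTo-Json -Compress
$header = ConvertTo-Base64Url '{"alg":"none"}'
$sample = @($header, (ConvertTo-Base64Url $payload), 'sig') -join '.'
Test-GraphTokenRoles $sample | Format-List
```

For a real check, pass the access token returned by the app's client-credentials sign-in for Microsoft Graph instead of $sample, and handle that token as a secret.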

