Portal Configuration

Configure Opsole Migrate portal settings for device migration, including AD disjoin credentials, recovery options, profile migration behavior, device attributes, group assignment, and validated provisioning package upload.

After completing prerequisite validation and portal onboarding, configure the additional Opsole Migrate portal settings required before scheduling or starting migrations.


Before You Begin

Complete the following before configuring this page:

You should also have:

  • Confirmed migration scenario and tenant scope
  • Validated tenant/app registration credentials
  • Validated provisioning package (.ppkg)
  • AD disjoin account details, if required
  • Approved backup, recovery, profile migration, and group assignment decisions

Security and Credential Handling

Enter credentials and sensitive artifacts only in the Opsole Migrate portal.

Do not share any of the following through email, chat, ticket attachments, public shares, source control, or unmanaged file locations:

  • AD disjoin account password
  • Client secrets
  • Provisioning packages (.ppkg)
  • LAPS credentials
  • BitLocker recovery keys

Access to recovery data and sensitive configuration should follow your organization's security, support, and audit governance.


1. Open Additional Configuration

After successfully saving your initial Entra ID configuration during onboarding, open Additional Configuration in the portal.

Opsole Migrate Portal - Additional Configuration


2. Security and Authentication

Active Directory Disjoin Account

Specify the AD account used to disjoin devices from the source Active Directory domain during migration.

Use the format:

DOMAIN\username

This setting applies as follows:

Migration scenario                                                | AD disjoin account required
------------------------------------------------------------------|----------------------------
AD-to-Entra                                                       | Required
Hybrid-to-Entra                                                   | Required
Tenant-to-Tenant from AD-joined or Hybrid-joined source devices   | Required
Tenant-to-Tenant from Entra ID joined source devices only         | Not required

The account must be valid in the source AD environment and must have delegated permissions to disjoin target devices from the correct OU scope.

Active Directory Disjoin Password

Enter the password for the AD disjoin account.

Before saving, confirm that:

  • The account is active and not locked out.
  • The password is current and not expired.
  • The account was validated on a representative test device.
  • The account is delegated on the OU or OUs containing target devices.
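
The first two checks above can be scripted before the password is entered in the portal. The following is an added example, not Opsole Migrate code: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that it runs from a machine that can reach the source domain, and it uses the placeholder account CONTOSO\svc-disjoin and an assumed 14-day warning window. Test-device validation and OU delegation still have to be confirmed separately.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Opsole code): pre-save health check for the AD disjoin account.

function Test-DisjoinAccount {
    param(
        [Parameter(Mandatory)][string]$Account,  # must be DOMAIN\username
        [int]$WarnDays = 14                       # assumed warning window, adjust to the project
    )

    # Enforce the DOMAIN\username format; reject UPNs and bare names.
    if (-not ($Account -match '^(?<domain>[^\\/@\s]+)\\(?<user>[^\\/@\s]+)$')) {
        throw "Expected DOMAIN\username, got '$Account'"
    }

    $props = @('LockedOut', 'PasswordExpired', 'PasswordNeverExpires',
               'AccountExpirationDate', 'msDS-UserPasswordExpiryTimeComputed')
    $user  = Get-ADUser -Identity $Matches.user -Server $Matches.domain -Properties $props

    # Constructed attribute: Int64.MaxValue means the password never expires,
    # otherwise it is a FILETIME (0 means a change is required at next logon).
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $pwdExpires = $null
    if ($null -ne $raw -and $raw -ne [Int64]::MaxValue) {
        $pwdExpires = [DateTime]::FromFileTimeUtc($raw)
    }

    $now = (Get-Date).ToUniversalTime()
    $accountExpired = ($null -ne $user.AccountExpirationDate) -and
                      ($user.AccountExpirationDate.ToUniversalTime() -lt $now)
    # A password that expires mid-project breaks later migration waves, so flag it early.
    $expiresSoon = ($null -ne $pwdExpires) -and ($pwdExpires -lt $now.AddDays($WarnDays))

    [pscustomobject]@{
        Account            = $Account
        Enabled            = $user.Enabled
        LockedOut          = $user.LockedOut
        AccountExpired     = $accountExpired
        PasswordExpired    = $user.PasswordExpired
        PasswordExpiresUtc = $pwdExpires
        ExpiresWithinWarn  = $expiresSoon
        ReadyToSave        = $user.Enabled -and -not $user.LockedOut -and
                             -not $accountExpired -and -not $user.PasswordExpired
    }
}

# Placeholder account name; replace with the real disjoin account.
Test-DisjoinAccount -Account 'CONTOSO\svc-disjoin' | Format-List
```

The script never handles the password itself, so nothing sensitive is written to the console or to a transcript.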

3. Backup and Recovery Options

LAPS Password Backup

Enable this option only if approved by your organization's recovery and security policy.

When enabled, Opsole Migrate stores local administrator password recovery information for recovery assurance during migration.

BitLocker Recovery Key

Enable this option to back up the BitLocker recovery key for recovery scenarios during or after migration.

Before enabling, confirm that:

  • BitLocker recovery handling is approved by the security team.
  • Support teams know where recovery data is available.
  • Access to recovery data is governed and audited according to your internal policy.

4. Profile Migration Options

Multi-User Profile Migration

Multi-user profile migration is disabled by default.

  • When enabled, all supported user profiles on the device are migrated.
  • When disabled, only the currently logged-in user profile is migrated.

Enable this option for shared-device or multi-profile scenarios only after pilot validation.

Multi-user profile migration can increase migration runtime depending on the number and condition of profiles on the device.

This is a global setting and applies to all migrations.


5. Device Configuration

BitLocker Migration Method

Select the BitLocker handling method that matches the approved encryption and recovery plan for the migration project.

Group Tag

Optional. Used for Autopilot or dynamic group targeting after migration.

Device Attribute

Optional. Used for custom grouping, automation, reporting, or dynamic device assignment in the target tenant.


6. Group Assignment and Retention

Allowed Groups for Scheduled Migration

Optional. Limits which groups are available when scheduling migrations from the device tab.

Use this setting when administrators should choose only from an approved migration scheduling group list instead of all available Microsoft Entra groups.

Post-Migration Group Assignment

Selected groups are automatically assigned to the device after successful migration.

Use this option for target-state assignments such as migrated device groups, baseline policy groups, or post-migration application groups.

Exclude Groups from Retention

By default, devices can be reassigned to their original cloud groups after migration where group restoration is enabled.

Use this option to exclude groups that should not be restored in the target state, such as legacy, source-only, or conflicting policy groups.


7. Provisioning Package Upload

Upload only a validated provisioning package (.ppkg) created with Windows Configuration Designer.

To upload the provisioning package:

  1. Navigate to Settings > Configuration.
  2. Locate the Package section.
  3. Click Upload Package.
  4. Choose the package expiry date.
  5. Upload the validated provisioning package.

Use the correct package for your migration scenario:

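Migration scenario               | Package to upload
---------------------------------|----------------------------------------------------------------
AD-to-Entra or Hybrid-to-Entra   | Package created for the tenant the device will join after migration
Tenant-to-Tenant                 | Package created using the destination target tenant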

Before uploading, confirm that:

  • The package was validated on a standalone test device.
  • The package token has not expired.
  • The selected package expiry date matches your provisioning package validity plan.
  • The package is stored and handled as a sensitive credential.
  • The package was not shared through email, chat, public shares, or unmanaged locations.

Do not upload an expired, unvalidated, or wrong-tenant provisioning package.


Configuration Completion

After all required settings are configured and saved, the portal configuration is complete.

Before starting migrations, confirm that:

  • The Validation Checklist is complete.
  • Portal settings match the approved migration scenario.
  • Recovery settings are approved.
  • Provisioning package upload is validated.
  • Pilot devices are ready for scheduling.

You are now ready to continue to the migration readiness checklist and start migration preparation.

