Monday, July 22, 2024

Azure Storage Account Migration

This video demonstrates CopyRight2's Azure Migration Add-on, which migrates data and file shares, including NTFS and share-level permissions, to Azure Storage Accounts.

This video demonstrates the use of CopyRight2's Azure Migration Add-on to migrate file shares, including NTFS and share-level permissions, from an on-premises Windows® 2019 file server to an Azure storage account. It starts from scratch with an on-premises domain and a member server hosting the file shares to migrate to the cloud. Additionally, it shows how to use Distributed File System (DFS) and how to convert RBAC AGLP to AGDLP groups.

Below are the links to download Azure AD Connect and the AzFilesHybrid PowerShell scripts to join the storage account to the on-premises domain:



The source environment is a Windows® 2019 Active Directory domain (domain controller \\WIN2K19) with a Windows® 2019 member server (\\WIN2K19FS) hosting file and group shares. It uses a domain-based DFS with two namespaces, "Group" and "Home", to redirect to the shares on the member server. The NTFS and file share permissions use AGDLP (Account -> Global Group -> Domain Local Group -> Permission) and AGLP (Account -> Global Group -> Server Local Group -> Permission) RBAC.

The target environment is Microsoft Azure.


Beyond CopyRight2, you will need to download and install Azure AD Connect to replicate the on-premises Active Directory to Azure Active Directory, and the AzFilesHybrid PowerShell scripts to join the storage account to the on-premises AD.

You will also need to register an app in Azure AD to let CopyRight2 access Azure APIs required to create/update the storage account's file share permissions.

CopyRight2 Options

OS Types, Roles and DCs
NetBIOS Name:
OS Type: Azure
Role: Domain Member
Domain Controller NetBIOS Name: WIN2K19

Azure App Registration

CopyRight2 requires an app registration in Azure Active Directory (AAD) in order to migrate file share permissions to the storage account.

Name: CopyRight2

Client Secret
Name: Client Secret

API Permissions (Delegated)

API Permissions
Microsoft Graph Group.Read.All
Microsoft Graph RoleManagement.Read.Directory
Microsoft Graph User.Read.All
Azure Service Management user_impersonation

Redirect URI
Platform: Web
URI: http://localhost:8890
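
A least-privilege check for the app registration described above, as an added example that is not part of CopyRight2 or the original page: it compares an app's delegated grants and web redirect URIs against the values listed here and reports any drift. The input is constructed, and `resourceName` is an assumed field standing in for the resource API resolved from a Microsoft Graph `oauth2PermissionGrant` object's `resourceId`.

```python
import json

# Delegated permissions listed on this page, keyed by resource API name.
# Microsoft Graph names the group read scope Group.Read.All.
EXPECTED = {
    "Microsoft Graph": {"Group.Read.All", "RoleManagement.Read.Directory", "User.Read.All"},
    "Azure Service Management": {"user_impersonation"},
}
EXPECTED_REDIRECT = "http://localhost:8890"

# Constructed sample: grants shaped like oauth2PermissionGrant objects
# (resourceName is an assumed, pre-resolved field) plus the web redirect URIs.
SAMPLE = json.loads("""
{
  "redirectUris": ["http://localhost:8890", "https://files.example.net/cb"],
  "grants": [
    {"resourceName": "Microsoft Graph", "consentType": "AllPrincipals",
     "scope": "Group.Read.All RoleManagement.Read.Directory User.Read.All Directory.ReadWrite.All"},
    {"resourceName": "Azure Service Management", "consentType": "AllPrincipals",
     "scope": "user_impersonation"}
  ]
}
""")

def audit(app):
    """Return a sorted list of findings; an empty list means no drift from the page's settings."""
    findings = []
    granted = {}
    # A grant's scope field is a space-separated list of delegated permission names.
    for grant in app["grants"]:
        granted.setdefault(grant["resourceName"], set()).update(grant["scope"].split())
    for api, scopes in granted.items():
        for extra in scopes - EXPECTED.get(api, set()):
            findings.append(f"excess scope: {api} {extra}")
    for api, scopes in EXPECTED.items():
        for missing in scopes - granted.get(api, set()):
            findings.append(f"missing scope: {api} {missing}")
    # Any reply URL other than the documented loopback address is flagged.
    for uri in app["redirectUris"]:
        if uri != EXPECTED_REDIRECT:
            findings.append(f"unexpected redirect URI: {uri}")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
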

Settings (Server Local Group Migration)

Job Type
User and Group Migration

Name and Description Page
Name: Local Group Migration

Source and Destination Page
Source computer: WIN2K19FS
Destination computer: WIN2K19

User and Group Migration Page
Specific accounts: Local Group "L_Sales"

Filter Page
User accounts: Disabled
Local groups: Enabled (Add/Update)

Active Directory Options Page
Move migrated objects here: LDAP://OU=Sales,OU=Brawndo,DC=DOMAINE,DC=COM

Settings (Data Migration)

Job Type
Data Migration

Name and Description Page
Name: Azure Data Migration

Source and Destination Page

Source Destination
\\WIN2K19FS\ACross$ \\\across
\\WIN2K19FS\DCole$ \\\dcole
\\WIN2K19FS\EGardner$ \\\egardner
\\WIN2K19FS\EHolden$ \\\eholden
\\WIN2K19FS\GEstrada$ \\\gestrada
\\WIN2K19FS\Marketing$ \\\marketing
\\WIN2K19FS\MHoyles$ \\\mhoyles
\\WIN2K19FS\MSutton$ \\\msutton
\\WIN2K19FS\RCraig$ \\\rcraig
\\WIN2K19FS\RRiley$ \\\rriley
\\WIN2K19FS\Sales$ \\\sales
\\WIN2K19FS\SColeman$ \\\scoleman

Synchronization: Add/Update/Delete
Use Volume Shadow Copy: Disabled (for final copy phase) / Enabled (for pre-copy phase)

ACL and Owner Permissions Page
Assign security identifiers of groups and users on the source...: Enabled

File Shares Page
Include file shares located at specified folder(s) and below: Enabled (Add/Update)
Update DFS: Enabled (for final copy phase) / Disabled (for pre-copy phase)
DFS server name: WIN2K19

Azure Options Page
Subscription ID: Azure subscription ID
Primary Domain:
Tenant ID: Tenant ID of AAD
Application ID: ID of registered Azure app
Application Secret: Secret of registered Azure app
Authenticate using Azure Storage Account: Enabled


The video shows the final copy phase of the migration, updating DFS entries so that they point to the shares' new location in the Azure storage account. In a real-world scenario, you would previously run the pre-copy phase, while users are still working on the source data, with either "Volume Shadow Copy" or "Ignore errors resulting from locked files" enabled and DFS updates disabled to minimize any downtime during the final copy phase.