🦊

MigrationFox Documentation

MigrationFox migrates files, Teams channels, and SharePoint sites between 13 platforms with high-throughput parallel transfers and zero downtime. Plus a full M365 Assessment Suite and mail migration for tenants preparing a Copilot rollout or moving mailboxes. Start free with 2 GB of migration credits.

⚡

Quick Start

Get your first migration running in under 5 minutes.

📚

Platform Guides

Setup instructions for every supported platform.

🛠

Troubleshooting

Solutions to common errors and issues.

Supported Platforms

Google Drive SharePoint OneDrive Microsoft Teams Slack AWS S3 SFTP / FTP Dropbox Box SMB Shares Azure Blob Storage

How It Works

Every migration follows five core steps:

1. Connect 2. Discover 3. Provision 4. Migrate 5. Monitor

Quick Start Guide

Get your first migration running in just a few steps.

Create an Account

Sign up at app.migrationfox.com. You get 5 GB of free transfer on the Starter plan to test things out. No credit card required.

Create a Project

Projects are how you organize migrations. Think of a project as a migration job — e.g., "Marketing Team to SharePoint" or "Full Org Google-to-M365".

Click New Project from the dashboard. Give it a name and optional description.

Connect Source & Destination

In your project, add a source (where data is coming from) and a destination (where data is going). Follow the platform-specific guides below to set up credentials.

Discover Content

Run a discovery scan on your source to index all files, folders, and metadata. This lets you see exactly what will be migrated before you start.

Start Migration

Configure your migration settings (mode, conflict resolution, bandwidth) and click Start Migration. Monitor progress in real time from the dashboard.

Tip

Run a small test migration first with a subfolder before migrating your entire organization. This helps you verify permissions and folder structure are correct.

Creating a Project

A project is the top-level container for a migration. Each project has its own source connection, destination connection, discovery data, and migration jobs.

Project Settings

Setting	Description
Name	A human-readable label for this migration, e.g. "Marketing Drive to SharePoint"
Source	The platform you are migrating from (Google Drive, Dropbox, S3, etc.)
Destination	The platform you are migrating to (SharePoint, OneDrive, Google Drive, etc.)
Migration Mode	COPY, MOVE, or DELTA — see Migration Modes
Conflict Resolution	What to do when a file already exists at the destination — see Conflict Resolution

Project Lifecycle

A project goes through these stages:

Setup — Connect source and destination, configure credentials
Discovery — Scan the source to build a file inventory
Provisioning — Optionally pre-create destination structure (sites, libraries, folders)
Migration — Transfer files and metadata
Verification — Review results, re-run for any failed items

Understanding the Workflow

Every migration in MigrationFox follows a five-phase workflow. Understanding each phase helps you plan and execute migrations efficiently.

Phase 1: Connect

Authenticate with your source and destination platforms. MigrationFox supports OAuth (interactive login), service accounts (for unattended access), and API keys depending on the platform. Credentials are encrypted with AES-256 and stored securely.

Phase 2: Discover

Discovery scans your source environment and builds a complete inventory of files, folders, and metadata. The discovery report shows:

Total file count and size
Folder tree structure
File type distribution
Large files that may need special handling
Permission mappings

Phase 3: Provision

Before migrating data, MigrationFox can pre-create the destination structure. For SharePoint, this means creating site collections, document libraries, and folders. For Google Drive, this means creating Shared Drives and folder hierarchies. Provisioning ensures the destination is ready to receive data.

Phase 4: Migrate

The actual data transfer. MigrationFox streams files directly from source to destination without storing data on its own servers. Files are transferred in parallel with configurable concurrency. Large files use chunked/multipart uploads for reliability.

Phase 5: Monitor

Track migration progress in real time. The dashboard shows:

Files transferred / remaining / failed
Transfer speed (MB/s)
Estimated time remaining
Per-file status with error details
Audit log of all operations

Tip

After a migration completes, you can re-run it as a delta sync to catch any files that were added or changed during the initial migration.

Google Drive / Google Workspace

Migrate files and folders to or from Google Drive, including personal drives, Shared Drives (Team Drives), and domain-wide content for Google Workspace organizations.

Prerequisites

A Google Cloud project with the Google Drive API enabled
For organization-wide access: a Google Workspace admin account (for domain-wide delegation)
Either a service account (recommended for production) or an OAuth 2.0 client

Required Permissions / Scopes

https://www.googleapis.com/auth/drive

This scope grants full read/write access to Google Drive files. For read-only source access, you can use drive.readonly instead.

Service Account Setup (Recommended)

Service accounts provide unattended, organization-wide access without requiring individual user authentication.

Create a Google Cloud project

Go to console.cloud.google.com. Click Select Project → New Project. Give it a name (e.g., "MigrationFox") and click Create.

Enable the Google Drive API

In your project, go to APIs & Services → Library. Search for "Google Drive API" and click Enable. Wait 2-3 minutes for propagation.

Common error: "Google Drive API has not been used in project X before or it is disabled." — This means you skipped this step. The API MUST be enabled in the same Google Cloud project that owns the service account. Go to console.developers.google.com/apis/api/drive.googleapis.com/overview?project=YOUR_PROJECT_ID and enable it.

Create a Service Account

Go to APIs & Services → Credentials → Create Credentials → Service Account.

Give it a name, skip the optional permissions, and click Done.

Download the JSON key

Click on your newly created service account → Keys tab → Add Key → Create new key → JSON. Download and keep this file secure.

Enable Domain-Wide Delegation

In Google Workspace admin console (admin.google.com):

Go to Security → API Controls → Domain-wide Delegation
Click Add new
Enter the service account's Client ID (found in the JSON key or in Google Cloud Console)
Add the scope: https://www.googleapis.com/auth/drive
Click Authorize

Add credentials in MigrationFox

In your MigrationFox project, select Google Drive as the source or destination. Choose Service Account authentication and upload the JSON key file.

OAuth Setup (Alternative)

OAuth is simpler to set up but requires interactive user login and only accesses that user's content.

In Google Cloud Console, go to Credentials → Create Credentials → OAuth Client ID
Application type: Web application
Add your MigrationFox redirect URI: https://app.migrationfox.com/auth/google/callback
Note the Client ID and Client Secret
In MigrationFox, choose OAuth authentication and click Connect with Google

Supported Features

Feature	Supported
Files & folders	Yes
Shared Drives (Team Drives)	Yes
Permissions / sharing	Yes
Google Docs → DOCX export	Yes
Google Sheets → XLSX export	Yes
Google Slides → PPTX export	Yes
Large file support (chunked)	Yes
Delta sync	Yes

Limitations

Google Forms, Google Sites, and Apps Script files cannot be migrated as they have no export format. These items will be skipped and reported in the migration summary.

SharePoint / OneDrive

Migrate files, document libraries, and site content to or from SharePoint Online and OneDrive for Business.

Full site migration guide

Cross-tenant site collections — content types, list views, version history snapshots, Site Pages, and UPN-mapped permissions — are documented on the dedicated SharePoint Site Migration page.

Prerequisites

An Azure AD (Entra ID) app registration
A Microsoft 365 tenant with SharePoint Online
Global Admin or SharePoint Admin permissions (for granting consent)

Required Permissions

For Application (app-only, unattended) access:

Sites.ReadWrite.All Files.ReadWrite.All

App Registration Setup

Register a new application

Go to portal.azure.com → Azure Active Directory → App registrations → New registration.

Name it "MigrationFox" (or similar). Under Supported account types, select Accounts in this organizational directory only. Click Register.

Add Application permissions

Go to API permissions → Add a permission → Microsoft Graph → Application permissions.

Add: Sites.ReadWrite.All and Files.ReadWrite.All.

Grant admin consent

Click Grant admin consent for [Your Organization]. You must be a Global Admin to do this. Each permission should show a green checkmark after consent is granted.

Create a client secret

Go to Certificates & secrets → New client secret. Set an expiration (recommend 24 months). Copy the Value immediately — you won't be able to see it again.

Note your credentials

You'll need three values to connect in MigrationFox:

Tenant ID — Found in Overview → Directory (tenant) ID
Client ID — Found in Overview → Application (client) ID
Client Secret — The value you copied in step 4

Add credentials in MigrationFox

In your project, select SharePoint or OneDrive as the source/destination. Choose App-Only (Client Credentials) authentication and enter your Tenant ID, Client ID, and Client Secret.

OAuth Setup (Delegated Access)

For delegated access (user-specific), add Delegated permissions instead of Application permissions, add your redirect URI (https://app.migrationfox.com/auth/microsoft/callback), and use the OAuth flow in MigrationFox.

Supported Features

Feature	Supported
Files & folders	Yes
Document libraries	Yes
Site collections	Yes
List migration	Yes
Site provisioning	Yes
Permissions / sharing	Yes
Large file support (chunked)	Yes
Delta sync	Yes

Limitations

Page layouts, workflows (Power Automate flows), and web parts are not migrated. These are SharePoint-specific components that cannot be transferred as files. You will need to recreate them manually at the destination.

Microsoft Teams

Migrate Teams channels, messages, replies, reactions, and member lists between Microsoft Teams tenants, or from Slack to Teams.

Prerequisites

An Azure AD app registration (can be the same as your SharePoint registration, or separate)
Teams Administrator permissions for granting consent

Required Permissions

Group.Read.All Channel.ReadBasic.All ChannelMessage.Read.All ChannelMessage.ReadWrite.All Teamwork.Migrate.All Team.ReadBasic.All TeamMember.Read.All User.Read.All

Setup

Register an app (or reuse your SharePoint app)

Follow the same steps as the SharePoint setup. You can use the same app registration if you prefer.

Add Teams Application permissions

In API permissions → Microsoft Graph → Application permissions, add:

Group.Read.All — required to list teams
Channel.ReadBasic.All
ChannelMessage.Read.All
ChannelMessage.ReadWrite.All — required for writing messages via migration API
Teamwork.Migrate.All
Team.ReadBasic.All
TeamMember.Read.All
User.Read.All — required for creating teams and resolving user identities in app-only context

Grant admin consent

Click Grant admin consent for [Your Organization]. The Teamwork.Migrate.All permission is particularly important as it enables the Teams migration API.

Supported Features

Feature	Status
Channels (standard & private)	Coming soon
Messages	Coming soon
Replies & threads	Coming soon
Reactions	Coming soon
Member list	Coming soon
File attachments in messages	Coming soon

Note

Teams migration uses the Teams Import API, which creates messages with original timestamps and sender information. The destination team must be in "migration mode" during import.

Slack

Migrate Slack channels, messages, threads, reactions, and file attachments to Microsoft Teams.

Prerequisites

A Slack app with a bot token
Workspace Admin or Owner permissions (for installing the app)

Required Bot Token Scopes

channels:history channels:read groups:history groups:read users:read users:read.email files:read

Setup

Create a Slack App

Go to api.slack.com/apps → Create New App → From scratch. Name it "MigrationFox" and select your workspace.

Add Bot Token Scopes

Go to OAuth & Permissions → Scopes → Bot Token Scopes and add all the required scopes listed above.

channels:history + channels:read — Read public channels
groups:history + groups:read — Read private channels
users:read + users:read.email — Map Slack users to destination users
files:read — Download file attachments

Install to workspace

Click Install to Workspace and authorize the app. You'll be redirected back to Slack.

Copy the Bot User OAuth Token

After installation, go back to OAuth & Permissions. Copy the Bot User OAuth Token — it starts with xoxb-.

Add credentials in MigrationFox

In your project, select Slack as the source. Enter the Bot User OAuth Token.

Supported Features

Feature	Status
Public channels	Coming soon
Private channels	Coming soon
Messages	Coming soon
Threads	Coming soon
Reactions	Coming soon
File attachments	Coming soon
User list / mapping	Coming soon

Important

Slack's free plan only retains 90 days of message history. If you need to migrate older messages, you must be on a paid Slack plan or have exported your data before the retention window closed.

AWS S3

Migrate files to or from Amazon S3 buckets. Also works with S3-compatible storage providers like MinIO, Wasabi, and Backblaze B2.

Prerequisites

An AWS account with an IAM user or role that has S3 access
The bucket name and region

Required IAM Permissions

At minimum, your IAM user needs the following S3 permissions. You can use the managed AmazonS3FullAccess policy or create a custom policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Setup

Create an IAM user (or use existing)

In the AWS Console, go to IAM → Users → Create user. Attach the AmazonS3FullAccess policy (or a more restrictive custom policy like the one above).

Create an access key

Select the user → Security credentials → Create access key. Choose Third-party service as the use case. Download or note the Access Key ID and Secret Access Key.

Add credentials in MigrationFox

In your project, select AWS S3 and enter:

Access Key ID
Secret Access Key
Region (e.g., us-east-1)
Bucket Name

Supported Features

Feature	Supported
Files & folders (prefixes)	Yes
Buckets	Yes
Multipart upload (large files)	Yes
Delta sync (via ETag comparison)	Yes
S3-compatible providers	Yes

S3-Compatible Storage

MigrationFox works with any S3-compatible storage by specifying a custom endpoint:

Provider	Endpoint Example
MinIO	`https://minio.yourserver.com`
Wasabi	`https://s3.wasabisys.com`
Backblaze B2	`https://s3.us-west-004.backblazeb2.com`
DigitalOcean Spaces	`https://nyc3.digitaloceanspaces.com`

Tip

For S3-compatible providers, set the Custom Endpoint field and make sure Path Style Access is enabled if the provider requires it (most do, except AWS itself).

SFTP / FTP

Migrate files to or from remote servers using SFTP (SSH File Transfer Protocol) or FTP.

Prerequisites

SSH access to the server (for SFTP) or FTP credentials
The user account must have read access (source) or write access (destination) to the target directory

Setup

Gather connection details

You'll need:

Hostname or IP address of the server
Port (default: 22 for SFTP, 21 for FTP)
Username
Password or SSH private key (PEM format)

Verify access

Test that you can connect from the command line:

sftp username@your-server.com

Or for key-based authentication:

sftp -i /path/to/key.pem username@your-server.com

Add credentials in MigrationFox

In your project, select SFTP or FTP. Enter the hostname, port, username, and password or paste your SSH private key.

Supported Features

Feature	Supported
Files & folders	Yes
Recursive directory scan	Yes
Streaming transfers	Yes
Key-based authentication	Yes (PEM format)
Password authentication	Yes

Security Note

SFTP is strongly recommended over FTP. FTP transmits credentials and data in plain text. Only use FTP if your server does not support SFTP and the network is trusted.

Dropbox

Migrate files and folders to or from Dropbox, including personal and business accounts.

Prerequisites

A Dropbox developer app
For business accounts: Dropbox Business admin access

Required Scopes

files.content.read files.content.write files.metadata.read

Setup

Create a Dropbox App

Go to dropbox.com/developers → App Console → Create App.

Choose Scoped access
Choose Full Dropbox (access to all files and folders)
Name your app (e.g., "MigrationFox")

Configure scopes

In your app settings, go to the Permissions tab and enable:

files.content.read
files.content.write
files.metadata.read

Click Submit to save.

Generate an access token or use OAuth

Option A: In the Settings tab, under OAuth 2, click Generate to create a short-lived access token for testing.

Option B: Use the OAuth flow in MigrationFox for long-lived access with automatic token refresh.

Add credentials in MigrationFox

In your project, select Dropbox. Either paste the access token or click Connect with Dropbox to use OAuth.

Supported Features

Feature	Supported
Files & folders	Yes
Chunked uploads (large files)	Yes
Permissions / sharing	Yes
Dropbox Business (team folders)	Yes
Delta sync	Yes

Box

Migrate files, folders, and collaborations to or from Box.

Prerequisites

A Box developer app (Custom App)
For enterprise access: Box Admin authorization

Setup

Create a Custom App

Go to developer.box.com → My Apps → Create New App → Custom App.

Choose authentication method

Select OAuth 2.0 for interactive login, or Server Authentication (with JWT) for unattended access. OAuth 2.0 is simpler; JWT requires Box Admin authorization.

Enable scopes

In your app's Configuration, under Application Scopes, enable:

Read all files and folders stored in Box
Write all files and folders stored in Box

Authorize the app (JWT only)

If using JWT: In the Box Admin Console, go to Apps → Custom Apps → Authorize New App. Enter your app's Client ID.

Add credentials in MigrationFox

In your project, select Box. For OAuth, click Connect with Box. For JWT, upload the config JSON file from the Box developer console.

Supported Features

Feature	Supported
Files & folders	Yes
Chunked uploads (large files)	Yes
Collaborations / permissions	Yes
Box Enterprise (managed users)	Yes
Delta sync	Yes

SMB / Windows File Shares

Migrate files from on-premises Windows file servers and network shares (UNC paths) using the MigrationFox Windows Agent.

Agent troubleshooting

If the agent disconnects, stalls, or needs an in-place version upgrade, see Agent troubleshooting for the log file location, service-management commands, and the Azure Blob HEAD verification path.

Prerequisites

A Windows machine with network access to the file share
Administrator privileges on the machine (for running the agent)
An active MigrationFox project with an agent token

How It Works

Unlike cloud-to-cloud migrations, on-premises file shares are not accessible from the internet. The MigrationFox Windows Agent runs on a machine inside your network, connects outbound to MigrationFox, and handles local file access securely.

Agent Options

The MigrationFox Agent is available in two formats:

migrationfox-agent.exe — Standalone Windows executable, no dependencies required
migrationfox-agent.ps1 — PowerShell script, useful for environments where .exe files are restricted by policy

Setup

Register an agent token

In your MigrationFox project, go to Settings → Agents → Create Agent Token. Give it a name (e.g., "Office Server Agent"). Copy the token.

Download the Windows Agent

Download MigrationFox Agent (.exe or .ps1) from the Agents page. Place it on the Windows machine that has access to the file share.

Run the agent

Open Command Prompt as Administrator and run:

migrationfox-agent.exe --token YOUR_AGENT_TOKEN

Or using the PowerShell script:

.\migrationfox-agent.ps1 -Token YOUR_AGENT_TOKEN

The agent will register itself and appear as "Online" in your project.

Configure the source path

In your project, select SMB / File Share as the source. Enter the UNC path to the share:

\\fileserver\shared\documents

The agent will browse and migrate files from this path.

SMB to Cloud Direct Upload

The agent uploads files directly from the local file share to the cloud destination without routing data through the MigrationFox API server. This means:

Faster transfers — data goes directly from your network to the cloud provider
5 parallel uploads — the agent runs up to 5 concurrent file uploads for maximum throughput
No data stored — files are streamed directly, never written to intermediate storage

Supported Features

Feature	Supported
Files & folders	Yes
UNC paths	Yes
Recursive directory scan	Yes
Large file streaming	Yes
Concurrent uploads (5 parallel)	Yes
Direct cloud upload (no relay)	Yes
NTFS permissions	Mapped to destination equivalents

Important

The agent must remain running for the duration of the migration. If the agent disconnects, the migration will pause and resume automatically when the agent reconnects. Run the agent as a Windows Service for best reliability.

Azure Blob Storage

Migrate files to or from Azure Blob Storage containers. Supports any storage account with access key or SAS token authentication.

Full connector guide

Soft-delete interactions, custom endpoints (Azure Government / China / Private Endpoint), source-platform compatibility matrix, and portal-refresh troubleshooting live on the dedicated Azure Blob Storage connector page.

Prerequisites

An Azure Storage Account with at least one container
The account name and an access key (or a SAS token with read/write permissions)

Setup

Open your Storage Account

Go to portal.azure.com → Storage accounts → select your storage account.

Copy the access key

In the left menu, go to Security + networking → Access keys. Click Show next to key1 and copy both the Storage account name and the Key value.

Tip

You can also use a SAS token with more granular permissions. Generate one from Shared access signature in the left menu, ensuring Blob service, Container and Object resource types, and Read, Write, List permissions are selected.

Add credentials in MigrationFox

In your project, go to Connect → select Azure Blob Storage → choose Account Key authentication. Enter:

Account Name — the storage account name
Access Key — key1 (or key2) from the Azure portal
Container Name — the blob container to migrate from or to

Test the connection

Click Test Connection to verify MigrationFox can list blobs in the specified container. If the test fails, double-check the account name and key, and ensure the container exists.

Supported Features

Feature	Supported
Files & virtual folders (prefixes)	Yes
Containers	Yes
Block blob upload (large files)	Yes
Delta sync (via ETag / Last-Modified)	Yes
SAS token authentication	Yes

Limitations

Page blobs and Append blobs are not supported. Only Block blobs (the default and most common type) are migrated. Azure Data Lake Storage Gen2 (hierarchical namespace) containers are supported for read but require the standard blob endpoint.

InfoPath PDF Archive

New First-to-market — no other migration tool offers this.

What It Does

InfoPath PDF Archive converts InfoPath XML form submissions into formatted, searchable PDF documents and uploads them to a SharePoint Online document library. This preserves your form data in a universally readable format before InfoPath is retired.

Deadline: July 14, 2026

Microsoft is retiring InfoPath Forms Services from SharePoint Online on July 14, 2026. After this date, InfoPath forms will no longer render in SharePoint Online. Archive your form data now to avoid data loss.

How It Works

The MigrationFox Agent connects to your on-premises SharePoint server via NTLM authentication
Downloads the XSN template (form definition) and all XML submissions from the InfoPath form library
Extracts field definitions and labels from the XSN template manifest
Generates a formatted PDF document for each XML submission, with field names and values laid out in a readable table format
Uploads the generated PDFs to a SharePoint Online document library in your destination tenant

Prerequisites

The MigrationFox Windows Agent installed on a machine with network access to the on-premises SharePoint server
NTLM credentials (domain\username and password) with read access to the InfoPath form library
A SharePoint Online destination configured in your MigrationFox project (for uploading the generated PDFs)
The on-premises SharePoint server must be accessible from the machine running the agent (typically on the same network or via VPN)

Step-by-Step Setup

Install the MigrationFox Agent

Download the agent from your MigrationFox dashboard (Settings → Agents). You can use either the .exe standalone executable or the .ps1 PowerShell script. Place it on a Windows machine that has network access to your on-premises SharePoint server.

Create an agent token

In your MigrationFox project, go to Settings → Agents → Create Agent Token. Copy the token.

Run the agent

Open Command Prompt as Administrator and run:

migrationfox-agent.exe --token YOUR_AGENT_TOKEN

Or using PowerShell:

.\migrationfox-agent.ps1 -Token YOUR_AGENT_TOKEN

The agent will register and appear as "Online" in your project.

Configure the InfoPath source

In your project, create a new job and select InfoPath PDF Archive as the job type. Provide:

SharePoint On-Prem URL — The URL of the on-premises SharePoint site (e.g., http://sharepoint.contoso.com/sites/hr)
Form Library Name — The name of the InfoPath form library
NTLM Domain — Your Active Directory domain (e.g., CONTOSO)
Username and Password — Credentials with read access to the form library

Configure the destination

Select a SharePoint Online document library as the destination for the generated PDFs. You can provision a new library or use an existing one.

Start the archive job

Click Start. The agent will download templates and submissions, generate PDFs locally, and upload them to SharePoint Online. Progress is displayed in real time on the dashboard.

Output Format

Each InfoPath submission is converted to a PDF with:

Form title and submission date in the header
Field labels extracted from the XSN template
Field values from the XML submission
A clean, tabular layout suitable for printing and archiving
File naming convention: FormName_SubmissionDate_ID.pdf

Tip

Run a test with a single form library first to verify the PDF output looks correct before archiving all form libraries. You can preview the generated PDFs in the SharePoint Online library before proceeding with the full archive.

Mail Migration

New Migrate mailboxes between email platforms with folder filtering, date ranges, and bulk import.

Supported Platforms

Gmail — Google Workspace mailboxes via Gmail API
Office 365 — Exchange Online mailboxes via Microsoft Graph
Exchange EWS — on-premises Exchange via Exchange Web Services
IMAP — any IMAP-compatible mail server (Zimbra, Dovecot, etc.)

Features

Folder filtering — include or exclude specific folders (e.g. skip Junk, Drafts)
Date range — migrate only messages within a specific date window to reduce volume
Attachments — full attachment migration with size tracking
Bulk Import (CSV) — upload a CSV with source/destination mailbox mappings to queue migrations for an entire organization in one step. See Bulk mail migration with user mapping for the CSV format, Gmail service-account + domain-wide delegation setup, and the M365 Mail.ReadWrite application permission requirement.

M365 Assessment Suite

Add-on · New A separate product line. Read-only Microsoft Graph scans that score your tenant across security, governance, and Copilot readiness.

What It Does

The M365 Assessment Suite is a family of six 100% read-only Microsoft Graph scans. Each produces a 1.0–4.0 composite score, a prioritized list of findings with stable IDs, and actionable recommendations. The suite covers everything from Copilot oversharing risks to Power Platform sprawl. Most scans finish in three to five minutes per tenant.

6 Assessment Products

Copilot Readiness — the flagship assessment. Evaluates whether your tenant is safe to enable Microsoft 365 Copilot and identifies exactly what to fix first.
Microsoft 365 Complete — a cross-cutting report that spans all modules. Bundle-only, not sold standalone.
SharePoint & OneDrive — focused deep-dive into SharePoint permissions, oversharing, OneDrive adoption, and cleanup opportunities.
Teams — Teams lifecycle governance, external sharing, guest access, and collaboration hygiene.
M365 Security — Identity, Conditional Access, MFA coverage, dangerous OAuth grants, and Global Admin sprawl.
Power Platform — environment sprawl, DLP policy gaps, unmanaged flows and apps, maker concentration risk.

7 Assessment Modules & 74 Finding IDs

Across all six products, findings are drawn from seven modules with a total of 74 unique finding IDs. Each product activates the relevant subset of modules. The Copilot Readiness product, for example, runs all seven; the Teams product runs only the Teams & OneDrive Governance module plus Identity & Conditional Access.

Why this matters

Microsoft Copilot indexes everything its caller can see. Stale "Anyone with the link" sharing, missing DLP coverage, or weak Conditional Access can cause Copilot to surface sensitive content to the wrong user in chat responses. The assessment finds those gaps before Copilot does.

The 1.0–4.0 Score

The composite score is a weighted average across the active modules (SharePoint Permissions and Purview Current State are weighted 2× because they have the highest direct impact on Copilot oversharing). Every score lands in one of four bands:

1.0–1.9 — NOT_READY (red) — Critical gaps in DLP, oversharing, or identity will leak sensitive data through Copilot. Do not enable Copilot, even for a pilot, until the "Must Do Before Copilot" items are resolved.
2.0–2.9 — PARTIALLY_READY (orange) — Run a tightly scoped pilot with 5–10 hand-picked users on non-sensitive workloads only. Address all "Must Do Before Copilot" items before broadening.
3.0–3.4 — MOSTLY_READY (yellow) — Internal pilot approved for any team. Resolve the remaining "Must Do Before Full Rollout" items before expanding to your full user base.
3.5–4.0 — READY (green) — Full Copilot rollout approved. Maintain ongoing monitoring with quarterly reassessments to catch drift.

Setup & Required Scopes

All six M365 Assessment Suite products connect to your Microsoft 365 tenant via a service-account credential (Azure AD app registration with client_credentials flow). Setup is a one-time, ~5 minute task that covers every product.

The 14 Read-Only Graph Scopes

All scopes are application permissions requiring admin consent. None of them grant write access — the assessment is read-only by design.

Sites.Read.All — SharePoint sites and permission settings
Files.Read.All — OneDrive and SharePoint files (oversharing scan)
User.Read.All — user profiles, license assignments, Copilot eligibility
Group.Read.All — M365 groups and Teams membership
Directory.Read.All — tenant directory and roles
AuditLog.Read.All — audit log access verification
InformationProtectionPolicy.Read.All — sensitivity labels and IP policies (tenant-wide)
Policy.Read.All — Conditional Access and authentication policies
Reports.Read.All — M365 usage and adoption reports
SecurityEvents.Read.All — identity protection events
TeamSettings.Read.All — Teams configuration and policies
DelegatedPermissionGrant.Read.All — OAuth grants for risky-app detection
Application.Read.All — app registrations for overprivileged-client detection
SharePointTenantSettings.Read.All — tenant-wide SharePoint sharing settings

Read-only by design

A write guard at the Graph API client level throws on any PATCH/POST/PUT/DELETE attempt. There is no code path by which the product can modify your tenant. Combined with AES-256-GCM encryption of findings at rest, the security story is "we look, we never touch".

Step-by-Step Setup

Open the Governance tab in MigrationFox

Create an Azure AD app registration

In your M365 tenant's Azure portal, go to Microsoft Entra ID → App registrations → New registration. Name it something like MigrationFox M365 Assessment. Single tenant. No redirect URI needed.

Add the 14 Graph application permissions

In the new app registration, go to API permissions → Add a permission → Microsoft Graph → Application permissions. Add each of the 14 scopes listed above. Then click Grant admin consent for <tenant>.

Create a client secret

Go to Certificates & secrets → New client secret. Set an expiry (12 or 24 months). Copy the secret value immediately — you won't be able to see it again after you leave the page.

Paste credentials into MigrationFox

Back in the MigrationFox setup wizard, paste your tenant ID, client ID, and client secret. The wizard validates the credential against Graph and shows you exactly which scopes are missing if any are not consented. Click Save.

Run the assessment

Click Run Assessment. You'll see live progress per module — Licensing, Purview, Identity, Apps, Teams/OneDrive, SharePoint Permissions, Power Platform. Most tenants finish in three to five minutes. You can safely close the wizard and come back later from the Governance landing page.

Running an Assessment

From the Governance tab, click + Run New Assessment. Select the product type (Copilot Readiness, SharePoint & OneDrive, Teams, M365 Security, Power Platform, or Microsoft 365 Complete if you have the bundle). Choose the saved credential for the target tenant and click Run Assessment.

Live Progress

The wizard shows real-time progress for each module as it scans. Modules execute in parallel where possible. If a module encounters an unverified check (missing scope, beta endpoint 404), it marks those checks as unverified and continues — no module failure blocks the overall scan.

Re-runs

Paid tiers get unlimited re-runs within the 90-day access window. Free tier is limited to one assessment per tenant per month. Each re-run produces a fresh score and findings set, so you can track improvement over time from the score trend chart on the Governance landing page.

Reading the Report

Once the assessment completes, the wizard shows three things in order: the hero score banner, the module scorecard, and either the priority action cards (paid tiers) or the sneak-peek upgrade card (free tier).

Hero Score Banner

A large composite score (1.0–4.0) with the four-state pilot verdict colour-coded, the guidance paragraph for that verdict, the target tenant name, the assessment date, and the duration. Below the banner are the export buttons (paid tiers only) and a "Run Again" CTA.

Module Scorecard

One row per module with the per-module score (1–4), score label, finding count, and Graph call count. Modules with unverified checks (e.g. a missing scope or a 404 from a beta endpoint) show an "· some checks unverified" amber note. The scorecard is visible to all tiers including Free.

Finding Priorities

Each finding is tagged with one of three exact priority labels:

Must Do Before Copilot — blockers. Do not enable Copilot until these are resolved. Most likely to surface in the Purview, Identity, and SharePoint Permissions modules.
Must Do Before Full Rollout — pilot is safe but a wider rollout needs these closed first.
Nice to Have — quality of life improvements that don't block Copilot but improve the long-term posture.

Each finding has a stable ID (e.g. PUR-001, SPO-004), a one-line observation, a business impact paragraph, an action-verb-first recommendation, the responsible role, an effort estimate, the exact Graph endpoint that produced the finding, and a Microsoft Docs link.

The Critical PUR-001 Check

The single most important check in the entire assessment is PUR-001 — DLP × Copilot workload coverage. It checks whether Microsoft365Copilot appears as a protected workload in any active Data Loss Prevention policy. Most tenants we see fail this check — their DLP rules block sensitive content in SharePoint, OneDrive, Teams, and Exchange but Copilot is not in the workload list, so Copilot can still surface that same content in chat responses, bypassing the entire DLP layer. PUR-001 is the killer finding before any Copilot rollout.

Privacy Mode

When you create an assessment you can toggle Privacy Mode on. In privacy mode the assessment runs normally and you see the score and module scorecard in the wizard, but the encrypted findings blob is not persisted to the database after the run completes. You'll see the report once and then it's gone. Useful for one-shot consulting engagements where the customer doesn't want their findings stored.

7 Assessment Modules

Every finding in the M365 Assessment Suite belongs to one of seven modules. Each module has a stable ID prefix and a defined scope of Graph API calls.

1. Licensing & Infrastructure (LIC-000 to LIC-010)

Checks subscribed SKUs, base tier detection (E3/E5/Business Premium), add-on presence (Copilot, Purview, Entra P1/P2, Audit Premium), M365 service health, and OneDrive adoption across the tenant. This module answers: do you have the licenses required for the features you want to use?

2. Purview State (PUR-000 to PUR-008)

Evaluates retention labels, Data Loss Prevention policies, sensitivity labels, and Sensitive Information Types. Includes the critical PUR-001 check that detects whether Microsoft365Copilot is a protected workload in any active DLP policy — the single most important check before any Copilot rollout. Also checks retention policy coverage and auto-labeling configuration.

3. Identity & Conditional Access (IDN-000 to IDN-013)

Inventories Conditional Access policies, MFA baseline coverage, guest user ratio, Global Admin count, PIM presence, OAuth grant sprawl, and dangerous application permissions. Flags overprivileged apps with Mail.ReadWrite or Files.ReadWrite.All that could leak data through Copilot responses.

4. M365 Apps Readiness (APP-000 to APP-006)

Analyzes Office update channel distribution across the tenant. Copilot requires Current Channel or Monthly Enterprise Channel — users stuck on Semi-Annual Channel cannot run Copilot. This module quantifies the upgrade effort.

5. Teams & OneDrive Governance (TMS-000 to TMS-006)

Evaluates Teams lifecycle hygiene (stale teams, orphaned teams, naming policies), tenant-wide external sharing capability, OneDrive adoption rates, and Known Folder Move (KFM) deployment status. KFM ensures desktop/documents/pictures are backed up to OneDrive, which Copilot indexes.

6. SharePoint Permissions (SPO-000 to SPO-013)

Performs a per-site permission audit across all SharePoint sites in the tenant (paid tiers scan all sites, free tier samples up to 30). Detects "Anyone with the link" oversharing, broken inheritance, mega-sites with 100k+ items, external sharing at the site level, and sites with no active owner. Each site gets a risk profile: Low / Medium / High / Critical.

7. Power Platform (PP-001 to PP-012)

Scans Power Platform environments, DLP policy coverage, unmanaged flows and canvas apps, maker concentration risk (single-person dependencies), and environment sprawl. Uses the BAP (Business Application Platform) API to enumerate environments and their policies.

SharePoint Restructuring Wizard

Paid tier

The Restructuring Wizard analyzes SharePoint site health and proposes a restructuring plan to break mega-sites into properly scoped site collections. It is available to tenants with a paid assessment purchase.

What It Analyzes

Permissions complexity — broken inheritance depth, unique permission count at the library level (not file level)
Storage distribution — storage consumed per library, identifying hot spots
Stale content — libraries and folders with no modifications in 12+ months
Large lists — lists exceeding the 5,000 item view threshold
Folder depth — deeply nested folder hierarchies that cause sync and URL-length issues
Item limits — sites approaching the 30 million item limit

Health Score

Each site receives a health score from 1 to 10. Sites scoring below 5 are flagged for restructuring with specific recommendations.

Execution

When you approve a restructuring plan, the wizard auto-provisions new site collections with the recommended structure and queues MigrationFox migration jobs to move content from the old mega-site into the new sites. Permissions are re-applied at the site collection level for clean inheritance.

OneDrive Cleanup Wizard

Paid tier

The OneDrive Cleanup Wizard scans up to 100 licensed users and identifies cleanup opportunities across five issue categories. It is available to tenants with a paid assessment purchase.

5 Issue Categories

Oversized — users consuming more than 80% of their OneDrive quota
Stale — OneDrives with no file modifications in 12+ months
External sharing — OneDrives with active external sharing links
Departed users — OneDrives belonging to disabled or deleted accounts
Orphan content — content in OneDrives with no active owner or manager

Export

Results can be exported as CSV for bulk remediation planning or integration with IT service management tools.

Continuous Monitoring

Tenants with monitoringEnabled turned on receive an automatic monthly re-scan. The system runs the same assessment that was last executed, compares the results to the previous scan, and sends an email comparison report.

Comparison Report

The monthly email includes:

New findings — issues that appeared since the last scan (regressions)
Resolved findings — issues that are no longer detected (improvements)
Score delta — the change in composite score with a trend indicator

Enable monitoring

Toggle continuous monitoring from the Governance landing page or from the Billing → Purchase History section. Monitoring is available on paid tiers only and uses the same credential saved during initial setup.

Exports (PDF / CSV / JSON)

Paid tiers can export assessment results in multiple formats. The available formats depend on the tier:

Export Formats

PDF — full assessment report. Single assessment purchases include MigrationFox-branded PDF. Bundle purchases include white-label PDF with the buyer's logo (no MigrationFox branding) for client delivery.
Word (.docx) — editable report for anyone who needs to add commentary or customize sections before delivering to a client or stakeholder.
Excel (.xlsx) — findings in a structured spreadsheet with columns for ID, module, priority, observation, recommendation, effort, and responsible role.
HTML — self-contained HTML report with inline CSS and no external resources. Can be hosted on an intranet or attached to an email.
CSV (Planner format) — Microsoft Planner import format with Task / Bucket / Priority / Due / Assigned / Description / Labels columns. Import directly into Planner to create a remediation project.
JSON — structured JSON export with all findings, action plan, module results, and metadata. Suitable for programmatic consumption or integration with SIEM/ITSM tools.

Pricing & Tiers

The M365 Assessment Suite is a separate product line from MigrationFox migration. It is six standalone read-only Graph audits sold under a single pricing model: one-time payment, 90-day access window, locked to one Microsoft 365 tenant at first scan. There is no subscription, no auto-renew, and no per-user fee. Two product shapes: a single assessment at CA$399, or the Microsoft 365 Complete Assessment Bundle at CA$1,599 which unlocks all six. Paid tiers also unlock the Restructuring Wizard, OneDrive Cleanup Wizard, and Continuous Monitoring.

Free Snapshot — CA$0

One assessment per tenant per month for any one of the six product lines. View-only — the composite score, the four-state verdict, the module scorecard with finding counts, and one sample finding rendered in the same format as the paid tiers. There are no exports of any kind and no email or webhook delivery on completion. The free tier exists to answer one question honestly: does your tenant have a problem in this area?

Single Assessment — CA$399 one-time

One-time payment, 90 days of unlimited re-runs, locked to one Microsoft 365 tenant at first scan. Choose one of: Copilot Readiness, Power Platform, SharePoint and OneDrive, Teams, or M365 Security. Full findings list across the relevant modules. JSON, HTML, and CSV exports. MigrationFox-branded PDF. Internal use license — the report cannot be re-delivered to a third party as a paid work product.

This is the right tier for an in-house IT or security team that owns one tenant, wants to drive a specific area to green, and needs to track score improvement over time. Re-runs are unlimited within the 90-day window.

Microsoft 365 Complete Assessment Bundle — CA$1,599 one-time

All six assessments in one purchase — Copilot Readiness, Power Platform, SharePoint and OneDrive, Teams, M365 Security, plus the cross-cutting Microsoft 365 Complete report (which is bundle-only and not sold standalone). 90 days of unlimited re-runs. Locked to one Microsoft 365 tenant at first scan. Includes white-label PDF with the buyer's logo (no MigrationFox branding) and a commercial redistribution license — the buyer may deliver the report to a paying client as their own engagement work product.

This is the right tier for MSPs and consultancies running readiness engagements across client tenants. One bundle = one client. The bundle saves CA$396 vs buying five singles, and the white-label rights make it the only legal way to resell the report to a client.

Per-tenant lock

Each purchase has a targetTenantId field that is null until the first scan, then immutably stamped with the Microsoft 365 tenant ID. Subsequent scans against a different tenant are blocked. This is the technical enforcement of the per-engagement pricing model. An MSP scanning ten client tenants needs ten purchases.

Full pricing comparison and FAQ on the dedicated Microsoft 365 Assessment Suite landing page.

API & Webhooks

The same authenticated REST endpoints used by the in-app wizard are available for programmatic access. All endpoints use the standard MigrationFox JWT auth header. Tier gates are enforced server-side — calling /export.json on a Free tier returns 402 with a copilot_insight_required body.

Endpoints

Method	Endpoint	Tier	Description
`POST`	`/governance`	Free+	Start a new assessment. Body: `{ label, credentialId, projectId?, privacyMode? }`
`GET`	`/governance`	Free+	List the tenant's assessments (50 most recent)
`GET`	`/governance/:id`	Free+	Get a single assessment row including status, score, pilotState, moduleScores
`GET`	`/governance/:id/findings`	Free+	Decrypted findings. Free tier returns a single sampleFinding teaser; paid tiers return the full sorted list
`GET`	`/governance/:id/export.json`	Insight+	Structured JSON export with all findings, action plan, module results
`GET`	`/governance/:id/export.html`	Insight+	Self-contained HTML report (inline CSS, no external resources)
`GET`	`/governance/:id/export.csv`	Partner+	Microsoft Planner import format (Task / Bucket / Priority / Due / Assigned / Description / Labels)
`GET`	`/governance/history`	Free+	30 most recent completed assessments for the score trend chart
`POST`	`/governance/:id/delete`	Free+	Delete an assessment row (Railway POST workaround for browsers that block DELETE)

Webhook Event: governance.assessment.completed

If your tenant has a webhook URL configured (Billing → Webhook Notifications), MigrationFox fires a webhook event when each assessment finishes. The webhook is gated to Insight+ tiers — Free assessments do not fire webhooks. The same delivery mechanism handles both migration and governance events; consumers should switch on the X-MigrationFox-Event header.

Webhook Payload Example

{
  "event": "governance.assessment.completed",
  "assessmentId": "cmnxxx...",
  "tenantId": "ten_xxx...",
  "label": "Q1 Readiness Scan",
  "targetTenantId": "<M365 tenant GUID>",
  "targetTenantName": "Contoso Ltd.",
  "status": "COMPLETED",
  "overallScore": 2.8,
  "pilotState": "PARTIALLY_READY",
  "totalFindings": 14,
  "mustDoBeforeCopilot": 5,
  "durationMs": 198432,
  "timestamp": "2026-04-11T15:30:42.123Z"
}

HMAC-SHA256 signature is delivered in X-MigrationFox-Signature when a webhook secret is configured. The same headers are used as for migration job webhooks — X-MigrationFox-Event, X-MigrationFox-Delivery, and X-MigrationFox-Signature — so existing webhook handlers can simply add a switch on the event name.

Email Delivery

Insight+ subscribers also receive an email on each completed assessment with the score, the four-state verdict, the top 3 must-do actions, and a deep link back to the wizard. Email delivery uses Resend; if no RESEND_API_KEY is configured the email is silently skipped (best-effort delivery). Free tier assessments do not trigger emails.

Discovery / Scanning

Before migrating any data, MigrationFox scans your source environment to build a complete inventory. This process is called discovery.

Running a Discovery Scan

In your project, ensure the source connection is configured and authenticated
Click Start Discovery (or create a discovery job via the API)
MigrationFox will recursively scan all files, folders, and metadata
The scan typically takes a few minutes for small sources, up to several hours for millions of files

Discovery Report

After scanning completes, the discovery report shows:

Total file count and total size
Folder tree with nested file counts and sizes
File type breakdown — e.g., 40% Documents, 30% Images, 20% Videos
Large files over 100 MB (flagged for monitoring)
Permission summary — who has access to what
Duplicate detection — files with identical content hashes

Selective Migration

After discovery, you can choose to migrate everything or select specific folders. This is useful for phased migrations or excluding irrelevant content.

Tip

Discovery does not copy or modify any data. It only reads metadata (file names, sizes, dates, permissions). You can run discovery scans as many times as needed.

Provisioning

Provisioning creates the destination structure before migrating data. This ensures all target containers (sites, libraries, drives, folders) exist before files are transferred.

What Gets Provisioned

Destination	Provisioned Resources
SharePoint	Site collections, document libraries, folders
OneDrive	Folders
Google Drive	Shared Drives, folders
Dropbox	Folders
Box	Folders
S3	Buckets (if not existing), prefixes/folders
Azure Blob Storage	Containers (if not existing), virtual folders

How to Use

Run Discovery on the source first
Review the folder structure in the discovery report
Configure any folder mappings if you want to remap paths
Click Provision Destination to create the structure
Once provisioning completes, start the migration

Note

Provisioning is idempotent. Running it multiple times will not create duplicate structures. Existing folders and sites are skipped.

Migration Modes

MigrationFox supports three migration modes that determine how files are handled during transfer.

COPY Default

Copies files from source to destination. The source files remain untouched. This is the safest mode and is recommended for most migrations.

Source files are not modified or deleted
Ideal for initial migration or when you want to keep the source as a backup

MOVE

Copies files to the destination, then deletes them from the source after successful transfer. Use with caution.

Files are deleted from the source only after verified successful transfer
Useful for decommissioning the source storage
Not all platforms support source deletion

Warning

MOVE mode permanently deletes files from the source. Ensure you have verified a test migration before using this mode on production data.

DELTA

Only transfers files that are new or changed since the last migration run. Uses file size, modification date, and content hashes (where available) to determine changes.

Much faster for subsequent runs after an initial COPY
Perfect for keeping source and destination in sync during a transition period
On S3, uses ETag comparison for efficient change detection

Folder Mapping

Folder mapping lets you remap source paths to different destination paths during migration. This is useful when the destination has a different organizational structure.

How It Works

You define mapping rules that transform source paths into destination paths:

Source Path                    →  Destination Path
/Marketing/2024/Campaigns     →  /Departments/Marketing/Campaigns-2024
/Engineering/Docs             →  /Technical/Documentation
/Shared/Photos                →  /Media Library/Photos

Mapping Rules

Exact match — Map a specific folder to a specific destination
Prefix match — Map all content under a source prefix to a destination prefix
Flatten — Move all files from nested subfolders into a single destination folder
Skip — Exclude specific folders from migration entirely

Tip

Use the discovery report to review the source folder structure before setting up mappings. This helps you plan the destination structure accurately.

Conflict Resolution

When a file already exists at the destination with the same name, MigrationFox uses the conflict resolution strategy you've configured.

SKIP

If a file with the same name exists at the destination, skip it. The source file is not transferred. Best for re-running migrations where most files are already transferred.

OVERWRITE

Replace the existing destination file with the source file. Use when the source is authoritative and you want the latest version.

RENAME

Keep both files. The new file is renamed with a suffix (e.g., report.pdf becomes report (1).pdf). Safest option when you are unsure.

Permission Migration

MigrationFox can migrate file and folder permissions (sharing settings) from the source platform to the destination platform.

How Permissions Are Mapped

Permissions are mapped by email address. If a user has access to a file on the source (e.g., Google Drive sharing), MigrationFox will grant the same user access at the destination (e.g., SharePoint permissions), provided the user exists in the destination directory.

Permission Mapping Matrix

Source Permission	SharePoint Equivalent	Google Drive Equivalent
Viewer / Read	Read	Viewer
Editor / Write	Contribute	Editor
Owner	Full Control	Organizer
Commenter	Read (no equivalent)	Commenter

Important

Permission migration requires that the user email addresses exist in both the source and destination directories. Users who exist only on the source will be logged but their permissions will not be created at the destination.

Bandwidth Throttling

Control the transfer speed to avoid saturating your network or hitting API rate limits.

Configuration

In your project settings, you can configure:

Maximum bandwidth (MB/s) — Limits the total transfer speed
Concurrency — Number of files transferred in parallel (default: 4)
Schedule windows — Run migrations only during specific hours (e.g., nights/weekends)

Recommendations

Scenario	Bandwidth	Concurrency
Small migration (< 10 GB)	Unlimited	4-8
Medium migration (10-500 GB)	50-100 MB/s	4-8
Large migration (> 500 GB)	100-200 MB/s	8-16
During business hours	10-25 MB/s	2-4

Tip

If you're hitting API rate limits (429 errors), reduce concurrency rather than bandwidth. Most cloud APIs rate-limit by request count, not data volume.

Scheduling

Schedule migration jobs to run at specific times. This is useful for running migrations during off-peak hours or for recurring delta syncs.

How to Schedule

When creating or editing a migration job, set the Scheduled Start time. The job will be queued and will start automatically at the specified time.

Scheduling Options

One-time schedule — Run once at a specific date and time
Recurring schedule — Run on a schedule (e.g., daily at 2 AM for delta syncs)
Immediate — Start the job right away (default)

{
  "jobType": "MIGRATION",
  "mode": "DELTA",
  "scheduledAt": "2026-03-25T02:00:00Z"
}

Tip

Schedule delta syncs to run nightly during your migration window. This ensures the destination stays up-to-date while users continue working on the source.

API Reference

MigrationFox provides a REST API for programmatic access to all migration features. Full API documentation is coming soon.

Authentication

All API requests require a Bearer token. Generate an API key from Settings → API Keys in the MigrationFox dashboard.

curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://api.migrationfox.com/v1/projects

Base URL

https://api.migrationfox.com/v1

Endpoints (Preview)

Method	Endpoint	Description
`GET`	`/projects`	List all projects
`POST`	`/projects`	Create a new project
`POST`	`/projects/:id/jobs`	Create a migration job
`GET`	`/projects/:id/jobs`	List jobs for a project
`GET`	`/jobs/:id`	Get job status and progress
`POST`	`/jobs/:id/cancel`	Cancel a running job

Coming Soon

Full OpenAPI/Swagger documentation with request/response examples, error codes, and interactive testing will be available at api.migrationfox.com/docs.

Webhooks

Configure webhooks to receive real-time notifications about migration events.

Supported Events

Event	Description
`job.started`	A migration job has started
`job.completed`	A migration job completed successfully
`job.failed`	A migration job failed
`job.progress`	Periodic progress updates (configurable interval)
`discovery.completed`	A discovery scan has completed

Configuration

In your project settings, go to Webhooks → Add Webhook. Provide:

URL — Your endpoint that will receive POST requests
Events — Which events to subscribe to
Secret (optional) — Used to sign payloads for verification

Payload Example

{
  "event": "job.completed",
  "timestamp": "2026-03-24T15:30:00Z",
  "data": {
    "jobId": "job_abc123",
    "projectId": "proj_xyz789",
    "status": "COMPLETED",
    "filesTransferred": 15420,
    "bytesTransferred": 52428800000,
    "duration": 3600,
    "errors": 3
  }
}

Tip

Use webhooks to integrate with Slack, Microsoft Teams, or your monitoring tools to get notified when migrations complete or encounter errors.

Troubleshooting

Common errors and their solutions.

"Authentication expired"

Cause: The OAuth access token has expired and the refresh token is no longer valid.

Solution: Re-authenticate the connection in your project settings. Click Reconnect on the affected source or destination. For service accounts, re-upload the credentials.

Prevention: Use service accounts (Google) or app-only auth (Azure) for long-running migrations. These don't expire like user OAuth tokens.

"File not found"

Cause: The file was deleted or moved on the source between the discovery scan and the migration.

Solution: Re-run discovery to get an updated file inventory, then restart the migration. These errors are non-fatal and won't stop the overall migration.

Prevention: Minimize the time between discovery and migration. Communicate with your team that the source should not be modified during migration.

"Request Timeout (408)"

Cause: A large file transfer or API call exceeded the timeout limit.

Solution: MigrationFox automatically retries timed-out requests. If the error persists, try reducing concurrency in your project settings. For very large files (> 5 GB), ensure chunked upload is enabled.

Prevention: Increase the timeout threshold in advanced settings, or reduce concurrency during large file transfers to allocate more bandwidth per file.

"Permission denied (403)"

Cause: The connected account does not have sufficient permissions to access the requested resource.

Solution:

Google: Verify domain-wide delegation is configured and the correct scopes are authorized in the Google Workspace admin console
Azure/SharePoint: Verify API permissions are granted with admin consent in Azure AD. Check that each permission shows a green checkmark
S3: Verify the IAM policy includes the correct bucket ARN and actions

Prevention: Follow the platform setup guides carefully and test with a single file before running a full migration.

"Rate limited (429)"

Cause: Too many API requests in a short time. Cloud providers enforce rate limits to prevent abuse.

Solution: MigrationFox automatically handles 429 responses with exponential backoff. If you see persistent rate limiting, reduce concurrency in your project settings (e.g., from 8 to 4 or 2).

Prevention: Start with lower concurrency and increase gradually. Microsoft Graph API allows ~2,000 requests per second; Google Drive allows ~12,000 requests per 100 seconds.

"Insufficient storage quota"

Cause: The destination doesn't have enough storage to receive the migrated files.

Solution: Check the discovery report for total source size and compare with available space at the destination. Increase the destination storage quota, or migrate in smaller batches.

Prevention: Always check destination storage capacity before starting a migration. The discovery report includes total source size for planning.

Still Need Help?

If your issue isn't listed above:

Check the job details page for per-file error messages
Review the audit log for detailed operation history
Contact support at support@migrationfox.com

Security

MigrationFox is designed with security at every layer. Here's how your data and credentials are protected.

AES-256 Credential Encryption

All stored credentials (OAuth tokens, API keys, service account keys, passwords) are encrypted at rest using AES-256-GCM. Encryption keys are managed separately from the database and rotated regularly.

Argon2id Password Hashing

User passwords are hashed using Argon2id, the winner of the Password Hashing Competition. This algorithm is resistant to GPU and ASIC attacks, ensuring passwords remain secure even in the event of a database breach.

TOTP Multi-Factor Authentication

Protect your account with time-based one-time passwords (TOTP). MigrationFox supports standard authenticator apps like Google Authenticator, Authy, and 1Password. MFA can be enforced at the organization level.

Stream-Through Architecture (Zero Storage)

MigrationFox does not store your files. Data is streamed directly from source to destination in real time. Files are never written to MigrationFox's servers, eliminating data-at-rest risk. Only metadata (file names, sizes, paths) is stored for job tracking.

Audit Trail

Every operation is logged with timestamps, user identity, and action details. The audit trail covers authentication events, project changes, job executions, and administrative actions. Logs are retained for compliance and can be exported.

Data Handling Summary

Data Type	Stored?	Protection
User files	Never stored (stream-through)	TLS in transit
Credentials (tokens, keys)	Encrypted at rest	AES-256-GCM
Passwords	Hashed	Argon2id
File metadata	Stored for job tracking	Database encryption
Audit logs	Stored for compliance	Append-only, tamper-resistant