Dr. Migrate Documentation
Dr Migrate
Deployment Guide
Prerequisites

Prerequisites

Before Dr Migrate is deployed certain prerequisite tasks need to be completed. Pick your context for steps.

Before Dr Migrate is deployed verify the below prerequisites to ensure a smooth deployment.

Pre-deployment Checklist for Dr Migrate

Use the checklist below a reference point to ensure that the environment is ready for a Dr Migrate deployment.

Requirement Learn More
A user with the required Entra/Azure permissions. Learn More
Create a Service Principal with a client secret. Learn More
Assign necessary roles to the Service Principal. Learn More
Create an Entra ID Security Group to house the SPN. Learn More
Configure Power BI tenant settings and enable required features. Learn More
Manage and configure On-Premises data gateways. Learn More

Permissions Required

Ideally the user performing the following steps should have the Global Administrator role.

If this is not possible, the least privileged approach to deployment requires the following permissions:

  • Application Admin
  • Groups Admin
  • Subscription Owner
  • Fabric Admin
  • Marketplace Admin
  • User Access Administrator

For more information about least privileged role assignment in Azure please see the Microsoft Learn Portal

Azure Migrate Configuration

Azure Migrate is a mandatory prerequisite for Dr Migrate. Successful assessments have Azure Migrate installed, configured and collecting data prior to Dr Migrate deployment.

The type of infrastructure you are collecting data from will require a specific Azure Migrate install and configuration path. Follow the button below for a specific Azure Migrate deployment guide to suite your context.

Azure Migrate Deployment Guides according to target infrastructure:

VMware Guide Hyper-V Guide Physical Guide

Deploy and Configure Azure Migrate

Dr Migrate leverages the data collection capability of Azure Migrate. Ensure that you have:

  1. Deployed an Azure Migrate Project.
  2. Deployed an Azure Migrate Appliance.
  3. Connected the Azure Migrate Project and Appliance.
  4. Provided all necessary permissions to collect data.

Microsoft has robust and detailed guides on how to deploy and configure Azure Migrate here, or refer to the deployment checklists above.

Review Azure Migrate Project Connectivity Method

ℹ️
Setting the Connectivity Method to Public Endpoint is recommended for the smoothest experience.

If Private Endpoint must be used then additional configuration steps are required, see here for more information.

Microsoft also has documentation for those seeking further information, see here.

Create Service Principal

Dr Migrate requires a Service Principal be created to allow the Dr Migrate server to communicate with Azure Migrate and Power BI.

When creating the SPN please observe the following:

  • SPN Name - It is recommended to name the App Registration “drmigrate-spn”. All other settings can be left as default
  • Client Secret Creation - Dr Migrate requires a client secret to be created, it is recommended to set the expiry to 12 months.
ℹ️
Securely store the Client Secret value, as it is only viewable on creation and will be needed during the install from Marketplace.

For Microsoft documentation on creating a Service Principal in Entra ID, see here

Configure SPN Access

Best practice is to set up the Azure Migrate and the Dr Migrate in a dedicated Resource Group and/or Subscription. This is not a requirement but provides a clear RBAC boundary and reduces Azure Policy conflicts.
ℹ️
Dr Migrate will ingest all Azure Migrate Projects located within the resource group the SPN has permissions to. If you do not wish to have a project ingested, ensure that the Azure Migrate project has been created in a dedicated resource group.

Assign your Service Principal, the following permissions

Role Scope Reason Required Requirement
Contributor Subscription or Resource Group where Dr Migrate and Azure Migrate will be located Used to collect Azure Migrate data Mandatory
Cost Management Reader Subscription where Azure Migrate is deployed. Used to customer specific price sheet Optional
ℹ️
If you have an Enterprise Agreement with Microsoft, and would like Dr Migrate to apply your agreed discount when providing TCO costings, the Cost Management Reader role is required

Learn More about how to assign RBAC roles here

Create a Security Group for the Service Principal

ℹ️
Access to Power BI tenant settings are regulated by security groups. A security group is required to manage the Dr Migrate SPN Power BI access.

Create a security group to house the Service Principal and Assign the Power BI permissions.

  • Group Name - It is recommended to name the Security Group “drmigrate-powerbi”. All other settings can be left as default

Group Name

  • Group Membership - The Service Principal should be added as a member of the security group.

Group Membership

To learn more about how to assign access to Entra ID Security Groups, see here.

Audit Azure Policy

When Dr Migrate installs, it deploys Azure resources to a managed Resource Group, these resources may be subject to Azure policy. Dr Migrate allows certain policy enforcement during its installation, such as the inheritance of tags. However, it is possible Azure Policy may attempt to enforce an action on Dr Migrate resources during deployment that may be blocked. When this scenario occurs the application deployment will fail.

To mitigate this risk it’s recommended that some policies be temporarily exempted at the Subscription level, prior to and for the duration of the Dr Migrate installation.

Different Azure policies have different effects:

Azure Policy Effects

Temporarily exempt policies that are applied to the subscription that have the following effects.

  • Append
  • DeployIfNotExists
  • Deny
  • Modify

To learn how to exempt Azure Policy from resources, please see here

Fabric (Power BI) Configuration

Configure settings in the Power BI tenant

Head to Power BI Admin Portal to configure access to the Power BI settings for the Security Group containing the Service Principal.

Configure the following settings:

Workspace settings -> Create workspaces (new workspace experience)

alt text <

  • Developer settings -> Embed content in apps alt text

  • Developer settings -> Service principals to use Fabric APIs alt text

  • Developer settings -> Allow service principals to create and use profiles alt text

  • Export and sharing settings -> Export to Excel alt text

  • Export and sharing settings -> Export to .csv alt text

  • Export and sharing settings -> Export reports as PowerPoint presentations or PDF documents alt text

All these settings need to be enabled. You can either have this at the organizational level alt text

or specify the Dr M Security Group.

alt text

Finally, check, Power BI visuals -> Add and use certified visuals only

alt text

This setting governs if certain required visuals are allowed to run within your Fabric Environment.

This setting should be Disabled, this ensures that all required visuals can be used.

If this setting is Enabled in your environment please see enabling Power BI visuals.

Gateway Administration

Dr Migrate uses an On-Premises data gateway as part of the solution.

Within the Power BI Admin Center, navigate to “On-Premises data gateways” in the central panel

Enable the Tenant Administration Settings, using the switch on the right hand side.

Data Gateway Installers

Enabling this, will show the “Manage Gateway Installers” option.

Data Gateway Installers

Ensure that the “Restrict users in your organization from installing gateways” setting is set to Off.

Gateway Installers

⚠️
This setting needs to be turned off for Dr Migrate to install.

If the restriction is set to “On” it is recommended:

  • Turn this setting to “Off” while the Dr. Migrate product is installing
  • Turn the setting back “On” 60 minutes post installation.

Overview

Requirement Learn More
A user with needed Entra & Azure permissions. Learn More
Deploy and configure Azure Migrate Project and Appliance. Learn More
Create a Service Principal with a client secret. Learn More
Assign necessary roles to the Service Principal. Learn More

Before a Dr Migrate SaaS instance is synced with Azure Migrate, verify the below prerequisites to ensure a smooth deployment.

Permissions Required

Ideally the user performing the following steps should have the Global Administrator role.

If this is not possible, the least privileged approach to deployment requires the following permissions:

  • Application Admin
  • Subscription Owner

More information about least privileged role assignment please see the Microsoft Learn Portal

Azure Configuration

Deploy Azure Migrate

Dr Migrate leverages the data collection capability of Azure Migrate. Ensure that you have:

  1. Deployed an Azure Migrate Project.
  2. Deployed an Azure Migrate Appliance.
  3. Connected the Azure Migrate Project and Appliance.
  4. Provided all necessary permissions to collect data.

Microsoft has robust and detailed guides on how to deploy and configure Azure Migrate here.

Review Azure Migrate Project Connectivity Method

ℹ️
Dr Migrate SaaS only supports Public Endpoint deployments of Azure Migrate. To use a Private endpoint deployment, consider using Marketplace.

Create Service Principal

Dr Migrate requires a Service Principal be created to allow the Dr Migrate server to communicate with Azure Migrate.

When creating the SPN please observe the following:

  • SPN Name - It is recommended to name the App Registration “drmigrate-spn”. All other settings can be left as default
  • Client Secret Creation - Dr Migrate requires a client secret to be created, it is recommended to set the expiry to 12 months.
ℹ️
Securely store the Client Secret value, as it is only viewable on creation and will be needed during the data sync step.

For Microsoft documentation on creating a Service Principal in Entra ID, see here

Configure Access

Best practice is to set up the Azure Migrate in a dedicated Resource Group and/or Subscription. This is not a requirement but provides a clear RBAC boundary and reduces Azure Policy conflicts.
ℹ️
Dr Migrate will ingest all Azure Migrate Projects located within the resource group the SPN has permissions to. If you do not wish to have a project ingested, ensure that the Azure Migrate project has been created in a dedicated resource group.

Assign your Service Principal, the following permissions:

Role Scope Requirement
Contributor Subscription or Resource Group where Dr Migrate and Azure Migrate will be located Mandatory
Cost Management Reader Subscription where Azure Migrate is deployed. Optional
ℹ️
If you have an Enterprise Agreement with Microsoft, and would like Dr Migrate to apply your agreed discount when providing TCO costings, the Cost Management Reader role is required

Learn More about how to assign RBAC roles here

You can now proceed to sync your data with your SaaS Instance.