How to deal with the "Make sure you have FULL CONTROL at the source site" Issue
You might encounter the "Make sure you have FULL CONTROL at the source site" error. Sometimes it has nothing to do with a lack of permissions. It could be MFA, the Internet Explorer browser cache, some security policy, or any number of other things. I am going to add several options you can try to resolve it, or at least troubleshoot it a little further.
Try setting the `CLEAR_CREDENTIALS_CACHE` flag to `True` while running the migrator.
The Migrator uses the legacy version of the PnP PowerShell module. Let's try to install it and simply connect to your site.
Open PowerShell and run this command:
```powershell
Install-Module SharePointPnPPowerShellOnline -Scope CurrentUser
```
Test the connection to SharePoint Online:
```powershell
Connect-PnPOnline -Url <Your SharePoint site> -UseWebLogin -WarningAction Ignore
Get-PnPList -Includes Views, Fields, DefaultView
```
Things to look out for:
- Does a pop-up window open briefly and then immediately close?
- Does it throw a 401 or 403 error?
- Can you get past MFA to log in?
- Can you try other accounts?
- Can you connect to a few other SharePoint sites?
- Can you connect to a completely different tenant?
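The checklist above can be run as one pass over several sites. This is an added example, not part of the Migrator: the site URLs are placeholders and the `Get-AuthFailureKind` helper is hypothetical. It uses only the two cmdlets from the connection test and sorts each failure into 401 (sign-in not accepted), 403 (signed in but denied), or other.

```powershell
# Added example: repeat the page's connection test for several sites and
# summarize the outcome. Replace the placeholder URLs with your own sites.
$sites = @(
    'https://YOUR_TENANT.sharepoint.com/sites/source',
    'https://YOUR_TENANT.sharepoint.com/sites/another-site',
    'https://OTHER_TENANT.sharepoint.com/sites/target'
)

# Hypothetical helper: classify a failure by the HTTP status in the error text.
function Get-AuthFailureKind {
    param([string] $Message)
    switch -Regex ($Message) {
        '\(401\)|Unauthorized' { return '401: sign-in was not accepted (check MFA, cached credentials)' }
        '\(403\)|Forbidden'    { return '403: signed in, but access was denied (permissions or policy)' }
        default                { return 'Other: see Detail' }
    }
}

$results = foreach ($site in $sites) {
    try {
        Connect-PnPOnline -Url $site -UseWebLogin -WarningAction Ignore -ErrorAction Stop
        $lists = Get-PnPList -Includes Views, Fields, DefaultView -ErrorAction Stop
        [pscustomobject]@{
            Site   = $site
            Result = 'OK'
            Detail = "$(@($lists).Count) lists returned"
        }
    }
    catch {
        [pscustomobject]@{
            Site   = $site
            Result = Get-AuthFailureKind -Message $_.Exception.Message
            Detail = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize -Wrap
```

A failure on every site of one tenant but not the other points at tenant-level sign-in or policy rather than at permissions on a single site.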
For simplicity, by default we use the browser to authenticate against web sites. But you can try authenticating with a SharePoint-only app instead. You have to be a SharePoint Online Tenant admin to make it work. Only use it on the tenant that fails to let you log in. But if you really want to, there is nothing wrong with using two separate SharePoint Apps. If you have never worked with SharePoint Apps (App-only authentication), the topic might sound a little complicated. But if you simply read and follow these steps, you can make it work:
- Related Microsoft article: Granting access using SharePoint App-Only
- Related Video: Tenant level App-Only rights in SharePoint Online
Make sure Custom App Authentication (legacy authentication) is allowed by running the following PowerShell script. You will have to authenticate as a Tenant Admin in order for it to work:
```powershell
Connect-SPOService -Url https://YOUR_TENANT-admin.sharepoint.com/
Set-SPOTenant -DisableCustomAppAuthentication $false
```
- Create a new App Principal by opening this URL: https://TENANT.sharepoint.com/_layouts/15/appregnew.aspx
  - Click the Generate button next to the Client ID textbox.
  - Click the Generate button next to the Client Secret textbox.
  - App domain: you can specify anything. It does not really affect anything. You can specify www.sample.com
  - Redirect URI: you can specify anything. It does not really affect anything. You can specify http://deployment
  - Get the Client ID and Client Secret (on the next screen). Store them in a safe place.
- Grant tenant-wide permissions. See full list of permissions. To do it, open this URL: https://TENANT-admin.sharepoint.com/_layouts/15/appinv.aspx
  - Paste your App ID and click Lookup.
  - Paste this XML into the App's Permission request XML field:
    ```xml
    <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
    </AppPermissionRequests>
    ```
  - Click Create.
  - When asked, click "Trust It".
Connect to the SharePoint site from PowerShell:
```powershell
$appId = "0a20932b-bd9d-XXXX-8c5b-2ef9fc7ee72c"
$appSecret = "+xKIALIQSvnxNnAOu7yerkFxOZaVxXXXXKZZMUMX1X0="
$url = "https://YOUR_TENANT.sharepoint.com/"
Connect-PnPOnline -Url $url -ClientId $appId -ClientSecret $appSecret
# output the site's URL. If you see it - congratulations, you are connected successfully!
Get-PnPSite
```
If you are migrating between two different SharePoint tenants, then you can repeat the same steps above for the second SharePoint Online tenant.
If you managed to connect to the SharePoint site(s) using PowerShell and the SharePoint-Only App Id (Client Id) and App Secret (Client Secret), then you can apply this approach in the Migrator:
Open the RunAllScripts.ps1 file. Replace this code:
```powershell
If($CLEAR_CREDENTIALS_CACHE){
    Connect-PnPOnline -Url $TARGET_SITE_URL -SPOManagementShell -ClearTokenCache -WarningAction Ignore
}else{
    Connect-PnPOnline -Url $TARGET_SITE_URL -UseWebLogin -WarningAction Ignore
}
```
with this code:
```powershell
Connect-PnPOnline -Url $TARGET_SITE_URL -WarningAction Ignore -ClientId <Client_ID> -ClientSecret <Client_Secret>
```
Open the CompleteResourceMapping.ps1 file and replace
```powershell
Connect-PnPOnline -Url $TARGET_SITE_URL -UseWebLogin -WarningAction Ignore
```
with
```powershell
# -UseWebLogin is dropped: it cannot be combined with -ClientId/-ClientSecret
Connect-PnPOnline -Url $TARGET_SITE_URL -WarningAction Ignore -ClientId <Client_ID> -ClientSecret <Client_Secret>
```
Open the GenerateInitialMapping.ps1 file and replace this code
```powershell
If ($CLEAR_CREDENTIALS_CACHE) {
    Connect-PnPOnline -Url $SOURCE_SITE_URL -SPOManagementShell -ClearTokenCache -WarningAction Ignore
}
else {
    Connect-PnPOnline -Url $SOURCE_SITE_URL -UseWebLogin -WarningAction Ignore
}
```
with
```powershell
# -UseWebLogin is dropped: it cannot be combined with -ClientId/-ClientSecret
Connect-PnPOnline -Url $SOURCE_SITE_URL -WarningAction Ignore -ClientId <Client_ID> -ClientSecret <Client_Secret>
```
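The three replacements above put the Client Secret, which carries tenant-wide FullControl, into three script files in plain text. The following is an added example, not Migrator code, of one way to keep it out of the files. The function name `Connect-MigratorSite` and the environment variable names are assumptions, and the function would have to be defined or dot-sourced in each of the three scripts.

```powershell
# Added example, not Migrator code. The function name and the two
# environment variable names are assumptions made for this illustration.
function Connect-MigratorSite {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Url
    )

    $clientId     = $env:MIGRATOR_CLIENT_ID
    $clientSecret = $env:MIGRATOR_CLIENT_SECRET

    # Stop before any connection attempt if the credentials were not supplied.
    if ([string]::IsNullOrWhiteSpace($clientId) -or
        [string]::IsNullOrWhiteSpace($clientSecret)) {
        throw 'Set MIGRATOR_CLIENT_ID and MIGRATOR_CLIENT_SECRET for this session first.'
    }

    # App-only connection, as in the RunAllScripts.ps1 replacement above.
    Connect-PnPOnline -Url $Url -ClientId $clientId -ClientSecret $clientSecret `
        -WarningAction Ignore -ErrorAction Stop

    # Fail here, not halfway through a migration, if the app principal is rejected.
    $null = Get-PnPSite -ErrorAction Stop
}

# Supply the values once per PowerShell session; they are not written to disk.
$env:MIGRATOR_CLIENT_ID = Read-Host 'Client ID'
$secure = Read-Host 'Client Secret' -AsSecureString
$env:MIGRATOR_CLIENT_SECRET = [System.Net.NetworkCredential]::new('', $secure).Password

# In RunAllScripts.ps1 and CompleteResourceMapping.ps1:
#   Connect-MigratorSite -Url $TARGET_SITE_URL
# In GenerateInitialMapping.ps1:
#   Connect-MigratorSite -Url $SOURCE_SITE_URL
```

With this in place the scripts can be shared or committed without the secret, and rotating the secret does not require editing any file.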
- Try opening Internet Explorer. Open the site that gives you the access denied error, then re-run the Migrator.