No duplicate storage required
Migrate directly from on-prem file servers through the secure agent, rather than staging duplicate data copies.
Dashboard
Snapshot of customers and migration jobs. Use Jobs in the sidebar for the full searchable job table, filters, and row actions.
Customers
— organization(s) you can access
Migration jobs
Totals across all customers you can manage (full-wizard scope).
OneDrive Migration
Migrate local H drive folders to user OneDrive using the same customer Microsoft 365 certificate app.
Discovery
| Source folder | GB | Files | Folders |
|---|
Mappings (source folder to user)
Map each first-level home folder to a tenant user account (UPN). This is used for OneDrive target resolution.
| Source folder | Folder | Target user (UPN) | Enabled |
|---|
Run OneDrive migration
Completed files
Skipped files
Failed files
Stage events
Stage 1: Select or Create Customer
Choose the customer migration to work on. MSP and platform admins can create additional customers here. The next steps cover the Windows agent and a dedicated Microsoft 365 app for that customer’s tenant.
Customer workspace
Limited client invite (wizard stages 6–9 only)
Invite someone who should only edit folder structure, mapping, roles, and folder access. They sign in here
with the URL your MSP shares, including ?mappingSetId= and the mapping set id. That
shareable link is generated in Stage 5: Create SharePoint Site Plan after you save the
site plan (same place you can copy the client deep link).
Limited client users and invites
Revoke blocks existing users immediately and can cancel pending invitations.
Stage 2: Install the Windows agent
The agent runs on a Windows machine that can reach your file shares (often a file server). You need both the
Worker (uploads, heartbeat) and the Tray app (NTFS scans in the interactive
user session). See schemr-agent/README-AGENT.md in the product repository for full install
notes.
Install on Windows
Use published binaries from your administrator when available.
-
Publish or obtain the agent binaries (for example output from
spm-installer). - Install the Worker as a service where uploads should run unattended; install the Tray for users who trigger scans.
- Configure the Tray Settings with this app’s API URL and the file server source root.
Registration token
Paste the token into the Worker or Tray when prompted (spmrt_…).
Agent installer link will appear when release manifest is configured.
Stage 3: Microsoft 365 app connection (per customer)
This application uses an Azure AD app registration in your Microsoft 365 tenant with application permissions to SharePoint and Microsoft Graph. Schemr generates a per-customer certificate and stores the private key encrypted at rest. You only download and upload the public certificate into your Entra app registration.
What your Microsoft 365 admin should create
- In Azure Portal → Microsoft Entra ID → App registrations → New registration (single tenant).
-
API permissions → Add Microsoft Graph Application permissions required by your deployment
(for example
Sites.ReadWrite.All,User.Read.AllorDirectory.Read.Allfor role picker,Group.ReadWrite.AllorGroupMember.ReadWrite.Allif you create Entra groups for folder access). Also add SharePoint (Office 365 SharePoint Online) Application permissions such asSites.FullControl.AllorSites.Selected(plus an admin grant for the target site) so the API can call SharePoint REST for folder permission inheritance before uploads. Follow least privilege for your process. -
Provisioning creates role security groups (users from Stage 9), then SP-…-Read / SP-…-RW groups that contain those role groups only, then assigns the SP groups to SharePoint folders. If SharePoint REST returns
401 Unsupported app only token, set worker envSKIP_SHAREPOINT_FOLDER_ACL=1to finish Entra-only steps, or confirm the app uses a certificate uploaded to Entra (same key as the private key you store here). - Grant admin consent for the organization.
- Certificates & secrets → Certificates → Upload a certificate (CER) or create one generated by Schemr in this wizard. Download/copy the cert and thumbprint from this page, then upload that cert to Entra.
- Overview → copy Directory (tenant) ID and Application (client) ID.
-
SharePoint site URL: the root site you are migrating into (for example
https://contoso.sharepoint.com/sites/Migration). - Optional Site ID (Graph): if you already know the site’s Graph id, you may enter it; otherwise leave blank and the service resolves it from the URL when possible.
Application credentials
Server requirement: the API must define GRAPH_CREDENTIALS_ENCRYPTION_KEY (32 random bytes,
base64-encoded) so private keys can be stored; without it, saving will return an error.
Technical details (JSON)
Stage 1: Select Snapshot
Snapshots are created when the Windows agent completes an NTFS scan. Click Refresh after the scan finishes, choose the snapshot in the list (newest first), then Load Snapshot.
Process guide (legacy steps 1-9)
- Tenant setup (outside this wizard): generate agent token, save Entra app, generate/upload certificate.
- Stage 1: Load snapshot from agent scan.
- Stage 2: Save SharePoint site plan.
- Stage 3: Build target folder structure.
- Stage 4: Map source paths to target folders.
- Stage 5: Create business roles and add members.
- Stage 6: Assign role access to folders.
- Stage 7: Run preflight, then start migration job.
Snapshot list
Request scan from agent
The tray app must be running on the file server with a configured source folder; when the agent finishes, the snapshot appears in the list.
Folder tree (loaded snapshot)
Stage 2: Create SharePoint Site Plan
Name the migration set and define the target site and document library.
Site plan
Link for limited client login
After the site plan is saved, send this URL to someone with a migration-contributor account. It includes
the mapping set id (mappingSetId) so they can open stages 6–9 without the snapshot list.
Technical details (JSON)
Stage 3: Build New Folder Structure
Add root folders, then use + on rows to add child folders with indentation.
Target folders
| Folder Structure | Path | Action |
|---|
Technical details (JSON)
Stage 4: Map Source Paths to New Structure
Each source folder can be mapped to a target folder in SharePoint.
Source → target rules
| Source Path | Target Folder | Include Subfolders |
|---|
Dry run output (JSON)
Stage 5: Roles and members
Create logical roles (for example Finance or HR), then add Microsoft 365 users to each role. When you are finished, save this page before assigning roles to folders in the next stage (Stage 9).
Technical details (JSON)
Stage 6: Folder access (roles to folders)
One row per target folder (within your max depth). Assign organization roles only — the same people-backed roles from Stage 8. Read access on parent folders is added automatically when someone has access deeper in the tree. Rows marked “Parent access” are read-only.
Folder permissions
| Target folder | Depth | Role | Permission | Level (matches folder depth) |
|---|
Technical details (JSON)
Stage 7: Run migration job
Queue a migration job, watch progress, and review stage events.
Check for source changes (preflight)
Compare the planning snapshot attached to this mapping set to a newer scan of the same file-server root. Added or removed folders here are advisory only — jobs still use the planning snapshot until you create a new mapping set from a newer scan.
New scan (same as Snapshot stage)
Queue a scan from the tray app on the file server. When it completes and imports, use Refresh snapshot list above, then pick the new snapshot and run comparison.
Agent scan requests (JSON)
Lists are capped per request (see summary). Use download for up to 10,000 paths per side.
Comparison response (JSON)
Job controls
Job status (JSON)
Upload troubleshooting
Completed / skipped / failed lists are shown as CSV (Source, Destination). When a row has a reason (for example skip or failure), it appears in parentheses after the destination path.
Completed files
Skipped files
Failed files
Stage events
Jobs
Searchable list of migration jobs across customers you manage. Open a row in the wizard for full controls and event downloads.
| Customer | Mapping | Status | Stage | % | Queued (UTC) | Last error |
|---|