Deactivate MFA on your Office365 migration account.


During a Mail, Drive, Site or Teams migration from or to Office365, you are hitting a 401 unauthorized error message. This error message means that we are unable to connect to your source or target Office365 tenant programmatically and that is due to one of these reasons:

  • Your email/password provided in the source/target connector are invalid or expired.
  • Your account is authenticating through ADFS or SSO.
  • You have MFA or 2 step verification turned ON in your tenant.


  • Check your email and password and make sure they are valid and not expired.
  • Remove any redirection to ADFS or SSO.
  • Remove your migration account from the MFA rule.

We recommend you to use a dedicated migration account that you can exclude from any of your MFA rules. Once your migration project is finished, you can delete this temporary migration account.

To exclude your migration account from MFA, login to and go to Azure Active Directory and then to Conditional Access as shown in the screenshots below.


Make sure to deactivate the policy that is already in place and then create a new policy.

In the new policy, include everyone and exclude your migration account as shown in the screenshot below. This way, the users of your organization will keep having the MFA on. Only the migration account will bypass it.

Don’t forget to turn the Enable button to on and to save your changes.


Once this is done, give it about 2 to 5 minutes to propagate and try signing in with your migration account. It should authenticate natively to Office365.

Meet Cloudiway - A powerful and automated migration and coexistence platform. We support G Suite, Office 365, Zimbra, Lotus and lots more...
Register Now