Box to SharePoint Migration: Permissions, Box Notes & Metadata
Technical guide to Box-to-SharePoint migration covering storage limits, Box Notes conversion, permission mapping, tool comparison, and which features don't transfer.
Most enterprises migrating from Box to SharePoint Online are doing it for one reason: Microsoft 365 consolidation. When you're already paying for E3 or E5 licenses that bundle SharePoint Online and OneDrive, a separate Box invoice is a hard sell to the CFO. Add Copilot readiness, tighter Entra ID integration, and the operational overhead of managing two file platforms, and the business case writes itself.
Box is not a legacy system, nor is it technically inferior. It is a highly capable, folder-centric cloud storage platform built on a different architectural paradigm than SharePoint. Box organizes content around personal and shared folders with a flat, permission-heavy hierarchy. SharePoint is a site-based document management system governed by Microsoft 365 Groups, managed metadata, and strict storage quotas. Many businesses have gravitated towards consolidating their cloud operations into a single suite like Microsoft 365 for reasons such as simplifying the fee structure, improving security, and maintaining data governance.
If you treat this migration as a drag-and-drop exercise, you will hit path-length limits, lose proprietary file formats like Box Notes, and create a broken-inheritance nightmare that takes months to unravel.
This guide covers the storage math, the Box features that silently don't transfer, how to handle Box Notes conversion, and why permission mapping — not file transfer — is the hardest part of this project.
Pre-Migration Audit: Storage, Permissions, and File Inventory
Start here. Every failed migration traces back to skipping the audit.
Storage Volume Reconciliation
Box offers unlimited storage on its business and enterprise tiers. Users treat it as a bottomless hard drive, storing everything from active project files to decade-old video assets. SharePoint Online does not work that way. The standard allocation is 1 TB per tenant, plus 10 GB per licensed user. An organization with 500 users has a total SharePoint storage pool of roughly 6 TB. If your Box instance currently holds 30 TB, migrating everything directly into SharePoint will trigger massive overage fees.
Since SharePoint has limits and Box doesn't, taking the time to audit the data and find out what actually needs to be in SharePoint can save money as well as keep the data in SharePoint better organized. Run a data profiling scan to identify duplicates, stale files (untouched for 2+ years), and ROT data (Redundant, Obsolete, Trivial). Most enterprises find 30–50% of their Box data doesn't need to migrate at all. Route stale data to cheaper cold storage — such as Azure Blob Storage — rather than consuming premium SharePoint quota.
File and Path Inventory
The entire decoded file path, including the file name, can't contain more than 400 characters for OneDrive for home, OneDrive for work or school, and SharePoint in Microsoft 365. Deep Box folder hierarchies with long filenames will fail silently during migration if paths exceed this limit. Spaces are encoded as %20, rapidly consuming your character budget. Scan for deep directory trees before migration and flatten them.
Good news on filenames: Box and SharePoint disallow the same set of characters (" * : < > ? / \ |), so illegal-character renaming is minimal for Box-to-SharePoint moves.
If you're using Microsoft's Migration Manager, be aware of hard planning constraints: a single migration task should not exceed 100,000 items or 1 TB of data. Large Box accounts should be split into smaller tasks by root folder. (learn.microsoft.com)
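One way to run the path-length and task-size checks before the first pass, as an added example that is not from the original guide or Microsoft's tooling. The inventory format, the destination prefix passed to `too_long`, and treating 1 TB as 2**40 bytes are assumptions.

```python
from collections import defaultdict

MAX_DECODED_PATH = 400      # decoded path limit quoted above
MAX_TASK_ITEMS = 100_000    # Migration Manager per-task guidance quoted above
MAX_TASK_BYTES = 1024 ** 4  # 1 TB, taken here as 2**40 bytes (assumption)

# Constructed inventory of (Box path, size in bytes); not a real Box export format.
LONG_PATH = "/Finance/" + "/".join(["Quarterly Reports Archive"] * 16) + "/summary.xlsx"
SAMPLE_INVENTORY = [
    ("/Finance/budget 2024.xlsx", 48_000),
    (LONG_PATH, 12_000),
    ("/Media/raw/launch video.mov", 900_000_000),
    ("/Media/raw/b-roll.mov", 700_000_000),
    ("/Media/cut/final.mp4", 300_000_000),
]


def too_long(items, dest_prefix, limit=MAX_DECODED_PATH):
    """Return (box_path, overflow) for files whose destination path exceeds the limit.

    Length is measured on the decoded path: destination prefix plus Box path.
    """
    flagged = []
    for path, _size in items:
        dest = dest_prefix.strip("/") + "/" + path.strip("/")
        if len(dest) > limit:
            flagged.append((path, len(dest) - limit))
    return flagged


def plan_tasks(items, max_items=MAX_TASK_ITEMS, max_bytes=MAX_TASK_BYTES, depth=1):
    """Group files into one task per root folder; split oversized roots a level down."""
    groups = defaultdict(list)
    for path, size in items:
        folders = path.strip("/").split("/")[:-1]  # drop the file name
        groups["/" + "/".join(folders[:depth])].append((path, size))
    tasks = []
    for root, members in sorted(groups.items()):
        count = len(members)
        total = sum(size for _, size in members)
        over = count > max_items or total > max_bytes
        # Files that sit deeper than this grouping level can still be split out.
        deeper = [m for m in members if len(m[0].strip("/").split("/")) - 1 > depth]
        if over and deeper:
            tasks.extend(plan_tasks(members, max_items, max_bytes, depth + 1))
        else:
            # "oversized" stays True when a single folder alone breaks the limit.
            tasks.append({"root": root, "items": count, "bytes": total, "oversized": over})
    return tasks


if __name__ == "__main__":
    for path, overflow in too_long(SAMPLE_INVENTORY, "sites/finance/Shared Documents"):
        print(f"{overflow} characters over the limit: {path[:60]}...")
    for task in plan_tasks(SAMPLE_INVENTORY):
        print(task)
```

A task still marked `oversized` is a single folder that breaks the limit on its own and needs a manual decision, such as archiving part of it or restructuring it before the first pass.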
Permission and External Collaborator Inventory
Before migrating a single file, export a complete map of:
- All Box folder-level collaborators (Owner, Editor, Viewer, Uploader roles)
- External collaborators — every guest user with shared access
- Box Groups — which will need to become SharePoint Groups or Entra ID security groups
- Folders with unique permissions — where access differs from the parent
Do not rely on memory for guest access. Use Box reports to identify content shared with external users — that inventory becomes your re-invite list after cutover.
This permission map is the blueprint for your SharePoint permission design. For guidance on how SharePoint permission inheritance works, see The Definitive Guide to SharePoint Permissions & Security.
Box Notes Identification
Run a query to identify every .boxnote file in the environment. Box Notes are a proprietary format incompatible with Microsoft Office. They require a dedicated conversion workflow — covered in detail below.
Folder and Site Mapping Decisions
Do not replicate your Box folder tree in SharePoint 1:1. This is the most common mistake. The mapping should follow this pattern:
| Box Source | SharePoint Target | Notes |
|---|---|---|
| Personal folders (per user) | OneDrive for Business | Pre-provision OneDrive accounts before migration |
| Team/department folders | SharePoint document libraries (one per team site) | Design site architecture first |
| Archived or cold data | Azure Blob Storage or archive site | Don't burn SharePoint quota on files no one opens |
| Project-specific folders | SharePoint sites or Teams channels | Consider hub site architecture |
Avoid dumping everything into a single Document Library. SharePoint's 5,000-item list view threshold degrades filtered views and breaks default list rendering. The threshold is a view and query limit, not a storage cap — but it directly affects usability. Use the migration to flatten folder trees where possible and shift classification into metadata, content types, and search filters.
If your Box environment uses metadata templates, tags, or folder descriptions worth preserving, define target SharePoint site columns and content types before migration. Migration Manager and FastTrack can carry Box tags and advanced metadata forward, but they need a destination schema to map into. Dumping metadata into ad-hoc text fields loses the search, retention, and reporting value.
For guidance on metadata-driven architecture in SharePoint, see Mastering SharePoint Information Architecture.
OneDrive pre-provisioning: If you choose OneDrive as the destination, pre-provision OneDrive for users in your organization before migration. Otherwise, the OneDrive destinations aren't going to pass validation, causing migrations to fail.
If you're using Migration Manager, note that destinations cannot be changed once migration starts. Get the mapping right before the first pass. (learn.microsoft.com)
What Migrates and What Doesn't
This is where most migration guides lie by omission. Several Box-native features do not transfer to SharePoint, regardless of tool.
What Migrates
- Files and folder structures
- File metadata (created date, modified date, modified-by attribution)
- Internal sharing permissions (mapped via identity mapping)
- Box Notes (converted to .docx with caveats — see below)
What Does NOT Migrate
- Box Shared Links — Shared links are not migrated and must be recreated in SharePoint. Every external or internal URL pointing to Box content breaks.
- Box Comments — DIY tool support is inconsistent. Some tools drop them entirely, while others migrate them partially. If comment history is critical for compliance or context, ClonePartner’s custom extraction ensures full comment fidelity without relying on unpredictable off-the-shelf tools.
- Box Tasks — Task assignments within Box do not transfer. Recreate them in Planner or Microsoft To Do.
- Box Relay Workflows — Box Relay workflows and custom automations require recreation using Power Automate.
- External Collaborators — Migration Manager doesn't share content with external collaborators. This policy is in place to protect your organization, and industry best practice is to never automatically share sensitive internal data with external collaborators. You must re-invite them manually.
- File Version History — Migration Manager does not preserve file versions. During a migration, only the most recent version of a file is transferred. If version history matters, evaluate third-party tools that support version migration.
- Third-party App Integrations — Box apps connected via OAuth must be reauthorized or replaced in the Microsoft 365 ecosystem.
Plan for Power Automate rebuilds: Any workflow logic in Box Relay needs to be rebuilt in Power Automate. Power Automate is capable but architecturally different — its SharePoint connector Get items action defaults to returning 100 results, and you must configure pagination for larger datasets. See our SharePoint Import Guide for workarounds.
How to Handle Box Notes Conversion
Box Notes are a proprietary format. They are essentially HTML and JSON wrappers stored within Box's infrastructure. They cannot be opened in Microsoft Word, Excel, or any Office application. If they land in SharePoint unconverted, users get broken files — either raw JSON text or a download prompt for a file their system cannot open.
Microsoft's Migration Manager attempts to convert Box Notes to a .docx format, but the conversion has documented gaps. Certain elements such as File Previews, Tables of Contents, and Annotations are frequently omitted or broken during the process.
The conversion history has been inconsistent — Microsoft temporarily removed Box Notes conversion from Migration Manager before re-adding it. If your organization relies heavily on Box Notes with embedded tables of contents, annotations, or file previews, verify the conversion output before committing to a full migration.
Off-the-shelf DIY tools handle Box Notes with varying, often unpredictable fidelity. Some tools dump the raw JSON, requiring massive post-processing, while others force a .docx conversion that silently drops formatting. All of these tools perform the conversion blindly—none of them validate the output at scale.
ClonePartner's approach is different: we run a custom conversion pipeline, then programmatically verify every converted file against the source — checking formatting, embedded images, tables, and checklists — before signing off. That per-file validation is what separates "the tool says it worked" from "we confirmed it worked."
Recommendation: Run a pilot batch of 50–100 Box Notes through your chosen tool. Open every converted .docx and verify formatting, embedded images, tables, and checklists before migrating the full corpus. Keep an ID map from original Box Note to new SharePoint document so support teams can trace problem files later.
Permission Migration: The Hardest Part of the Move
File transfer is the easy part. Getting permissions right is where Box-to-SharePoint migrations stall, break, or create security gaps.
Why Permissions Don't Map Cleanly
Box uses a folder-level collaboration model: you invite a user as an Owner, Editor, Viewer, or Uploader on a specific folder, and that permission cascades to everything inside. It is flat and explicit.
SharePoint uses a site-and-library inheritance model with SharePoint Groups, Entra ID security groups, permission levels (Full Control, Edit, Read, Contribute), and the ability to break inheritance at any folder, file, or list item. Every time you break inheritance, you create a unique permission scope.
Microsoft supports up to 50,000 unique permission scopes in a library but recommends staying under 5,000 for performance. Those scopes do not clean themselves up if you later move files into a folder with matching access. (learn.microsoft.com)
Do not copy a messy Box permission model 1:1 into SharePoint. Redesign the target first, then map into that design. Otherwise you trade one access model for a broken-inheritance cleanup project.
Box-to-SharePoint Permission Mapping
| Box Role | SharePoint Equivalent | Notes |
|---|---|---|
| Owner | Site Owner / Full Control | Map carefully — Site Owner grants broad admin rights |
| Editor | Edit or Contribute | "Edit" includes delete; "Contribute" doesn't |
| Viewer | Read | Direct mapping |
| Uploader | Contribute (custom) | No direct SharePoint equivalent |
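
An added example (not from the original guide or any vendor tool) that applies the role table above to a constructed collaborator export: it fails closed on roles the table does not cover, holds external collaborators back for the re-invite list, and counts where inheritance would break. The CSV column names, the example domains, and the internal-domain test are assumptions.

```python
import csv
import io

# Box role -> SharePoint permission level, from the mapping table above.
# The table gives "Edit or Contribute" for Editor; this sketch picks Edit.
ROLE_MAP = {"Owner": "Full Control", "Editor": "Edit",
            "Viewer": "Read", "Uploader": "Contribute (custom)"}
RECOMMENDED_MAX_SCOPES = 5000  # recommended unique-scope ceiling cited above

# Constructed sample. Column names are assumptions, not Box's report schema.
SAMPLE_EXPORT = """\
folder_path,collaborator_login,role
/Finance,alice@contoso.example,Owner
/Finance,bob@contoso.example,Editor
/Finance/Audit,alice@contoso.example,Owner
/Finance/Audit,bob@contoso.example,Editor
/Finance/Audit,auditor@partner.example,Viewer
/Finance/Payroll,alice@contoso.example,Owner
/Finance/Payroll,bob@contoso.example,Editor
/Marketing,carol@contoso.example,Editor
/Marketing/Agency,carol@contoso.example,Editor
/Marketing/Agency,designer@agency.example,Uploader
/Marketing/Agency,temp@contoso.example,Co-owner
"""


def load_acl(text):
    """Parse the export into {folder_path: {login: role}}."""
    acl = {}
    for row in csv.DictReader(io.StringIO(text)):
        folder = row["folder_path"].rstrip("/")
        acl.setdefault(folder, {})[row["collaborator_login"].lower()] = row["role"]
    return acl


def nearest_parent(folder, acl):
    """Closest ancestor that appears in the export, or None for a root folder."""
    while "/" in folder.strip("/"):
        folder = folder.rsplit("/", 1)[0]
        if folder in acl:
            return folder
    return None


def build_plan(acl, internal_domains):
    """Decide what to grant, what to hold back, and where inheritance breaks."""
    plan = {"grants": [], "reinvite": [], "unmapped": [], "breaks": []}
    for folder in sorted(acl):
        parent = nearest_parent(folder, acl)
        if parent is not None:
            if acl[folder] == acl[parent]:
                continue  # same access as the parent: inherit, no new scope
            plan["breaks"].append(folder)
        for login, role in acl[folder].items():
            level = ROLE_MAP.get(role)
            if level is None:
                # Role outside the table: grant nothing, queue for manual review.
                plan["unmapped"].append((folder, login, role))
            elif login.rsplit("@", 1)[-1] not in internal_domains:
                # External collaborators go on the re-invite list, never auto-granted.
                plan["reinvite"].append((folder, login, level))
            else:
                plan["grants"].append((folder, login, level))
    plan["over_scope_guidance"] = len(plan["breaks"]) > RECOMMENDED_MAX_SCOPES
    return plan


if __name__ == "__main__":
    result = build_plan(load_acl(SAMPLE_EXPORT), {"contoso.example"})
    for key in ("grants", "reinvite", "unmapped", "breaks"):
        print(key, result[key])
```

The scope guidance applies per library, so in a real run count `breaks` separately for each target library rather than across the whole export.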
Design Permissions Before Migration
Do not migrate permissions and fix them later. That approach creates broken inheritance that is extremely difficult to audit or clean up.
Before migration:
- Stop mimicking Box. Do not recreate Box's folder-level sharing in SharePoint.
- Create SharePoint Groups (or Entra ID security groups) mapped to Box's collaboration structure.
- Apply permissions at the Library or Site level, not folder-by-folder.
- Decide where inheritance will break — and document why.
- Configure external sharing policies at the tenant and site level before migration day.
- Note the 100,000-item sharing limit — a folder cannot be uniquely shared if it already exceeds 100,000 items. (learn.microsoft.com)
For a full walkthrough, see The Definitive Guide to SharePoint Permissions & Security.
External Collaborator Re-invitation
Box external collaborators do not migrate automatically. You need to:
- Export the full list of external users with access from Box
- Decide which external users should retain access in SharePoint
- Configure SharePoint external sharing at the tenant level (off by default in many enterprise configs)
- Re-invite external users via SharePoint sharing after migration
Box to SharePoint Migration Tools
A critical distinction most guides miss: Microsoft offers two migration tools, and only one supports Box.
Microsoft's Free Tools
SPMT (SharePoint Migration Tool) is Microsoft's free, downloadable migration tool — but it does not support Box as a source. SPMT is a free and easy to use migration solution to help you migrate content from on-premises SharePoint sites to Microsoft 365. It supports SharePoint Server and local file shares only. (learn.microsoft.com)
Migration Manager (in the SharePoint Admin Center) does support Box. The ability to migrate from Google Drive, Box, Dropbox, and Egnyte is fully integrated into Migration Manager. It is free, handles identity mapping, includes incremental (delta) sync, and converts Box Notes to .docx. Key limitations: no file version history migration, no shared link recreation, a maximum of 50 task rows running simultaneously, and 100,000-item or 1 TB per-task guidance.
DIY Migration Tools vs. Engineer-Led Services
| Approach | Best For | Box Notes Handling | Limitations |
|---|---|---|---|
| ClonePartner (Engineer-Led Service) | Enterprises (50TB+), complex permissions, compliance, zero downtime | Custom conversion pipeline — programmatically validates every file | Not suited for very small (<1TB) migrations |
| ShareGate / AvePoint | Mid-market DIY with dedicated IT staff | Converts to .docx (unverified output) | You must design permissions and handle broken links manually |
| Basic DIY Tools (Movebot, Cloudiway, CloudM) | Simple, flat folder structures | Varies (often raw JSON or basic Word docs) | High risk of broken inheritance, metadata loss, and missing external collaborators |
The self-serve tools above work well for straightforward moves — small volumes, flat permissions, minimal Box Notes. But they all share the same limitation: they transfer files without redesigning the destination. You're still responsible for permission architecture, broken-link remediation, metadata mapping, and post-migration cleanup. Automated tools consistently fail on these edge cases at enterprise scale. For complex environments, ClonePartner handles the full lifecycle as an engineering service, ensuring zero data loss and zero downtime.
Migration Approaches by Complexity
Decision Framework: When to Use ClonePartner vs. DIY Tools
- When DIY tools are fine: You have less than 5 TB of data, flat folder structures, no complex external sharing, and an internal IT team with the bandwidth to manually fix broken links and permissions post-migration.
- When you need ClonePartner: You are moving 50 TB+, have deep permission inheritance, rely heavily on Box Notes, or require strict compliance (HIPAA, SOX). ClonePartner’s engineers handle the permission redesign, metadata mapping, Box Notes conversion, and hyperlink remediation so your team doesn't inherit a mess.
DIY with a Tool (1–5 TB, Simple Permissions)
Works if you have a small-to-medium Box instance with straightforward folder-level permissions and minimal external collaborators. Pick a tool, run a pilot batch, validate, migrate in phases.
Best for: Small IT teams, single-department moves, straightforward folder structures.
Phased Migration with Parallel Sync (Zero-Downtime Enterprises)
Pre-stage the bulk of data using delta sync while users continue working in Box. Run incremental passes over days or weeks, then execute a short cutover window.
Best for: Enterprises that cannot tolerate downtime, organizations running concurrent Box and SharePoint during transition.
Do not rename or restructure during migration. The main risk of rearranging content during the migration is data duplication: the incremental process sees all changes as new data. If you change a folder name at the root, it detects that as a new folder, and all of its contents are retransferred, including all subfolders.
Managed Service (50 TB+, Complex Permissions, Compliance)
For large enterprises with tens of thousands of users, complex permission trees, external collaborator webs, compliance requirements (HIPAA, SOX, financial services), or aggressive timelines — a managed migration service is the lower-risk path.
ClonePartner runs Box-to-SharePoint migrations as a dedicated engineering engagement. Our team handles API rate limits, Box Note conversion with per-file validation, permission redesign (not just permission copying), metadata mapping, hyperlink remediation, delta sync management, external collaborator re-invitation, and post-migration reconciliation. Migrations complete in days, not the months that self-serve tools require when you factor in internal team learning curves and rework cycles.
The difference between a self-serve tool and ClonePartner isn't the file transfer — it's everything around it: the permission architecture decisions, the broken-link remediation, and the guarantee that nothing gets lost in transit.
Post-Migration Validation and Decommissioning
The migration is not over when the progress bar hits 100%. Run these checks before declaring success:
- File count reconciliation — Compare total file counts between Box source and SharePoint destination. Account for files skipped due to path length, zero-byte files, or unsupported types.
- Permission audit — Spot-check 10–20 folders across different permission levels. Verify the right users have the right access. Ensure no unintended "Everyone except external users" permissions were applied to sensitive HR or Finance libraries.
- External collaborator audit — Verify that all required vendors and partners have redeemed their Entra ID guest invitations and can access their designated content.
- Box Notes conversion verification — Open a representative sample of converted .docx files. Check formatting, tables, embedded images. Watch for silently dropped annotations and tables of contents.
- Link rewriting — Internal documents referencing Box URLs now have broken links. Identify and update the highest-traffic ones. Broken Box URLs circulate in emails, wikis, and Slack for years.
- List view threshold — If any document library exceeds 5,000 items, verify that list views are indexed properly.
For target-side audit techniques, see How to Export Data from SharePoint.
Decommissioning Box
Do not cancel your Box subscription the day after migration. Run both platforms in parallel for a minimum of 30 days — 60 days for large enterprises or regulated industries.
During the parallel window:
- Set Box to read-only for all users to prevent new content creation
- Monitor SharePoint adoption — watch for users reverting to Box out of habit
- Run a final delta sync at the end of the window to catch stragglers
- Export Box admin reports and archive them for compliance (audit trail of who had access to what)
- Cancel Box licenses only after all stakeholders confirm the move is complete
What Decides Whether This Goes Well
The file transfer itself is the easy part. What determines success or failure:
- Storage audit thoroughness — migrate what matters, not everything
- Permission design before migration — not after
- Box Notes conversion validation — don't assume it worked
- External collaborator re-invitation plan — don't leave partners locked out
- Link rewriting strategy — broken Box URLs persist longer than you expect
If you're running a straightforward 1–5 TB move with simple permissions, Migration Manager or a third-party tool will get you there. If you're dealing with 50 TB+, complex cross-department permissions, external collaborator webs, or compliance requirements — that's where having a team who has done this repeatedly makes the difference.
Frequently Asked Questions
- Does the SharePoint Migration Tool (SPMT) support Box as a source?
- No. SPMT only supports on-premises SharePoint Server and local file shares. For Box, use Microsoft's Migration Manager (free, in the SharePoint Admin Center) or a third-party tool like ShareGate, AvePoint, Movebot, Cloudiway, or CloudM. For enterprises needing zero-downtime migration with full permission redesign and Box Notes conversion handled end-to-end, ClonePartner offers a managed engineering service that eliminates the tool-selection guesswork entirely.
- What happens to Box Notes when migrating to SharePoint?
- Box Notes are a proprietary format incompatible with Microsoft Office. Migration Manager and most third-party tools convert them to .docx, but elements like File Preview, Table of Contents, and Annotations may be omitted. Movebot converts to JSON instead of .docx. Always run a pilot batch and verify the output before a full migration.
- Do Box sharing permissions transfer to SharePoint automatically?
- Internal permissions can be mapped using identity mapping in Migration Manager or third-party tools. External collaborators must be re-invited manually — Migration Manager does not share content with external users by design. Shared links are not migrated and must be recreated.
- What Box features do NOT migrate to SharePoint?
- Box Shared Links, Tasks, Relay workflows, third-party app integrations, external collaborator access, and file version history (in Migration Manager) do not transfer. Box Comments are tool-dependent — Cloudiway says they don't migrate, while Microsoft FastTrack says they do. Validate with your exact tool.
- How long should I keep Box active after migrating to SharePoint?
- Keep Box running in read-only mode for a minimum of 30 days after migration — 60 days for large enterprises or regulated industries. Run a final delta sync before canceling to catch any missed files.