I keep forgetting that when you use the TFS Integration Platform, the account the tool is running as (or the service account, if it is running as a service) has to be in the “Team Foundation Service Accounts” group on the TFS servers involved. If it is not, you get a runtime conflict something like

Microsoft.TeamFoundation.Migration.Tfs2010WitAdapter.PermissionException: TFS WIT bypass-rule submission is enabled. However, the migration service account ‘Richard Fennell’ is not in the Service Accounts Group on server ‘http://tfsserver:8080/tfs’.

The easiest way to do this is to use the TFSSecurity command line tool on the TFS server. You will find some older blog posts about setting the user as a TFS admin console user to get the same effect, but this only seems to work on TFS 2010. This command is good for all versions:

C:\Program Files\Microsoft Team Foundation Server 12.0\tools> .\TFSSecurity.exe /g+ "Team Foundation Service Accounts" n:mydomain\richard /server:http://localhost:8080/tfs

and expect to see

Microsoft (R) TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation.  All rights reserved.

The target Team Foundation Server is http://localhost:8080/tfs.
Resolving identity "Team Foundation Service Accounts"…
s [A] [TEAM FOUNDATION]\Team Foundation Service Accounts
Resolving identity "n:mydomain\richard"…
  [U] mydomain\Richard
Adding Richard to [TEAM FOUNDATION]\Team Foundation Service Accounts…
Verifying…

SID: S-1-9-1551374245-1204400969-2333986413-2179408616-0-0-0-0-2

DN:

Identity type: Team Foundation Server application group
   Group type: ServiceApplicationGroup
Project scope: Server scope
Display name: [TEAM FOUNDATION]\Team Foundation Service Accounts
  Description: Members of this group have service-level permissions for the Team Foundation Application Instance. For service accounts only.

1 member(s):
  [U] mydomain\Richard

Member of 2 group(s):
e [A] [TEAM FOUNDATION]\Team Foundation Valid Users
s [A] [DefaultCollection]\Project Collection Service Accounts

Done.

Once this is done and the Integration Platform run is restarted, all should be OK.
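
The membership change above, wrapped as an added PowerShell example (not part of the original post) that checks the group before touching it and can take the account back out with /g- once the migration is finished, since the group grants service-level permissions. The parameter names and the Check/Add/Remove switch are assumptions made for this example; the tools path, server URL, group and account mirror the post.

```powershell
# Added example, not from the original post. Parameter names are assumptions;
# the default values mirror the post, so adjust them for your own server.
param(
    [string]$Account = 'mydomain\richard',
    [string]$Server  = 'http://localhost:8080/tfs',
    [string]$Group   = 'Team Foundation Service Accounts',
    [string]$Tool    = 'C:\Program Files\Microsoft Team Foundation Server 12.0\Tools\TFSSecurity.exe',
    [ValidateSet('Check', 'Add', 'Remove')]
    [string]$Action  = 'Check'
)

function Get-GroupUsers {
    # /imx lists the expanded membership of the group. User entries are
    # printed as "[U] DOMAIN\name", as in the output shown in the post.
    $out = & $Tool '/imx' $Group "/server:$Server" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "TFSSecurity /imx failed:`n$($out -join "`n")"
    }
    foreach ($line in $out) {
        if ("$line" -match '\[U\]\s+(\S+\\\S+)') { $Matches[1] }
    }
}

if (-not (Test-Path -LiteralPath $Tool)) { throw "TFSSecurity.exe not found at $Tool" }

# -contains compares strings case-insensitively, so mydomain\Richard matches mydomain\richard
$isMember = @(Get-GroupUsers) -contains $Account

switch ($Action) {
    'Add' {
        # /g+ adds the identity to the group; skipped when it is already a member
        if (-not $isMember) { & $Tool '/g+' $Group "n:$Account" "/server:$Server" }
    }
    'Remove' {
        # /g- removes the identity again, e.g. after the migration run has completed
        if ($isMember) { & $Tool '/g-' $Group "n:$Account" "/server:$Server" }
    }
}

# Re-read the membership so the report reflects what the server now holds
$isMember = @(Get-GroupUsers) -contains $Account
$state = if ($isMember) { 'a member' } else { 'NOT a member' }
"$Account is $state of '$Group' on $Server"
```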