Performing a Tenant to Tenant Migration

A tenant-to-tenant migration is a process that lets you move data from one Microsoft 365 tenant to another. These migrations are a critical component of mergers, acquisitions, divestitures, and rebrandings, as they allow you and your team to align and optimize your digital resources. Tenant-to-tenant migrations can involve the migration of various types of data and accounts including mailboxes, OneDrive accounts, domains, user data (such as files and folders) and Microsoft Teams from one tenant to another.

This process can be complex and time-consuming; however, the right preparations can help ensure that your tenant-to-tenant migration goes as smoothly as possible. Proper preparation usually involves working with Microsoft Consulting Services or a Microsoft partner (such as Agile IT) to facilitate your migration, as well as using a third-party tool to migrate content.

Choosing the right partner and taking the time to thoroughly plan your migration can help simplify this process for you and your team.

To help you better understand how tenant-to-tenant migrations work and what goes into planning and executing a migration, this guide will detail the essential steps for a smooth, secure, tenant-to-tenant migration process within Entra ID and Microsoft 365.

The Scenario

There are multiple scenarios where a tenant-to-tenant migration may be required, and each migration scenario is unique. This makes it nearly impossible to create a one-size-fits-all guide for tenant-to-tenant migrations. The goal of this guide is merely to give you an idea of what a tenant-to-tenant migration might look like given the scenario we’ve presented.

In this example, both the source tenant and the target tenant are separate entities in the Microsoft cloud environment that both use Microsoft 365. The target tenant has acquired the source tenant and must consolidate all users, groups, and resources from the source into the target tenant. These objects can be manually created in the target tenant’s directory, imported with Microsoft Entra ID tools, or synchronized using Entra ID Connect. Below we will be taking a look at the phases that are involved in a tenant-to-tenant migration based on the scenario we’ve created.

The Planning Phase

Due to the complex nature of a tenant-to-tenant migration and the various moving parts involved, you cannot jump right into the migration process. For your migration to succeed, you must first go through a multi-step planning phase that will help you prepare for the migration and ensure that everything goes smoothly when the migration occurs.

To ensure that everything goes smoothly, the planning phase for your tenant-to-tenant migration should begin at least two weeks before the migration. During this phase, one of the first things that your IT team should decide is whether they need third-party migration tools, or if Microsoft’s cross-tenant migration features within Microsoft Entra ID can handle your migration needs.

To ensure the success of your tenant-to-tenant migration, additional steps that you should take in the planning phase include:

  • Assessing Current Access Policies: The first thing that you should do during the planning phase is review and document any multi-factor authentication (MFA) and conditional access policies currently in place for the source tenant. If the target tenant has different access policies than the source tenant, you will need to make adjustments to ensure smooth access for migrated users when they go to access their new tenant.

  • Setting Up Microsoft Entra Roles and Permissions: Next, ensure that administrators in both the source and target tenants have the necessary roles assigned to them (such as global administrator or exchange administrator). Ensuring that administrators have proper access will be critical in facilitating the migration process by helping configure permissions during (and after) the migration.

  • Confirming Licensing Requirements: During the planning phase, it is also essential that you take inventory of your licensing needs and confirm that the target tenant has enough licenses available for the source users. You may need to purchase additional Microsoft 365 licenses to accommodate all of the new users who will be migrating to the target tenant. It’s important to note here that Microsoft will not allow licenses to transfer between tenants, so having a thoughtful and cohesive plan can save you a lot of time and money.

  • Exploring Microsoft Entra’s B2B Options: During the migration, there may be instances where data needs to be accessed by users in both tenants temporarily to ensure business continuity. Your team should determine if this is something that will affect your migration, and if so, you should make sure that you enable Microsoft Entra’s B2B collaboration before the migration day to secure cross-tenant access.

The Communication Phase

Once you have a migration plan in place, it is essential that you develop a clear plan for communicating the migration to users of both the source and target tenants. Include information on the reason behind the migration, the benefits of the migration, the expected timeline, and any possible outages that could occur. This communication should include instructions on what users need to do during/after the migration, as well as support options should they encounter problems with the migration. Make sure to include a guide for clearing nicknames and auto-complete caches in Outlook and share instructions for accessing Microsoft 365 services such as Microsoft Teams and OneDrive for Business after the migration. Make sure that you maintain active communication with users throughout the migration so that they know what is expected of them at each step of the process.

The Cutover Phase

As the migration approaches, your team should take steps to prepare for the big day. Preparation should start at least three days before the migration, as this will give you time to get everything in order to ensure a smooth migration. During this phase, your IT team should:

  • Verify the Domain: The first thing that you should do to prepare for the migration is to start the process of verifying the source tenant’s email domain within the target tenant by creating TXT records in the DNS. It is important to note that DNS propagation can take up to 72 hours, which is why it is so critical that preparations begin at least three days before the migration.

  • Adjust TTL for DNS: One way that you can speed up DNS propagation is to lower the TTL (time-to-live) setting on the DNS. Lowering the TTL can help ensure minimal delays when updating records, which is crucial for smooth cutover during migration.

  • Schedule Migration and Mapping Mailboxes: Next, you will need to generate a list of user mailboxes for migration and create a CSV file for mapping. Whether you will be using third-party migration tools or Microsoft’s native options, it is essential that you map the source accounts to the .onmicrosoft.com domain to ensure consistency, as the email domain may change multiple times.

  • Complete Directory Synchronization: Finally, you will need to disable directory synchronization between Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory in the source tenant. However, it is essential that you ensure that all synchronizations are finalized before disabling to avoid data inconsistencies.

Migration Day

When the big day arrives, there are essential steps that your organization must take to ensure the success of your tenant-to-tenant migration. These include:

  • Updating the MX Record: To prevent the flow of new inbound emails to the source tenant during the migration, you need to update the MX record in the source tenant to an unreachable domain. You could also use an MX backup service to queue incoming emails until the migration has been completed. 

  • Disconnecting the Source Tenant Domain: Next, you will need to disconnect the primary email domain from user objects in the source tenant: 1. Update the domain in the source tenant to sourcetenant.onmicrosoft.com for all mailboxes, groups, and resources. 2. If applicable, remove any secondary email addresses using the source domain. 3. Run PowerShell commands using Microsoft Graph API or Microsoft Entra ID PowerShell modules to identify any objects that may be preventing domain removal.

  • Verifying the Domain in the Target Tenant: After you’ve removed the domain from the source tenant, the next thing that you need to do is add and verify it in the target tenant. To do this, you may need to configure AD FS (Active Directory Federation Services) conditional access policies in the target tenant for secure access to the new domain.

  • Final Mail Flow Configuration: Next, you will need to redirect the MX record to the target tenant or release the MX backup service, as this will allow inbound emails to flow to users in the target tenant. 

  • Post-Migration Access Checks: Finally, you should set up auto-discover records, update licenses, and configure user logins with the correct primary domain to ensure users have access to the target tenant.

Post-Migration

Once the migration is complete, there are still final steps that you need to take to ensure everything runs smoothly for users of the target tenant. Post-migration steps that you need to take include:

  • User Communication and Cache Clearing: Once the migration is complete, you must ensure that all users clear their nicknames and auto-complete caches to davoid errors when replying to migrated emails.

  • Reconfiguring Microsoft Teams, SharePoint, and OneDrive: Next, you need to verify access and permissions in core Microsoft 365 services. Some users may need to re-establish connections, re-link shared resources, or be granted permission to access files. 

  • Monitoring for Security and Compliance: With your new users in place in the target tenant, your next step is to review conditional access and identity protection settings within Microsoft Entra ID. To ensure the security of your organization’s data (as well as compliance with industry standards), it is essential that you check that all security policies in place align with the target tenant’s standards.

  • Scheduling Follow-Up Checks: Finally, to ensure that the migration was successful, schedule follow-up checks about a week after the migration to make sure that everything is functioning as expected. Fortunately, Microsoft Entra’s monitoring tools make this simple as you can quickly track logins, risk events, and overall security post-migration. 

Learn More About Tenant-to-Tenant Migration with Agile IT

Tenant-to-tenant migrations are often an essential component of mergers, acquisitions, and rebrandings that help to align digital resources and IT infrastructure. However, this is a massive undertaking, and you may be unsure where you should start to ensure your migration is a success. If this is the case, consider consulting Agile IT to find out how our experienced team can help guide you through your tenant-to-tenant migration. We have migrated over 1.5 million mailboxes, providing our customers with secure, efficient Microsoft 365 transitions.

Feel free to contact us today to find out how our team can help you execute a reliable, hassle-free tenant-to-tenant migration.

Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

How can we help?

Loading...

Let's start a conversation

location Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

telephone-icon + 1 (619) 292-0800 mail-icon Sales@AgileIT.com

Don’t want to wait for us to get back to you?