O365 Tenant Migration: Your Questions Answered
It’s been quite a year at Quadrotech. We’ve hit record speeds – sustaining 1 TB / hour transfer rates for Exchange Online – while also working on the world’s largest tenant consolidation project, helping one organization merge 120 individual tenants into a single service.
Over the past 12 months, we’ve migrated a magnificent 1 PB of data between tenants. If you’re familiar with such things, you’ll know this is a big deal. As such, we’re confident in saying we’re experts in all things O365 tenant migration, and we often host webinars on the topic.
Director of Enterprise Migrations, Mike Weaver, recently ran a lively T2T session with our friends at Petri.com, and below you’ll find answers to the big questions that come up:
O365 Tenant Migration Questions
Q. How do you actually test the identity migration as you have suggested? Aren’t these one-time events?
Things like testing AD Connect and those kinds of aspects can be extremely difficult. If you have a lab environment in the source, then sometimes you have a lab environment in the target that you can practice these steps with.
For practicing a domain move, if you haven’t done a domain move, and ejection of a domain, you should buy a domain, have your DNS team give you a sub-domain, and test that. But, you should understand that during the migration, there’s going to be a lot more stickiness of that domain.
Find your IT community, ask them if you can put them on a different name domain temporarily, and walk them through that whole process to understand that experience.
You need to keep in mind that when you’re doing a cross-tenant move, you’re not moving an identity; you’re renaming objects and making them look the same. That identity in the source is going to keep the GUID.
Q. How do you handle links that are shared externally?
There are a few aspects of this. As part of the domain move, you want to disable that external access, so you don’t have the situation where the external user still has access to that location. There’d be nothing stopping that external user if you don’t shut it off, which can create an additional problem: if you migrate someone’s OneDrive and the external user goes in and changes something, the original user can’t get back to it.
If you had really loose security policies where links could be open for three years, or you had anonymous links, etc., those are going to be impacted; your users have to plan for it, and external users have to plan for it.
You should determine the impact. Look at link-sharing and look at the external user situation. Then do a targeted communication to the users that are going to be heavily impacted. End-user interviews can help you mitigate that as best you can.
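One way to turn a sharing-link inventory into that targeted communication list, as an added example that is not Quadrotech tooling or part of the original answer. The CSV layout (owner, item, link_type, recipient, expires), the sample rows and the function name are assumptions made for illustration, not a Microsoft report format.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export; column names are assumptions, not a Microsoft report format.
SAMPLE_EXPORT = """owner,item,link_type,recipient,expires
alice@source.example,/Budget.xlsx,anonymous,,
alice@source.example,/Plan.docx,external,pat@partner.example,2027-01-01
alice@source.example,/Notes.docx,internal,bob@source.example,
bob@source.example,/Deck.pptx,external,sam@vendor.example,2024-03-01
carol@source.example,/Specs.pdf,anonymous,,2026-06-30
"""

def sharing_impact(export_text, cutover, heavy_threshold=2):
    """Rank owners by anonymous/external links still valid on the cutover date."""
    impact = defaultdict(lambda: {"anonymous": 0, "external": 0, "recipients": set()})
    for row in csv.DictReader(io.StringIO(export_text)):
        kind = row["link_type"].strip().lower()
        if kind not in ("anonymous", "external"):
            continue  # internal sharing is out of scope for this report
        expires = row["expires"].strip()
        if expires and date.fromisoformat(expires) < cutover:
            continue  # link expires before the move, nobody to notify
        entry = impact[row["owner"]]
        entry[kind] += 1
        if row["recipient"]:
            entry["recipients"].add(row["recipient"])
    report = []
    for owner, e in impact.items():
        total = e["anonymous"] + e["external"]
        report.append({
            "owner": owner,
            "anonymous": e["anonymous"],
            "external": e["external"],
            "recipients": sorted(e["recipients"]),
            "heavy": total >= heavy_threshold,  # candidates for an end-user interview
        })
    # Heaviest first, so the communication list starts with the most impacted owners.
    return sorted(report, key=lambda r: (-(r["anonymous"] + r["external"]), r["owner"]))

if __name__ == "__main__":
    for line in sharing_impact(SAMPLE_EXPORT, cutover=date(2025, 1, 10)):
        print(line)
```

Links with no expiry date are counted as impacted, which matches the long-lived and anonymous links the answer calls out.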
Q. Are there limitations regarding Microsoft Dynamics integration with Exchange and when you need to move the workload separately?
You’re going to need to do your Exchange migration at a similar time. Let’s say it occurs on the same migration weekends, so that you can get it all up and running. If it’s integrated, you have to do it together. If you’re doing a staged migration, you’re probably going to have to move all of your CRM users, and the domain that they’re using at the same time.
You may be combining companies, combining brands, but you may not want to do that right away for your sales team. In a lot of cases to get away from the domain problem, we’ll do all the different aspects of the company on other weekends. Then we’ll do the domain cut with the sales teams at the end along with the CRM as well.
Q. In one of your reports, you mentioned Yammer. How do we migrate this?
Yammer has limitations in the migration, and there’s no API to actually do that migration. In a lot of cases, if you’re using Yammer in the source, and using Yammer in the target, then a lot of times it’s re-adding users to the proper place in Yammer. If you have legal requirements, you have to do eDiscovery on the source, and retain that information.
You could set up the community networks again, re-add members, and do those kinds of aspects. Yammer’s a tricky one, especially for complex utilizations. Again, we continue to wait for more APIs here, so we can do migration work for that workload.
Q. Are there any special considerations when you have a mix of PC and Mac clients?
We have a Mac and PC reconfiguration agent. Mac functionality is a little lighter. What’s becoming more and more popular is there is a Mac management platform which is probably the most popular product out there for managing Macs in enterprise environments. A lot of those administrators will have the ability to actually do some of those updates through that management product. The Mac reconfiguration process is completely different.
Just as you talk about testing and planning, you need to test both carefully, and all versions of build. So, if you’re running different versions of Mac OS, different versions of Windows, different versions of Office, you have to walk through all of that in your testing. Your Mac administrators in particular will be quite familiar with that.
Q. Is there an impact if Microsoft Exchange is in hybrid mode?
Yes. There are two situations. If you’re in hybrid mode and it’s not because you have mailboxes on-prem, that’s pretty simple. You’d probably want to cut that hybrid configuration in advance.
If you’re in hybrid mode, because you have mailboxes, and aspects on-prem and the target is going to be all Office 365, then you could migrate the remaining mailboxes up into Office 365, in preparation for the project. Then the tenant to tenant move becomes just like everything else.
If you’re going from hybrid mode to hybrid mode, and you have to move some of the on-prem mailboxes, you might be able to do a cross-forest MRS. You can do a direct Exchange migration between the two organizations, but you’d have to be careful because now you’re going to be stuck talking about network topology.
Q. What if there are two Office 365 tenants configured with Microsoft Exchange hybrid mode, and both have active directory federated accounts?
It will require some very specific AD Connect procedures and some cleanup. If you’re in hybrid mode – because you are, and not because you have mailboxes on-prem – it might be time to review that decision, particularly in the source environment. If you’re moving off of that system, that might be the right time to do that as part of your change.
But certainly, there are methods to do that with certain custom AD Connect processes.
Q. Does eliminating an on-prem AD and moving to the Azure AD make things easier?
If we’re talking about the source environment, it’s indifferent. If you don’t have a good reason to have on-prem AD, you don’t have on-prem applications or servers, and you can make that move, then certainly that will probably be easier because then you just have to spin it down on the other end.
In the aspect of the tenant to tenant migration, the only thing I’d be careful of is you do have to address whatever’s tied to that local AD, as part of your cross-tenant move, if you’re actually going to spin down those on-prem.
Do keep in mind though, if your workstations in the source are being managed by on-prem AD, in more of a traditional manner, and a traditional configuration, and you’re not getting rid of those machines right away, the users are going to need to be able to log in. You are going to have to upgrade and change all that as part of the project.
If you’re going to eventually, or within the next 30/60/90 days, replace all the workstations, and bring them into the target workstation realm, and hardware, and standard, then it probably doesn’t make sense to do that migration, and just float through where you are, and then subset it as part of your spinning down management at the end.
Q. Are you able to migrate OneNote data?
Yes. When you do a OneNote migration, you have to be very careful because you have to actually rebuild the index file, and you have to do it by working with a specific OneNote process. There are some limitations to that API.
Usually, we migrate it as the workload. So if the OneNote is stored in Teams, we’ll do it as part of the Teams move; if it’s in SharePoint, we’ll do it as part of the SharePoint move; and OneDrive, as part of the OneDrive move. You have to interface with the OneNote migration API to rebuild those indexes.
Otherwise, you’ll end up with the files, the notes, all the little note files, and you can still open those, if you have the full OneNote client, you can drag them back into a OneNote, and do it in an index. You do want to be very careful in your planning, and testing because if it’s ignored, and you have a very heavy OneNote user community, it can be quite a problem. Certainly, if that’s of concern, you want to be sure that it’s part of your test plan.
Q. How do you handle Power BI reports and the migration of that data across tenants?
Power BI has two aspects: it has what you’re reading, and then the reports that you made on it. Unfortunately, it is a manual user process because there isn’t an API for it. What you have to keep in mind is, what is Power BI looking at? If it’s looking at Dell data, Salesforce, or whatever the product may be, you have to reconfigure that aspect.
Even if the user manually documents all those reports, they’re going to have to move the reports, and they’re going to have to authenticate against the source as your environment. If you’re someone who has all these really advanced Power BI dashboards, there are some manual export and import aspects that are available to the end-user. As an administrator, you may manually do that or take that on for your really sensitive ones, and then re-attach it to the data repository on the other side.
Q. What data do you lose when you delete the domain from the tenant?
The domain is a key identifier in a tenant. Microsoft has announced that they’re trying to fix this, but when you go to your login page and put in your login name, that domain immediately will bring you to your org login policy. That’s part of the identification of a tenant: it’s a vanity name. The domain is in Exchange Online, but it’s also in application registrations, and it’s in groups, and it’s in all sorts of aspects.
When you remove it, it’s going to rip it out, rename it to – in most cases – the default domain. It will rip it out of things like Azure app registrations, and other aspects, which if you’re keeping some items behind, can break certain aspects as well.
Q. Will a migration to a different tenant break any of the enterprise applications that are set up?
They will have to log in with whatever their UPN is, in the source, so they’re renamed to the .onmicrosoft.com. They’re going to have to rename that, and they’ll have to maintain dual passwords, depending on how you do the connect, and sync process. Usually, you break it and move it. Microsoft’s done some changes to allow some multi-sync into multiple tenants, but you’re probably pushing the bounds of where that is based on that question.
If we’re talking about on-prem applications that are tied to local AD or against Azure AD, it’s the same situation where the user may, or may not break it. Particularly if it’s a local app, it’ll continue to work, but the user may have to maintain two identities. You’ll have to manage and maintain that. It can get very confusing for the users because the passwords get out of sync and they get locked out.
Q. Is there any downtime during the migration?
My best practice recommendation is to always do a tenant migration over a weekend, and then prioritize your users that are multi-shift users. The domain ejection process we talked about depends on how many objects you have. If it’s 50 people, it can be done in five minutes, and moved over to the other one. In 90 minutes, you could have the whole thing completed.
For a 100,000-user org where that whole domain move process can take four days, it should be done over a long weekend.
I do not recommend, particularly if you’re doing your first tenant to tenant migration, that you do that domain cutover outside of a weekend, and I would really recommend you do it on a total light holiday weekend. One of those holiday weekends where not everyone takes it because you might need some support.
Again, if you are doing it midweek, you are adding considerable risk to your project in case there’s an issue with the domain ejection; you just need more runway in case there’s an issue.