Office 365 is often an organization's first major step into the public cloud. To allay many common fears, Microsoft has always made it a point to keep each customer's data separate, and that strategy has proven to be a very effective way of enhancing security. However, now it seems like virtually every organization is using Office 365. As they start facing mergers, acquisitions or divestitures, the strict separation of Azure AD tenants is posing some challenges: How can you successfully migrate users and data from one tenant to another?
There's another hitch as well. Most organizations that adopt the Microsoft cloud maintain at least part of their on-premises IT infrastructure, including Active Directory (AD). In fact, Microsoft says that 75 percent of customers with at least 500 users have a hybrid AD environment — their on-premises AD remains the primary source of authentication and authorization, and they sync that on-premises AD to Azure AD using Azure AD Connect. Naturally, having one or two hybrid environments further complicates the migration or consolidation project during a merger or acquisition.
In our white paper, "Common pitfalls of Office 365 tenant-to-tenant migration," we laid out the major stumbling blocks organizations encounter as they plan and execute a tenant-to-tenant migration. Here, we'll explain the best practices that will help you migrate your AD users, Exchange mailboxes and OneDrive data quickly, safely, completely and with minimal impact on the business.
Let's start with the big picture. Figure 1 illustrates the main phases in an Office 365 tenant-to-tenant migration. As you can see, the actual account, mailbox and OneDrive data migrations come only after multiple planning and preparation steps. Let's explore the best practices for those earlier phases, and then dive down into specific tips tailored to each of the types of data being migrated.
Figure 1. High-level flow: tenant migration
Careful planning and preparation are critical to a successful tenant-to-tenant migration.
Often, mergers and acquisitions take months to plan and execute, and during that time, disclosures and other communication are very limited. The IT team may have no idea that a migration is on the horizon until the merger or acquisition is public news. Therefore, they might feel intense pressure to get the job done as quickly as possible.
The old saying "haste makes waste" is more than applicable here. It's essential to take the time to understand exactly what you're being asked to do. Do you have to migrate only accounts, or email and OneDrive data as well? Then, for each type of data, you'll want to really dig into the specifics, such as whether you need to include archived email data. We'll explore those details later.
The first step in any migration is to back up the source and target environments. Be sure your backup plan includes all on-prem and cloud-only objects (users, groups, group membership and so on) that are important to your business. A good backup is like a good insurance policy — in case something goes wrong with your migration, it helps ensure that you can keep your business running with as little disruption as possible.
Once you know the scope of the migration, you need to build a complete inventory of the source and target environments. You need to know about all the user accounts and all the data that those users have, including email archives and OneDrive data if those are in the migration scope, so nothing important gets left behind.
The discovery process is mostly technical — you can get a list of all accounts in Active Directory and Azure AD, for instance — but it will also involve conversations with your business counterparts, so it's important to establish all the key stakeholders from both the technical and business groups. There may be email archives that you don't know about, for example, or OneDrive data that is the product of shadow IT.
Make sure to record the size of each piece of data, since that will help you estimate migration timings, plan your migration collections and build a realistic schedule.
Migrating accounts and data that you don't need extends the migration timeline and increases risk unnecessarily, and it also makes the target environment more cluttered and harder to manage and secure. But only your business knows which users and data actually should be migrated, so work with them to determine what should go and what can be left behind.
In particular, work with them on how to deal with data archives. We'll address specific strategies for limiting the accounts, email data and OneDrive data later.
Once you have a sense of how many accounts and how much data you're actually going to migrate, it's time to assess whether you can complete the migration quickly, for example, over a weekend. If your migration is small enough that a "big bang" approach will work, you don't have to worry about keeping users productive during the course of the migration.
However, for most organizations, the scope of the migration precludes this approach; they can't afford the downtime that it requires. Therefore, they require a phased migration, in which accounts and data are migrated gradually over the course of weeks or months. Again, you need to involve the business stakeholders in exactly when different users and data will be migrated. For example, should executives be moved first? When are the busiest times for different groups?
Divide the users to be migrated into groups, considering business priorities and needs as well as factors such as mailbox size, and name those collections appropriately. Plan how you want to migrate them and run your proposed schedule by the business for approval; this step ensures that all stakeholders are aware of the migration timings and can prepare accordingly.
If you're performing a phased migration, you need to plan for coexistence — ensuring that users can remain productive throughout the migration, regardless of whether their accounts and data have been migrated yet. Users should not need to know anyone's migration status; they should simply be able to continue emailing colleagues, sharing data, scheduling meetings and so forth without missing a beat. Behind the scenes, that means synchronizing email systems, data shares, calendars, free/busy data and more.
It's difficult to overstate the importance of having an effective and comprehensive coexistence strategy. The fact is, in most cases, it's the end-user experience that determines the success of the project.
From the beginning, have a communication plan that covers the critical "who & what," "when" and "how" aspects:
"Who" comes in two forms: who is doing the communicating and who is on the receiving end. Be sure to designate exactly who is responsible for performing which types of communication, and make sure those people have access to the information they need to do the job. Then be sure to take into account all the different people they should communicate with, and what those people need to know:
End users need to know what's coming and how it will affect them. They also need to understand how the new environment will be different when doing their jobs, as well as what's new, useful or interesting.
IT managers and business unit (BU) managers need to know the progress of the migration and any licensing requirements relevant to their groups.
The IT manager will want real-time status updates about where the project is in its lifecycle and any pending issues, since any overruns could impact budgets, resources and productivity.
Everyone needs to know timeframes, what (if anything) is expected of them and where to get help if they experience problems.
At the start of the project, think about what you need to communicate to each group of users. At a minimum, provide the migration timeline and resources that will help inform and support them, and explain the methods for reporting and tracking issues. If you're using a phased approach, communicate the milestones for completion of each phase of the migration.
During the migration project, provide regular status updates to the business and key stakeholders.
Last, there's the question of how to communicate. Take advantage of all appropriate options, whether that might be regular email blasts, FAQs in a designated place or even a dedicated migration hotline.
Ensure you have a way to easily monitor the status of migration tasks in real time so you can track progress, coordinate activities and detect issues early. Ideally, you want to enable management to access high-level status information on their own, whenever they want, so they can see that the migration is on track and you won't have to constantly generate reports. A dashboard is a great way to provide updates and a central view of the project without having to constantly respond to ad-hoc requests from each stakeholder.
No matter how well you plan, things can go wrong. A third-party Outlook add-in might do something strange to certain types of email items, or you might encounter unexpected name resolution, strange trust behavior or network routing anomalies. Be sure you can roll back any migration job to minimize the impact to users.
Also be sure that your backup and recovery solution provides a quick and easy way to identify changes and granularly restore objects if necessary. In particular, make certain that your recovery plan includes cloud-only objects. Many solutions leave out cloud-only groups, group membership, attributes such as license attributes, business-to-business (B2B) and business-to-consumer (B2C) accounts, and Azure AD and Office 365 groups. Finally, ensure you have a broad, robust backup and recovery strategy in case a major issue arises.
During the planning phase, your helpdesk staff might field only a few questions about the migration. But once the actual migration jobs get underway, you really need to ensure that you have enough people ready to handle calls or tickets, based on the size of your migration jobs. The more accounts or mailboxes you're migrating in a given day, the more helpdesk staff you need to have on hand just in case users encounter problems.
It's critical to think about security both during and after the migration. Here are the ABCs to focus on:
Make sure you have a way to audit your target environment. You need to know what users are doing and whether the platform is working correctly, so you can minimize the risk of a data breach or other security incident. Although there are some native auditing capabilities, consider investing in a third-party solution that delivers broad functionality and, ideally, provides a unified view of both your cloud and on-premises environments.
Don't assume that because you're in the cloud, Microsoft will take care of backing up your data. Cloud providers are responsible for their uptime SLAs, so if there's a problem on the back end, they will restore services quickly. But there's no native backup of data; if something like a user attribute or a critical file gets deleted deliberately or accidentally, you're responsible for recovering it. The Azure AD Recycle Bin is a handy tool that enables quick recovery of some recently deleted objects, but it's no substitute for an enterprise backup, recovery and disaster recovery solution. For instance, it doesn't cover all objects and it can't help you restore individual attributes of an object. For more details on the limitations of native tools and information about third-party solutions to consider, please see the white paper, "Active Directory Recovery in a Cloud or Hybrid World."
Security also requires rigorous permissions management, accurate user provisioning and timely user deprovisioning. You need to be able to keep close tabs on your users and groups and ensure that all access rights are granted in accordance with the least-privilege principle. With native tools, exercising proper control is difficult, time-consuming and error-prone, so it's smart to invest in an enterprise identity management solution that will automate and streamline the job.
Before starting any account or data migrations, make sure you have the right tools in place, not just for your migration project, but also for discovery, backup and recovery, auditing and reporting, and post-migration management. It's important to note that many native Microsoft tools lack the breadth and depth of third-party tools to get the job done without having to create a lot of complex scripts.
That said, no matter how good the tools are and how easy they are to use, you can't get around the fact that migrations are both complex and critical. While most IT pros are smart and adaptable, they may not have a lot of experience performing migrations, let alone an Office 365 tenant-to-tenant migration. Therefore, it is smart to engage experts with a long track record of success; in fact, it's often the best way to complete your migration on budget, on schedule and with minimal impact to the business.
With the broader best practices in place, let's dive into the specifics of the actual migrations, starting with account migration. Figure 2 illustrates the key steps in the process:
Figure 2. The key steps in an account migration
As noted earlier, migrating accounts and data you don't need increases the complexity and risk of both the migration and the target environment. You first need to determine what accounts exist in the source environment's Active Directory and Azure AD, as well as the date when they last logged on. Then you need to determine which AD accounts should be migrated and which should be left behind. For instance, a particular account might have been idle for 30 days or even 90 days because the user is on medical leave, while another might be a leftover from someone who left the organization for good.
But determining which accounts should be migrated isn't a technical question; it's a business question, so you have to engage with your business counterparts. In this case, HR should be your first stop, since they have the master list of who actually works for the organization. Work with them and, if necessary, the end users and their managers, to determine whether any accounts are no longer needed or should not be migrated for other reasons, such as a security concern.
Then you need to think about other users, such as customers or partners who have cloud-only B2B or B2C accounts in Azure AD. You'll need to work with the appropriate business staff to determine which of those accounts are worth migrating and which are not. Remember, organizations can have thousands or even millions of B2B and B2C accounts, so it's definitely worth your time to prune down the list.
Finally, think about any service accounts you have. You need to understand why each one exists, which applications or systems depend on it, and how those dependencies will be handled when you plan its migration.
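As an added example (not from the white paper and not Quest's tooling), the following PowerShell builds the source-domain account inventory described above: every AD user with its last logon date, an activity flag against a configurable staleness threshold, and a service-account hint, exported to CSV so HR and the business can record a decision per account. It assumes the ActiveDirectory RSAT module on a workstation joined to the source domain; the 90-day threshold, the output path and the SPN-based service-account heuristic are assumptions, and cloud-only B2B/B2C accounts in Azure AD are outside this query.

```powershell
# Added example: inventory source AD user accounts with last-logon data for migration scoping.
# Assumptions: ActiveDirectory RSAT module installed; run in the source domain;
# threshold and output path are placeholders to adjust with the business.
#Requires -Modules ActiveDirectory

param(
    [int]    $StaleAfterDays = 90,
    [string] $OutputPath     = '.\source-account-inventory.csv'
)

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# LastLogonDate is derived from lastLogonTimestamp, which is only refreshed when the
# stored value is more than about 14 days old, so treat it as approximate, not exact.
$props = 'LastLogonDate', 'PasswordLastSet', 'whenCreated', 'Enabled',
         'mail', 'UserPrincipalName', 'servicePrincipalName', 'Description'

$inventory = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    $lastLogon = $_.LastLogonDate

    # The flag is an input to the HR/business review, not a migration decision:
    # an account idle for 90 days may belong to someone on leave.
    $activity = if (-not $lastLogon)            { 'NeverLoggedOn' }
                elseif ($lastLogon -lt $cutoff) { 'StaleCandidate' }
                else                            { 'Active' }

    # Heuristic (assumption): a registered SPN usually marks a service account,
    # which needs its own dependency review before it is moved.
    $kind = if ($_.servicePrincipalName.Count -gt 0) { 'Service' } else { 'User' }

    [pscustomobject]@{
        SamAccountName    = $_.SamAccountName
        UserPrincipalName = $_.UserPrincipalName
        Mail              = $_.mail
        Enabled           = $_.Enabled
        AccountKind       = $kind
        LastLogonDate     = $lastLogon
        PasswordLastSet   = $_.PasswordLastSet
        Created           = $_.whenCreated
        Activity          = $activity
        Description       = $_.Description
        # Parent container, split on the first comma that is not escaped in the DN.
        OU                = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
        BusinessDecision  = ''   # to be filled in by HR / managers: Migrate, Leave, Review
    }
}

$inventory | Sort-Object Activity, LastLogonDate |
    Export-Csv -Path $OutputPath -NoTypeInformation

# Per-category counts for the status dashboard and stakeholder updates.
$inventory | Group-Object AccountKind, Activity |
    Select-Object @{ n = 'Category'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it once per source domain and hand the CSV to the business owners; the Activity and AccountKind columns tell them where to look first, and the BusinessDecision column is what feeds your migration collections.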
As you assess which users to migrate and set up their new accounts in the target environment, keep in mind any compliance regulations you're subject to. For instance, the General Data Protection Regulation (GDPR) has strict requirements about protecting personal data, so if your organization does business with Europe, work with your legal team to understand any restrictions on moving customer information from the acquired company to the acquiring entity. And make sure that the permissions granted to the new user accounts are in line with PCI DSS, HIPAA or any other regulations your organization must adhere to.
If you're performing a phased migration, you'll need to migrate users in groups over time. Give careful thought to the collections, working closely with the users to ensure that you migrate people who work together as a group. Remember that those groups might not map directly to formal structures like business units or departments. And consider their needs and workflows as you schedule the migration jobs. For example, you probably don't want to migrate the finance team during critical end-of-quarter reporting.
Figure 3 shows the phases in a tenant-to-tenant mailbox migration.
Figure 3. Mailbox migration steps
Pruning back the number of user accounts you migrate will simplify your migration, but it pales in comparison to the impact you can make by limiting the amount of mailbox data you move. Organizations have gigabytes or even terabytes of mail data, and much of it has limited usefulness. The trick is figuring out what's worth moving and what isn't, and then prioritizing how you move what you need to move.
One approach is to limit mail migration by date; for example, migrate only the last six months of data. But don't make this an edict laid down by IT; work with your business counterparts to determine a reasonable cutoff, and be prepared to make exceptions for users who need older data.
However, keep in mind any compliance regulations that require longer email retention. Even if you don't need to migrate older data to the new tenant, you might need to ensure it is retained securely in an appropriate archive and that you can access it for e-discovery purposes.
Increase your licenses in the target Office 365 tenant to accommodate all the mailboxes you're migrating from the source tenant.
Be sure to consider mailbox size as you schedule your migration jobs. For instance, your VPs might have much larger mailboxes than their administrative assistants. If you try to migrate them all together, the assistants' mailboxes will finish but the VPs' mailboxes won't be done yet, and the assistants won't be able to access them to do their jobs. In general, look for a tool that gives you the flexibility to add more agents when you're processing larger mailboxes to ensure the job completes in a timely manner.
Figure 4 shows the phases in a tenant-to-tenant OneDrive migration.
Figure 4. Steps in a OneDrive migration
As with account and email migration, it's important to work with the business to carefully review your current OneDrive data and determine what should and should not be migrated. As with email data, be sure to think about any compliance regulations that require you to retain OneDrive data for a specific length of time, so you can make plans to properly save any data that you choose not to migrate to the new tenant. A quality data analytics solution can be very valuable here.
Once you've limited the volume of OneDrive data to be migrated, be sure to coordinate the timing of its migration with the email migration schedule. In general, you want to complete the OneDrive data migration as quickly as possible after the email migration, but the time frame will depend heavily on the amount of OneDrive data involved. Be sure to set user expectations appropriately. Ideally, look for a migration solution that can offer good coexistence to allay these concerns.
Like mailboxes, OneDrive often contains valuable and sensitive data, so you have to keep security and compliance concerns squarely in mind. Verify that the current access permissions for the data are correct, and then make sure that after the migration, the same permissions will be in place.
Any migration is a complex undertaking with many moving parts, and proper planning and execution are essential to minimizing the impact to the business. If your organization is actively planning a merger or acquisition, or M&A activity is likely in your future, it's wise to become well-versed in all the tenant-to-tenant migration best practices described here.
Looking for a simple SaaS solution to streamline your tenant-to-tenant migration? Consider Quest On Demand Migration.
It's also smart to look for solutions and partners that can help. Quest has years of experience helping customers complete migrations quickly, accurately, safely and with zero impact to the business. We offer a simple SaaS solution — On Demand Migration — that simplifies the tenant-to-tenant migration process. You'll be able to safely migrate directories, mailboxes and OneDrive data from one Office 365 tenant to another, and accounts that have already moved to the target tenant will still be able to access resources on the source tenant during the remainder of the migration — ensuring the seamless coexistence that your users and management will use to measure the success of the project.
We invite you to learn more at quest.com/products/on-demand-migration
At Quest, our purpose is to solve complex problems with simple solutions. We accomplish this with a philosophy focused on great products, great service and an overall goal of being simple to do business with. Our vision is to deliver technology that eliminates the need to choose between efficiency and effectiveness, which means you and your organization can spend less time on IT administration and more time on business innovation.