O365 Tenant to Tenant Migration: How to create and sync AD accounts?

Mohnish Kumar 1 Reputation point
2020-06-07T12:46:02.613+00:00

I'm faced with an Office 365 tenant to tenant migration involving 3 tenancies. B & C will be migrating into tenant A. Please see the image below of the existing setup. All identities live in the same AD DOMAIN, but are using different UPNs and 3 AD Connect servers.

Before the data migration phase (the easy part), I will need to create new identities for people who live in tenant B in tenant A. How do I go about this seeing as all accounts are living in the same AD domain/forest?

What would be the best approach here to handle the identities with the least amount of disruption to users?

(image: 9284-untitled-picture.png, diagram of the existing setup)


10 answers

  1. Madscientist 1 Reputation point
    2021-11-24T23:05:43.257+00:00

    Thank you, Mike. Yes, that makes sense. Question is how do we perform a staged migration using this method? The on premise AD has several thousand users (close to 10,000) active accounts, and it is not possible to perform a cutover / big bang migration over a weekend, for example. I am having a difficult time picturing how this staged migration would go. I can create cloud only accounts for users and migrate the data, but what about the AD groups that synchronize via AD Connect, and the registered Windows 10 computers. Do I have to create cloud accounts for all the AD groups as well and keep that scenario until all users are cutover? I can picture this scenario being significantly simpler if there is an interforest AD migration as well, where there will be net new accounts created in a new forest that synchronizes via a net new AD Connect server to the new target tenant. But in our situation, it is the same on premise AD.

    Will there be any impact to the existing AD environment or current production tenant if a second AD Connect server attempts to interact with these same objects to synchronize to the new tenant? Right now, the new tenant is new and we are in the process of migrating settings and content. My primary concern is deploying an Azure AD configuration that will break the functionality of the existing tenant, which is our production tenant.

    As far as the workstations, I know the workstations need to be reset and join the new tenant with new user profiles, so we will be doing that. That's the area of least concern. My biggest issue is preventing any configuration that will break the current environment during the process of setting up the migration.

    Appreciate any help you could offer. Thank you.


  2. Roahso 1 Reputation point
    2021-11-24T22:56:04.453+00:00

    @Madscientist
    You can sync one AD to 2 separate tenants (one with Azure AD Connect and the other with Azure AD Connect Cloud Sync) but unfortunately an AD object can only use one at a time.

    For your situation, you will probably need to copy the Azure AD users from Tenant A and create cloud only accounts in tenant B with temporary UPNs. Once you're done moving everything from Tenant A, you can stop syncing there and switch over to tenant B. The cloud only accounts will be converted by a process called "Soft Join".

    Let me know if that makes sense.


  3. Madscientist 1 Reputation point
    2021-11-24T22:41:01.557+00:00

    How did you guys resolve this? I am faced with the same problem. I need to synchronize the same on premise AD to 2 separate Azure AD tenants for a migration. The environments are large with several thousand users each. Did you configure separate AD Connect servers to synchronize the same AD users to the 2 tenants? Thank you.


  4. Roahso 1 Reputation point
    2021-10-22T02:06:40.373+00:00

    @Shashi Shailaj you are extremely knowledgeable on this subject I see. I just have a quick question on whether or not a scenario is even possible.

    Two firms both with their own Hybrid Azure AD Setup. I want to perform an M365 tenant to tenant migration but cannot figure out how to handle the identities.

    CompA is synced to Azure AD Tenant A with Azure AD Connect and CompB will also sync into Azure AD Tenant A with Azure AD Connect Cloud Sync.

    Moving the M365 data requires active identities in the source and destination tenant, but once I turn off the AD Connect in CompB's environment, that account will be removed from CompB's tenant as well, which would break the data migration.


  5. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-06-10T19:59:09.773+00:00

    @NickA-9660 ,

    The guest accounts are just a reference to the original account, and whenever we invite any user from a different AAD tenant a new object gets created within the local Azure AD which references the external Azure AD account. You can see the source for these users would be External Azure Active Directory, as shown in the image below.

    (image: 9676-jd01.jpg, guest users listed with source "External Azure Active Directory")

    In your case, if you have 50 guest accounts from @company-x.com in @company-y.com and you remove the domain from the tenant of @company-x.com, those accounts do not get removed from the @company-y.com tenant and you would need to delete them before inviting the accounts again. The guest accounts do not get converted to users. Yes, you have to remove them and let them resync from Azure AD Connect, and in case of SharePoint/Teams you will have to re-invite / re-add them again because it's not the same object now. The moment the domain was moved to another new tenant and the users were synced to this new tenant, even though the UPN looks the same, the object ID and SID in the Azure back-end change. Same goes for the guest accounts. So any tenant which has invited these users earlier would have to delete their old guest account and re-invite them.

    So for example, if you have moved the domain (c2.com) from one tenant (tenant A) to another tenant (tenant A) and now have the same user synced with the same resultant UPN address as before, user@c2.com, and you try to log on to the old SharePoint where user@c2.com was invited and still exists in the AAD as a guest user, you will see the following error.

    (image: 9670-jd02.jpg, SharePoint sign-in error shown to the re-synced user)

    This will happen despite the user being present as a guest with the same UPN, but that user is a different one with a different object ID, so they may look the same but are not the same, and the old user (user@c2.com) may need to be deleted and an invite sent again to the new user user@c2.com from the new Azure AD tenant.

    I hope this was helpful and answers your queries. Consolidations are always a little complicated due to technical limitations of what can/cannot be done. In case of any further queries please let us know and we will be happy to help. If the information provided helped, please accept this as answer so that it's helpful for other members of the community.

    Thank you.

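As an added pre-flight check that is not part of this thread or of any Microsoft tooling: the answers above rely on cloud-only accounts being "soft joined" to on-prem objects once sync is switched over, and on guest objects with the same UPN never converting. The script below, with all users, objectGUIDs and anchors constructed for illustration, derives the default sourceAnchor (ImmutableId) from an objectGUID and classifies each cloud object as a hard match, soft match (primary SMTP, then UPN), anchor conflict, or guest that must be re-invited.

```python
import base64
import uuid

# Constructed sample data (not from the thread). On-prem AD users with objectGUID,
# UPN and proxyAddresses, as Get-ADUser would export them.
ONPREM_USERS = [
    {"objectGUID": "00010203-0405-0607-0809-0a0b0c0d0e0f", "upn": "alice@c2.com",
     "proxyAddresses": ["SMTP:alice@c2.com"]},
    {"objectGUID": "0f1e2d3c-4b5a-4978-8765-43210fedcba9", "upn": "bob@c2.com",
     "proxyAddresses": ["SMTP:bob@c2.com"]},
]
# Cloud objects in the target tenant: a cloud-only member with a temporary UPN, a guest
# invited from the old tenant, and a member already anchored to some other source object.
CLOUD_USERS = [
    {"id": "c1", "upn": "bob@tenanta-temp.onmicrosoft.com", "userType": "Member",
     "immutableId": None, "proxyAddresses": ["SMTP:bob@c2.com"]},
    {"id": "c2", "upn": "alice_c2.com#EXT#@tenanta.onmicrosoft.com", "userType": "Guest",
     "immutableId": None, "proxyAddresses": ["SMTP:alice@c2.com"]},
    {"id": "c3", "upn": "carol@c2.com", "userType": "Member",
     "immutableId": "ZGlmZmVyZW50IHNvdXJjZSE=", "proxyAddresses": ["SMTP:carol@c2.com"]},
]

def immutable_id(object_guid):
    """Default sourceAnchor of Azure AD Connect: Base64 of the objectGUID byte array.
    .NET Guid.ToByteArray() is little-endian in the first three fields, hence bytes_le."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")

def object_guid(immutable):
    """Inverse of immutable_id, for reading OnPremisesImmutableId back from the cloud."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable)))

def primary_smtp(obj):
    # The primary SMTP address is the proxyAddresses entry with the upper-case "SMTP:" prefix.
    for addr in obj["proxyAddresses"]:
        if addr.startswith("SMTP:"):
            return addr[5:].lower()
    return None

def match_cloud_object(cloud, onprem_users):
    """Return (outcome, on-prem UPN or None) for one cloud object when sync starts."""
    if cloud["userType"] == "Guest":
        return ("guest-not-converted", None)  # guests must be deleted and re-invited
    if cloud["immutableId"] is not None:  # hard match: the sourceAnchor must agree
        for u in onprem_users:
            if immutable_id(u["objectGUID"]) == cloud["immutableId"]:
                return ("hard-match", u["upn"])
        return ("anchor-conflict", None)  # already linked to a different source object
    for u in onprem_users:  # soft match: primary SMTP first, then UPN
        if primary_smtp(cloud) and primary_smtp(cloud) == primary_smtp(u):
            return ("soft-match-smtp", u["upn"])
        if cloud["upn"].lower() == u["upn"].lower():
            return ("soft-match-upn", u["upn"])
    return ("new-object", None)

def preflight(cloud_users=CLOUD_USERS, onprem_users=ONPREM_USERS):
    return {c["id"]: match_cloud_object(c, onprem_users) for c in cloud_users}
```

Running `preflight()` on a real export lists, before the switch-over, which temporary-UPN accounts will join cleanly and which objects (guests, wrongly anchored members) need cleanup first.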