O365 Tenant to Tenant Migration: How to create and sync AD accounts?

Mohnish Kumar 1 Reputation point
2020-06-07T12:46:02.613+00:00

I'm faced with an Office 365 tenant to tenant migration involving 3 tenancies. B & C will be migrating into tenant A. Please see the image below of the existing setup. All identities live in the same AD domain, but are using different UPNs and 3 AD Connect servers.

Before the data migration phase (the easy part), I will need to create new identities for people who live in tenant B in tenant A. How do I go about this seeing as all accounts are living in the same AD domain/forest?

What would be the best approach here to handle the identities with the least amount of disruption to users?

[image: 9284-untitled-picture.png]

Microsoft Entra ID

10 answers

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-06-08T10:33:50.14+00:00

    Hello @syswiz,

    In your scenario, you have mentioned that the identities in all three tenants are using different names and are being synced using three different AD Connect servers. Hence I am assuming that there are three different UPN suffixes that you have to consolidate into one single tenant.

    As you have three different AAD Connect servers, I assume you may have OU-based filtering for all three, or attribute-based filtering (as per the different UPN suffixes), or maybe domain-based. One of the important things to notice is the data associated with every identity, like SharePoint/OneDrive data, mailbox etc. In any company, mailbox migration is one of the big tasks during this kind of consolidation project.

    I would suggest you do all the transitions over the weekend. Let's say you have the following three tenants and their corresponding domains:

    • tenantA.onmicrosoft.com (c1.com)
    • tenantB.onmicrosoft.com (c2.com)
    • tenantC.onmicrosoft.com (c3.com)

    Create a local Global Admin account in Tenant B (GA@tenantB.onmicrosoft.com) and Tenant C (GA@tenantC.onmicrosoft.com). Do not use the tenant-specific UPN suffixes, meaning don't create the Global Admin user as GA@c2.com, because for moving identities we first need to remove the custom domains associated with a tenant. For the sake of simplicity we will only use the example of Tenant B. This Global Admin creation is just to be on the safe side; you may already have this account, and in that case please use your existing GA.

    As far as I have worked with multiple customers till now, zero disruption for users is not possible in these scenarios. But the disruption can be minimized by planning it across a weekend. Have all of your users export their Outlook mailbox as a PST to be on the safe side. Enable litigation hold for the mailboxes, which will preserve all mailbox content for every user. Let's start with Domain B. In order to start this you will need to first remove the identities from tenant B, and you will need some preparation for the same before you can make changes to the existing filtering rules in the AAD Connect instances.

    • You must have some kind of filtering on AAD Connect for Tenant B scoped to a specific UPN suffix, as far as I think.
    • You would need to update the filtering so that no user gets synced to the cloud.
    • This will delete all the users in scope from the Azure AD connector space in AAD Connect for Tenant B and C.
    • Once these users are deleted in the AAD connector space on the AD Connect metaverse, this will replicate to the cloud and the same user objects will be deleted from the cloud.
    • Now the custom domain will be free for deletion from Tenant B.
    • Delete the custom domain from tenant B.
    • Add the custom domain in Tenant A.
    • Then change the existing filtering so that all the users with the UPN of tenant B (@c2.com) get synced.
    • Now the identities of Tenant B will automatically be synced to tenant A.
    • A new identity will automatically be created in tenant A for each Tenant B user, because the custom domain c2.com is already verified in tenant A.
    • Similarly you need to migrate the users from tenant C as well, by first removing the domain c3.com.

    Always remember, before modifying the sync rules on AAD Connect for tenant A, to make sure that the custom domain of the users in Tenant B has been verified in tenant A, else the sync will not be smooth and you may see issues. A lot depends on the kind of filtering and its scope set in the Azure AD Connect instances, hence I would suggest you test it on a small group of pilot users before doing it for everyone.

    I have linked some articles which will provide more information. O365 migration is a big topic and it's difficult to provide a 100% accurate answer, but I have tried to answer as per the information you have provided and as per my knowledge. I would also suggest engaging an O365 / Azure AD consultant if it's possible for you. Should the information help you, please do accept it as the answer so that it can help other members too. In case of any queries, please feel free to let us know and we will be happy to help.

    Thank you.

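The domain move from the steps in this answer, as an added PowerShell example that is not from the original thread or from Microsoft. It assumes the hypothetical tenant names and the c2.com domain used in the answer, a made-up pilot OU (`OU=TenantB-Pilot,OU=TenantB,DC=corp,DC=local`), and the ActiveDirectory, ADSync (only present on the AAD Connect server) and Microsoft.Graph PowerShell modules. Narrowing the OU filter itself is done in the AAD Connect wizard; the script sizes the pilot group, pushes the resulting deletions, refuses to release the domain while any user or group in tenant B still references it (the domain delete is rejected in that state), then adds and verifies the domain in tenant A. Nothing destructive runs unless -Commit is given.

```powershell
# Added example, not from the original thread. Hypothetical tenant names and c2.com as in
# the answer; the pilot OU path is made up. Run the AD/ADSync parts on the tenant-B AAD
# Connect server. Nothing destructive happens unless -Commit is given.
[CmdletBinding()]
param(
    [string]$Domain       = 'c2.com',
    [string]$SourceTenant = 'tenantB.onmicrosoft.com',
    [string]$TargetTenant = 'tenantA.onmicrosoft.com',
    [string]$PilotOu      = 'OU=TenantB-Pilot,OU=TenantB,DC=corp,DC=local',   # hypothetical
    [switch]$Commit
)
$suffixRe = '@' + [regex]::Escape($Domain) + '$'

function Get-DomainReferences {
    # Users and groups in the connected tenant whose UPN, mail or proxyAddresses still carry
    # the domain. Azure AD refuses to delete a custom domain while any such object exists.
    $users = Get-MgUser -All -Property Id,UserPrincipalName,Mail,ProxyAddresses |
        Where-Object { $_.UserPrincipalName -match $suffixRe -or $_.Mail -match $suffixRe -or
                       ($_.ProxyAddresses | Where-Object { $_ -match $suffixRe }) }
    $groups = Get-MgGroup -All -Property Id,DisplayName,Mail,ProxyAddresses |
        Where-Object { $_.Mail -match $suffixRe -or
                       ($_.ProxyAddresses | Where-Object { $_ -match $suffixRe }) }
    @($users) + @($groups)
}

# 1. Know the blast radius before touching the filter: pilot-OU accounts on the suffix.
$pilot = @(Get-ADUser -SearchBase $PilotOu -Filter "userPrincipalName -like '*@$Domain'")
Write-Host ("{0} accounts in {1} use @{2}" -f $pilot.Count, $PilotOu, $Domain)

# 2. After the OU filter on the tenant-B server has been narrowed in the AAD Connect wizard
#    so the pilot OU is out of scope, a delta sync carries the deletions to tenant B.
if ($Commit) { Start-ADSyncSyncCycle -PolicyType Delta | Out-Null }

# 3. Refuse to continue while tenant B still references the domain anywhere.
Connect-MgGraph -TenantId $SourceTenant -Scopes 'Domain.ReadWrite.All','User.Read.All','Group.Read.All' | Out-Null
$left = @(Get-DomainReferences)
if ($left.Count) {
    $left | Select-Object Id, UserPrincipalName, DisplayName, Mail | Format-Table -AutoSize
    throw "$($left.Count) objects in $SourceTenant still reference $Domain; clear them first."
}

# 4. Release the domain from tenant B, then add and verify it in tenant A. Until it is
#    verified in A, users synced there by the widened tenant-A filter get the
#    tenantA.onmicrosoft.com fallback UPN instead of @c2.com.
if ($Commit) {
    Remove-MgDomain -DomainId $Domain
    Disconnect-MgGraph | Out-Null

    Connect-MgGraph -TenantId $TargetTenant -Scopes 'Domain.ReadWrite.All' | Out-Null
    New-MgDomain -Id $Domain | Out-Null
    # The TXT record to publish in public DNS for $Domain:
    Get-MgDomainVerificationDnsRecord -DomainId $Domain | Format-List
    Read-Host 'Publish the TXT record above, then press Enter'
    Confirm-MgDomain -DomainId $Domain
    Write-Host ("{0} verified in {1}: {2}" -f $Domain, $TargetTenant, (Get-MgDomain -DomainId $Domain).IsVerified)
    Disconnect-MgGraph | Out-Null
}
```

The reference check in step 3 is the part worth keeping even if the rest is done by hand: a domain delete that fails halfway through a weekend window, because one mail-enabled group or a proxyAddresses entry still carries @c2.com, is the usual cause of the "sync will not be smooth" problems the answer warns about. The Domain.ReadWrite.All consent on a Global Admin session is exactly the kind of standing privilege that should be granted to a break-glass account for the window and removed afterwards.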

  2. Mohnish Kumar 1 Reputation point
    2020-06-08T12:54:35.35+00:00

    Hi
    Thanks for the detailed response. Your assumptions are correct, and OU-based filtering is being used alongside different UPN suffixes in AD. This is how the accounts are successfully syncing with their relevant tenancy.

    I just had a question with this step:

    > Once these users are deleted in AAD connector space on the AD connect metaverse , this will replicate to the cloud and the same user objects will be deleted from the cloud.

    The issue I have with this approach is that when I break the link of the on-prem tenant B users with Azure AD in tenant B, then how do I migrate the Exchange data across from this user in tenant B to the new user in tenant A? I will be using a 3rd party tool and it is based on a .csv mapping file where it references the user from tenant B to tenant A. With the above approach the user will be effectively deleted and the Exchange data in tenant B will be orphaned?

    Hopefully that makes sense and I haven't missed anything.


  3. Mohnish Kumar 1 Reputation point
    2020-06-09T19:55:01.387+00:00

    Hi, thanks for the response, much appreciated. The 3rd party tool is fairly straightforward. It will migrate emails from userb@c2.com to userb@tenantA.onmicrosoft.com. In order to do this the accounts must be provisioned in tenant A. For that to happen new accounts must be created in the on-premises AD, then synced to tenant A. An Exchange licence will then need to be applied in O365 on these new accounts. The issue and disruption for the end users here is huge, as they will lose their existing usernames and will be logging into their workstations using the new username, as those will become the parent accounts for the user after the domain has migrated. This means new Windows profiles too for their machines.

    The issue here is that the accounts all live in one AD forest/domain. If it were two different forests then a 2 way trust could be established and ADMT could be used to copy the passwords across to the destination AD forest. This is a very disruptive project and I'm amazed to learn that there isn't a less disruptive route here...


  4. Nick A 1 Reputation point
    2020-06-10T01:33:17.13+00:00

    I am facing the exact same scenario, excellent information.

    One question though which I cannot find any answer to: let's say one of the tenants is @company-x.com and it's being merged into tenant @company-y.com.

    In @company-y.com, 50 guest accounts from @company-x.com exist in AzureAD for Teams/Sharepoint. What happens to those @company-x.com guest accounts when you remove their domain name from their tenant and add it into company-y.com's tenant? Do the guest accounts get converted to users? Do you have to remove them all from AzureAD and let them resync from AAD Connect? Does Teams/Sharepoint link explicitly by email address or is it SID (meaning does all content/permissions get reset)?


  5. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-06-09T18:59:02.043+00:00

    Hello @Mohnish Kumar ,

    Azure AD has a restriction that one custom domain cannot be used in more than one tenant at the same time. So in order to release the domain from the . I am not sure about the 3rd party tool that you are using and how it works. If it takes the object ID of a user from one tenant and maps it to the object ID of the same user in the other tenant using a CSV file, and then migrates the mailbox from one tenant to another, then you can just sync the user to tenant A as well by modifying the filtering on AD Connect Server A, and then get the list of ObjectIDs and map them with the original user IDs in tenant B for creating the CSV mapping file. So the delete operation on AD Connect would not be needed. I was not aware of the 3rd party migration tool and was suggesting migrating the mailbox data manually using PST export.

    When you sync those users to tenant A, you will need to make sure that the Exchange license is present for all those user accounts so that a mailbox can be generated for any Tenant B user who gets synced as a result of syncing users with @c2.com. Also, for any user from tenant B, the UPN would be userB@tenantA.onmicrosoft.com, which will be mapped to userB@c2.com using a similar naming format as explained in my answer above.

    There may be other limitations of the 3rd party mailbox migration tool or design considerations which I am not aware of, hence you may need to keep them in consideration while going through this identity consolidation. My assumption is based on the fact that the CSV file based identity mapping is based on a tenantID / ObjectID pair. Once mailbox migration is complete, you will need to flip the UPN for all the users in tenant B. So the UPN for userB@c2.com will change to userB@tenantB.onmicrosoft.com, and you would need to change every attribute where the c2.com domain is used, because we need to delete this domain from tenantB and move it to tenantA. You might need to remove it from the Exchange admin console along with the Teams console, and also see if any Office 365 groups have been created using this UPN suffix or not.

    The important thing to keep in mind here is that you need to make sure that tenantA has enough Exchange Online licenses so that the user's mailbox can be created immediately after it gets synced to Azure AD. The time it takes for all the mailboxes to migrate from tenantB to tenantA and for the mail suffix c2.com to get verified in tenant A will be the time of disruption for the users. I would suggest you calculate the average speed that the tool allows for mailbox migration and estimate the total time as per the number of mailboxes and their sizes. And after you have verified c2.com in tenant A, you can run a full sync and the UPN will get flipped, so userB@tenantA.onmicrosoft.com will become userB@c2.com as it was earlier, with a new Identity/Object ID of course.

    Hope the above information helps. In case of any other queries , please let us know and we will try to help . If the information is helpful , please do accept the posts as answer so that it increases the relevancy of this question and improves search rankings for customers searching for similar questions.

    Thank you.

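The CSV mapping and the UPN flip described in this answer, as an added PowerShell example that is not from the original thread and not from any migration vendor's tooling. It assumes the same on-premises AD object is in scope of both AAD Connect servers, so onPremisesSamAccountName is identical for a tenant B user and the user created for them in tenant A; the hypothetical tenant names from the answer; and the Microsoft.Graph and ActiveDirectory modules. The CSV column names are made up and should be adapted to whatever the migration tool expects. The Exchange check looks for a provisioned EXCHANGE_S_* service plan rather than merely an assigned SKU, because the mailbox only exists once provisioning has completed.

```powershell
# Added example, not from the original thread. Hypothetical tenant names as in the answer.
# Assumes both AAD Connect servers sync the same on-prem objects, so onPremisesSamAccountName
# is the same for a user in tenant B and the user created for them in tenant A.
[CmdletBinding()]
param(
    [string]$SourceTenant = 'tenantB.onmicrosoft.com',
    [string]$TargetTenant = 'tenantA.onmicrosoft.com',
    [string]$OldSuffix    = 'c2.com',
    [string]$MappingCsv   = '.\tenantB-to-tenantA-mapping.csv',   # hypothetical path
    [switch]$Commit
)

function Get-SyncedUsers {
    # Read-only: synced users with the attributes the join needs. Caller connects/disconnects.
    Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesSamAccountName,OnPremisesSyncEnabled |
        Where-Object { $_.OnPremisesSyncEnabled }
}

function Test-ExchangePlan([string]$UserId) {
    # $true only when an Exchange Online service plan has finished provisioning on the user;
    # an assigned SKU whose plan is still 'PendingProvisioning' has no mailbox yet.
    $plans = (Get-MgUserLicenseDetail -UserId $UserId).ServicePlans
    [bool]($plans | Where-Object { $_.ServicePlanName -like 'EXCHANGE_S_*' -and
                                  $_.ProvisioningStatus -eq 'Success' })
}

function Set-UpnSuffix([string]$SamAccountName, [string]$From, [string]$To, [switch]$Commit) {
    # Rewrites only the suffix of the on-prem UPN; AAD Connect carries the change to the cloud.
    $ad = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName
    $pattern = '@' + [regex]::Escape($From) + '$'
    if ($ad.UserPrincipalName -notmatch $pattern) { return }
    $newUpn = $ad.UserPrincipalName -replace $pattern, "@$To"
    if ($Commit) { Set-ADUser -Identity $ad -UserPrincipalName $newUpn }
    else         { Write-Host "WhatIf: $($ad.UserPrincipalName) -> $newUpn" }
}

# 1. Source tenant: every synced user still on the old suffix.
Connect-MgGraph -TenantId $SourceTenant -Scopes 'User.Read.All' | Out-Null
$src = @(Get-SyncedUsers | Where-Object { $_.UserPrincipalName -like "*@$OldSuffix" })
Disconnect-MgGraph | Out-Null

# 2. Target tenant: the same on-prem objects as created in tenant A, keyed by sAMAccountName,
#    plus whether a mailbox is actually there to receive the migrated data.
Connect-MgGraph -TenantId $TargetTenant -Scopes 'User.Read.All' | Out-Null
$dst = @{}
Get-SyncedUsers | ForEach-Object { $dst[$_.OnPremisesSamAccountName] = $_ }
$rows = @(foreach ($u in $src) {
    $t = $dst[$u.OnPremisesSamAccountName]
    [pscustomobject]@{
        SamAccountName   = $u.OnPremisesSamAccountName
        SourceUpn        = $u.UserPrincipalName
        SourceObjectId   = $u.Id
        TargetUpn        = $(if ($t) { $t.UserPrincipalName } else { '' })
        TargetObjectId   = $(if ($t) { $t.Id } else { '' })
        TargetHasMailbox = $(if ($t) { Test-ExchangePlan $t.Id } else { $false })
    }
})
Disconnect-MgGraph | Out-Null

$rows | Export-Csv -Path $MappingCsv -NoTypeInformation
$missing = @($rows | Where-Object { -not $_.TargetObjectId })
$noMbx   = @($rows | Where-Object { $_.TargetObjectId -and -not $_.TargetHasMailbox })
Write-Host ("{0} users mapped, {1} not yet synced to {2}, {3} without a provisioned Exchange plan" -f `
            $rows.Count, $missing.Count, $TargetTenant, $noMbx.Count)
if ($missing.Count -or $noMbx.Count) {
    throw 'Fix the gaps reported above before running the mailbox migration tool.'
}

# 3. Only after the tool has finished: move the on-prem UPNs off c2.com so the domain can be
#    released from tenant B (userB@c2.com -> userB@tenantB.onmicrosoft.com, as in the answer).
foreach ($u in $src) {
    Set-UpnSuffix -SamAccountName $u.OnPremisesSamAccountName -From $OldSuffix -To $SourceTenant -Commit:$Commit
}
```

The same Set-UpnSuffix call run in the other direction (-From tenantB.onmicrosoft.com -To c2.com) once c2.com is verified in tenant A, followed by the full sync the answer mentions, produces the final state where the tenant A object carries userB@c2.com. The objects the answer lists outside the user directory (Office 365 groups, Exchange admin and Teams settings) are not covered by this user query and still have to be checked separately before the domain can be removed from tenant B.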