question

syswiz asked:

O365 Tenant to Tenant Migration: How to create and sync AD accounts?

I'm faced with an Office 365 tenant to tenant migration involving 3 tenancies. B & C will be migrating into tenant A. Please see below image of the existing setup. All identities live in the same AD DOMAIN, but are using different UPNs and 3 AD connect servers.

Before the data migration phase (the easy part), I will need to create new identities for people who live in tenant B in tenant A. How do I go about this seeing as all accounts are living in the same AD domain/forest?

What would be the best approach here to handle the identies and the least amount of disruption to users?


[attached image: 9284-untitled-picture.png]


Tags: azure-active-directory, azure-ad-connect

shashishailaj answered:

Hello @syswiz ,


In your scenario, you have mentioned that the identities in all three tenants are using different names and are being synced using three different AD Connect servers. Hence I am assuming that there are three different UPN suffixes that you have to consolidate into one single tenant.


As you have three different AAD Connect servers, I assume you may have OU-based filtering for all three, or attribute-based filtering (as per the different UPN suffixes), or maybe domain-based. One of the important things to notice is the data associated with every identity, like SharePoint/OneDrive data, mailbox, etc. In any company, mailbox migration is one of the big tasks during these kinds of consolidation projects.


I would suggest you do all the transitions over the weekend. Let's say you have the following three tenants and corresponding custom domains:

tenantA.onmicrosoft.com (c1.com)
tenantB.onmicrosoft.com (c2.com)
tenantC.onmicrosoft.com (c3.com)


Create a local Global Admin account in Tenant B (GA@tenantB.onmicrosoft.com) and Tenant C (GA@tenantB.onmicrosoft.com). Do not use the tenant-specific UPN suffixes, i.e. don't create the Global Admin user as GA@c2.com, because for moving identities we first need to remove the custom domains associated with a tenant. For the sake of simplicity we will only use the example of Tenant B. This Global Admin creation is just to be on the safe side; you may already have this account, and in that case please use your existing GA.


As far as I have worked with multiple customers till now, zero disruption for users is not possible in these scenarios. But the disruption can be minimized by planning it across a weekend. Have all of your users export their Outlook mailbox as a PST to be on the safe side. Enable litigation hold for the mailboxes, which will preserve all mailbox content for every user. Let's start with Domain B. In order to start this you will need to first remove the identities from tenant B, and you will need some preparation for that before you can make changes to the existing filtering rules in the AAD Connect instances.


You must have some kind of filtering on AAD Connect for Tenant B scoped to a specific UPN suffix, as far as I think.

You would need to update the filtering so that no user gets synced to the cloud.

This will delete all the users in scope from the Azure AD connector space in AAD Connect for Tenant B and C.

Once these users are deleted in the AAD connector space on the AD Connect metaverse, this will replicate to the cloud and the same user objects will be deleted from the cloud.

Now the custom domain will be free for deletion from this tenant, Tenant B.

Delete the custom domain from tenant B.

Add the custom domain in Tenant A.

Then change the existing filtering so that all the users with the UPN of tenant B (@c2.com) get synced.

Now the identities of Tenant B will automatically be synced to tenant A.

A new identity will automatically be created in tenant A for each Tenant B user because the custom domain c2.com is already verified in tenant A.

Similarly you need to migrate the users from tenant C as well, by first removing the domain c3.com.

Always remember that before modifying the sync rules on AAD Connect for tenant A, make sure that the custom domain of the users in Tenant B has been verified in tenant A, else the sync will not be smooth and you may see issues. A lot depends on the kind of filtering and its scope set in the Azure AD Connect instances, hence I would suggest you test it on a small group of pilot users before doing it for everyone.


I have linked some articles which will provide more information. O365 migration is a big topic and it's difficult to provide a 100% accurate answer, but I have tried to answer it as per the information you have provided and as per my knowledge. I would also suggest engaging an O365 / Azure AD consultant if it's possible for you. Should the information help you, please do accept it as the answer so that it can help other members too. In case of any queries, please feel free to let us know and we will be happy to help.


Thank you.
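As an added example (not code from the thread), the pre-flight checks this answer and the later replies call out before the sync scope on tenant A's AAD Connect is widened: the custom domain already verified in tenant A, how many on-prem users will come into scope, and whether tenant A has licence headroom for them. It assumes the AzureAD and ActiveDirectory PowerShell modules; the tenant id, OU path and SKU name are placeholders.

```powershell
# Added example, not the thread's own code: pre-flight checks before re-scoping
# the AAD Connect instance that feeds tenant A. Values below are placeholders.
param(
    [string]$TargetTenantId = '<tenant-A-tenant-id>',            # placeholder
    [string]$CustomDomain   = 'c2.com',                          # domain moving from tenant B
    [string]$SourceOu       = 'OU=TenantB,DC=corp,DC=local',     # placeholder OU in the shared forest
    [string]$ExchangeSku    = 'EXCHANGESTANDARD'                 # assumed SkuPartNumber carrying Exchange Online
)

Connect-AzureAD -TenantId $TargetTenantId | Out-Null

# 1. The custom domain must be verified in tenant A first; otherwise the synced users
#    land with an onmicrosoft.com UPN and the cut-over is not clean.
$domain = Get-AzureADDomain -Name $CustomDomain -ErrorAction SilentlyContinue
if (-not $domain -or -not $domain.IsVerified) {
    throw "Domain $CustomDomain is not verified in tenant A. Do not change the sync scope yet."
}

# 2. Count the on-prem users that will be synced once the OU is brought into scope.
$users = @(Get-ADUser -SearchBase $SourceOu `
    -Filter "UserPrincipalName -like '*@$CustomDomain'" -Properties UserPrincipalName)
Write-Host ("{0} users with an @{1} UPN will come into scope" -f $users.Count, $CustomDomain)

# 3. A mailbox is only created once an Exchange licence is assigned, so check headroom.
$sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $ExchangeSku }
if (-not $sku) { throw "SKU $ExchangeSku not found in tenant A." }
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
Write-Host ("{0} free {1} licences, {2} needed" -f $free, $ExchangeSku, $users.Count)
if ($free -lt $users.Count) {
    Write-Warning "Not enough Exchange licences for everyone in scope; start with a smaller pilot OU."
}
```

Run it against a pilot OU first, as the answer suggests, and only widen `$SourceOu` once the pilot group's mailboxes have been created.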



syswiz answered:

Hi,
Thanks for the detailed response. Your assumptions are correct and OU-based filtering is being used alongside different UPN suffixes in AD. This is how the accounts are successfully syncing with their relevant tenancy.

I just had a question with this step:

"Once these users are deleted in AAD connector space on the AD connect metaverse , this will replicate to the cloud and the same user objects will be deleted from the cloud."

The issue I have with this approach is that when I break the link of on-prem tenant B users with Azure AD in tenant B, then how do I migrate the Exchange data across from this user in tenant B to the new user in tenant A? I will be using a 3rd party tool and it is based on a .csv mapping file where it references the user from tenant B to tenant A. With the above approach the user will be effectively deleted and the Exchange data in tenant B will be orphaned?

Hopefully that makes sense and I haven't missed anything.




shashishailaj answered:

Hello @syswiz ,

Azure AD has a restriction that one custom domain cannot be used in more than one tenant at the same time. So in order to release the domain from the . I am not sure about the 3rd party tool that you are using and how it works. If it takes the object ID of a user from one tenant and maps it to the object ID of the same user in the other tenant using a CSV file and then migrates the mailbox from one tenant to another, then you can just sync the user to tenant A as well by modifying filtering on AD Connect server A, and then get the list of ObjectIDs and map them with the original user IDs in tenant B for creating the CSV mapping file. So the delete operation on AD Connect would not be needed. I was not aware of the 3rd party migration tool and was suggesting migrating the mailbox data manually using PST export.

When you sync those users to tenant A, you will need to make sure that the Exchange license is present for all those user accounts so that a mailbox can be generated for any Tenant B user who gets synced as a result of syncing users with @c2.com. Also, for any user from tenant B, the UPN would be userB@tenantA.onmicrosoft.com, which will be mapped to userB@c2.com using a similar naming format as explained in my answer above.

There may be other limitations of the 3rd party mailbox migration tool or design considerations of which I am not aware, hence you may need to keep them in consideration while going through this identity consolidation. My assumption is based on the fact that the CSV file based identity mapping is based on a tenantID / ObjectID pair. Once mailbox migration is complete, you will need to flip the UPN for all the users in tenant B. So the UPN for userB@c2.com will change to userB@tenantB.onmicrosoft.com, and you would need to change every attribute where the c2.com domain is used because we need to delete this domain from tenantB and move it to tenantA. You might need to remove it from the Exchange admin console along with the Teams console, and also see whether any Office 365 groups have been created using this UPN suffix or not.

The important thing to keep in mind here is that you need to make sure that tenantA has enough Exchange Online licenses so that users' mailboxes can be created immediately after they get synced to Azure AD. The time it takes for all the mailboxes to migrate from tenantB to tenantA and for the mail suffix c2.com to get verified in tenant A will be the time of disruption for the users. I would suggest you calculate the average speed that the tool allows for mailbox migration and estimate the total time as per the number of mailboxes and their sizes. And after you have verified c2.com in tenant A, you can run a full sync and the UPN will get flipped, so userB@tenantA.onmicrosoft.com will become userB@c2.com as it was earlier, with a new Identity/Object ID of course.

Hope the above information helps. In case of any other queries, please let us know and we will try to help. If the information is helpful, please do accept the posts as the answer so that it increases the relevancy of this question and improves search rankings for customers searching for similar questions.

Thank you.
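As an added example (not the thread's own code), one way to produce the ObjectID mapping this answer describes once the tenant B users have also been synced into tenant A, and to preview the UPN flip off c2.com with -WhatIf. The CSV column names, tenant ids and the assumption that both sides share the local part of the UPN are assumptions; adapt the columns to what your migration tool expects.

```powershell
# Added example, not the thread's own code: map each userB@c2.com object in tenant B
# to its userB@tenantA.onmicrosoft.com counterpart in tenant A, then preview the UPN flip.
param(
    [string]$SourceTenantId = '<tenant-B-tenant-id>',        # placeholder
    [string]$TargetTenantId = '<tenant-A-tenant-id>',        # placeholder
    [string]$CustomDomain   = 'c2.com',
    [string]$SourceInitial  = 'tenantB.onmicrosoft.com',     # suffix the flipped UPNs will use
    [string]$TargetInitial  = 'tenantA.onmicrosoft.com',     # suffix the synced copies carry in tenant A
    [string]$MappingCsv     = '.\mailbox-mapping.csv'        # assumed layout: SourceUpn,SourceObjectId,TargetUpn,TargetObjectId
)

# Tenant B: the users still carrying userB@c2.com.
Connect-AzureAD -TenantId $SourceTenantId | Out-Null
$source = @(Get-AzureADUser -All $true | Where-Object { $_.UserPrincipalName -like "*@$CustomDomain" })
Disconnect-AzureAD

# Tenant A: the same people, synced before the domain moved, indexed by the local part of the UPN.
Connect-AzureAD -TenantId $TargetTenantId | Out-Null
$target = @{}
Get-AzureADUser -All $true |
    Where-Object { $_.UserPrincipalName -like "*@$TargetInitial" } |
    ForEach-Object { $target[($_.UserPrincipalName -split '@')[0].ToLower()] = $_ }
Disconnect-AzureAD

$rows = foreach ($u in $source) {
    $local = ($u.UserPrincipalName -split '@')[0].ToLower()
    $t = $target[$local]
    if (-not $t) { Write-Warning "No tenant A object yet for $($u.UserPrincipalName)"; continue }
    [pscustomobject]@{
        SourceUpn      = $u.UserPrincipalName
        SourceObjectId = $u.ObjectId
        TargetUpn      = $t.UserPrincipalName
        TargetObjectId = $t.ObjectId
    }
}
$rows | Export-Csv -Path $MappingCsv -NoTypeInformation
Write-Host ("{0} of {1} tenant B users mapped" -f @($rows).Count, $source.Count)

# After the mailbox migration: flip the on-prem UPN off c2.com so the domain can be
# released from tenant B. -WhatIf only previews; drop it after a successful pilot.
Get-ADUser -Filter "UserPrincipalName -like '*@$CustomDomain'" -Properties UserPrincipalName |
    ForEach-Object {
        $new = ($_.UserPrincipalName -split '@')[0] + '@' + $SourceInitial
        Set-ADUser -Identity $_ -UserPrincipalName $new -WhatIf
    }
```

Any unmapped rows reported by the warnings are users who have not yet synced into tenant A (filtering scope or licence), and the mapping file should not be handed to the migration tool until that count is zero.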


syswiz answered:

Hi, thanks for the response, much appreciated. The 3rd party tool is fairly straightforward. It will migrate emails from userb@c2.com to userb@tenantA.onmicrosoft.com. In order to do this the accounts must be provisioned in tenant A. For that to happen, new accounts must be created in the on-premise AD, then synced to tenant A. An Exchange licence will then need to be applied in O365 on these new accounts. The issue and disruption for the end users here is huge, as they will lose their existing usernames and will be logging into their workstations using the new username, as those will become the parent accounts for the user after the domain has migrated. This means new Windows profiles too for their machines.

The issue here is that the accounts all live in one AD forest/domain. If it were two different forests then a two-way trust could be established and ADMT could be used to copy the passwords across to the destination AD forest. This is a very disruptive project and I'm amazed to learn that there isn't a less disruptive route here...


I think you may not need to create new accounts for these users on-premise. You can just make changes in the filtering on the AAD Connect server for TenantA and let the users from B sync into tenantA.onmicrosoft.com. I don't think new Windows profiles will be created because the on-premise directory is the same, as you have mentioned in the first picture in your question. So Windows profiles are going to be the same. How do users log on on-premise: do they use the Domain\username format or the user@domain.com format to log on? If this is a very large project, I would suggest you engage Microsoft services via your partner/reseller or Technical Account Manager, and they can customize some solution for you which may reduce the disruptions, but some disruption will be there in this process as far as my experience with these scenarios goes. I understand it's not something we want, but we have to work with it nevertheless due to general technical restrictions.


Thanks, yes we will definitely engage with a partner too, but I thought it would be good to scope out the approach. This is the part that confuses me. I thought it was not possible to sync users from B to A at the same time, as the user object can't exist in multiple tenancies. If it can, then this will solve everything! It shows as an unsupported topology here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies

Yes, users log on using the domain\username format.


I understand your point and agree that it's always good to discuss and get some clarity on these projects because proper planning is a huge part of them. I believe you currently have this setup https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#each-object-only-once-in-an-azure-ad-tenant which is supported because you have the separate UPN suffixes registered in the on-prem directory and each user is represented once uniquely within the on-prem domain as well as the tenant they are synced to. However, during migration you will get into a transitional state, and that state is where you will have the same user from on-premise represented in two different tenants with different UPNs, and that is the unsupported scenario. In your scenario, there is no other way without moving to the unsupported scenario and then coming back to the supported one. Hope the clarifications helped. Do accept as answer if you feel the discussion helped.

Thank you.

NickA-9660 answered:

I am facing the exact same scenario, excellent information.


One question though which I cannot find any answer to: let's say one of the tenants is @company-x.com and it's being merged into tenant @company-y.com.


In @company-y.com, 50 guest accounts from @company-x.com exist in Azure AD for Teams/SharePoint. What happens to those @company-x.com guest accounts when you remove their domain name from their tenant and add it into company-y.com's tenant? Do the guest accounts get converted to users? Do you have to remove them all from Azure AD and let them resync from AAD Connect? Does Teams/SharePoint link explicitly by email address or by SID (meaning does all content/permissions get reset)?



@NickA-9660,
As the comments have a limitation of 1000 characters, I have provided the answer to your queries as a separate post within this thread. Thank you.

shashishailaj answered:

@NickA-9660,

The guest accounts are just a reference to the original account, and whenever we invite any user from a different AAD tenant a new object gets created within the local Azure AD which references the external Azure AD account. You can see the source for these users would be "External Azure Active Directory", as shown in the image below.


[attached image: 9676-jd01.jpg]


In your case, if you have 50 guest accounts from @company-x.com in @company-y.com and you remove the domain from the tenant of @company-x.com, those accounts do not get removed from the @company-y.com tenant, and you would need to delete them before inviting the accounts again. The guest accounts do not get converted to users. Yes, you have to remove them and let them resync from Azure AD Connect. And in the case of SharePoint/Teams, you will have to re-invite / re-add them again because it's not the same object now. The moment the domain was moved to another new tenant and the users were synced to this new tenant, even though the UPN looks the same, the object ID and SID in the Azure back-end change. The same goes for the guest accounts. So any tenant which has invited these users earlier would have to delete their old guest account and re-invite them.


So for example, if you have moved the domain (c2.com) from one tenant (tenant A) to another tenant (tenant A) and now have the same user synced with the same resultant UPN address as before, user@c2.com, and you try to log on to the old SharePoint where user@c2.com was invited and still exists in the AAD as a guest user, you will see the following error.


[attached image: 9670-jd02.jpg]


This will happen despite the user being present as a guest with the same UPN, but that user is a different one with a different object ID, so they may look the same but are not the same, and the old user (user@c2.com) may need to be deleted and an invite sent again to the new user user@c2.com from the new Azure AD tenant.


I hope this was helpful and answers your queries. Consolidations are always a little complicated due to technical limitations of what can/cannot be done. In case of any further queries please let us know and we will be happy to help. If the information provided helped, please accept this as the answer so that it's helpful for other members of the community.


Thank you.
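As an added example (not code from the thread), a way to inventory the guest objects in the receiving tenant (@company-y.com here) that reference the domain being moved, and, once the domain has moved, delete them and send fresh invitations so the guests resolve against the new tenant's object IDs as this answer describes. The tenant id, domain and redirect URL are placeholders; nothing is changed unless -Apply is given.

```powershell
# Added example, not the thread's own code: list guests that reference the moving domain,
# export them, and optionally delete and re-invite them. Values below are placeholders.
param(
    [string]$TenantId    = '<company-y-tenant-id>',       # placeholder
    [string]$MovedDomain = 'company-x.com',
    [string]$ReportCsv   = '.\guests-to-reinvite.csv',
    [string]$RedirectUrl = 'https://myapps.microsoft.com',
    [switch]$Apply                                          # without -Apply this is a dry run
)
Connect-AzureAD -TenantId $TenantId | Out-Null

# A B2B guest keeps the invited address in Mail and carries the source domain in its UPN
# as user_company-x.com#EXT#@<tenantY>.onmicrosoft.com; match on either form.
$guests = @(Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
    Where-Object {
        $_.Mail -like "*@$MovedDomain" -or
        $_.UserPrincipalName -like "*_$($MovedDomain)#EXT#@*"
    })

$guests |
    Select-Object ObjectId, Mail, UserPrincipalName, CreationType |
    Export-Csv -Path $ReportCsv -NoTypeInformation
Write-Host ("{0} guest objects reference @{1}; report written to {2}" -f $guests.Count, $MovedDomain, $ReportCsv)

if (-not $Apply) {
    Write-Host "Dry run only. Re-run with -Apply after the domain is verified and synced in the new tenant."
    return
}

# After the move the old guest object points at an object ID that no longer exists in the
# source tenant, so delete it and invite the same address again; the new invite resolves
# against the new tenant and the user must be re-added to Teams/SharePoint resources.
foreach ($g in $guests) {
    Remove-AzureADUser -ObjectId $g.ObjectId
    New-AzureADMSInvitation -InvitedUserEmailAddress $g.Mail `
        -InviteRedirectUrl $RedirectUrl -SendInvitationMessage $true | Out-Null
    Write-Host "Re-invited $($g.Mail)"
}
```

Keep the exported CSV: it is the list of people whose SharePoint and Teams access has to be re-granted, since that access was tied to the old object ID and does not carry over to the new invitation.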


