Migrating to Exchange Online

There are numerous third party tools available today that will help with migrating from just about any email platform to Office 365. While these tools are extremely valuable it is possible to leverage the built in tools to perform the migration in certain scenarios. All of these methods of migration require that someone with elevate privileges to perform the operations which can present a challenge to a customer of a partner who does not have the necessary permissions. Also, it possible that the individuals responsible for the migration will not have the appropriate privileges either. The good news is that the built in tools provide a way to automate the migration, which means it is possible to provide a way to perform the migration and not require elevate privileges.

In order to help Cloud Solution Provider partners who find themselves in this type of scenario I have put together the HEX Migration Toolkit. It is a web portal protected by Azure AD authentication that enables individuals from a customer to add new environments to be migrated and create migration batches. When a migration batch is created the customer has to specify a date for when the batch migration should start. This enables the customer to schedule the cutover migration. This toolkit is an open source project that only has community based support. Additional functionality will be added to this tool over time, but I wanted to take this opportunity to introduce it and allow partners to provide feedback through the issue tracker.

Whenever a user logins into the portal the necessary validation tasks are performed to verify the authenticating user belongs to a customer that has a relationship with the configured partner, and that the user has the necessary privileges to access this portal (these privileges are configurable by the partner when the solution is implemented). After the user has successfully authenticated they can create new environments or manage existing ones.



When an environment is created the toolkit will enqueue a request to create a migration endpoint in Exchange Online and request a list of mailboxes from the configured endpoint. All of this is accomplished by an Azure WebJob that leverages PowerShell Remoting to perform the specified tasks. It worth noting that the customer will not need to enter Office 365 details at this point because the partner should have already provisioned the appropriate Office 365 subscription for the customer, and the partner has delegated administrative privileges over the tenant which enables this toolkit to perform operations in Exchange Online on the customers behalf. Since credentials for the customer’s environment are required to perform additional operations it is vital that those credentials be protected. In order to provide the proper protection all passwords are stored in an instance of Azure Key Vault. Key Vault utilizes hardware security modules to protect this sensitive information.


Since there is a chance new mailboxes might be added after the creation of the environment the ability to refresh an environment is important. When a customer clicks on the Refresh link the toolkit will ensure the migration endpoint has been created and request a complete list of the current mailboxes from the configured endpoint. When a customer clicks on the Delete link it will delete all migration batches and the environment information from the toolkit. When a customer clicks on the Batches link they will be taken to page that allows them to create, delete, and view existing migration batches.

When a new migration batch is added the customer must select which mailboxes they would like to be a member of the batch. Currently the ability to modify members of a batch after it has been created is not supported.


It is recommended that the value for the target delivery domain be set to the [tenant-name].mail.onmicrosoft.com. Be sure to replace the tenant-name value with the appropriate value based on the customer Azure AD tenant. As an example if the customer’s Azure AD tenant is fabrikam.onmicrosoft.com then the target delivery domain value should be configured to fabrikam.mail.onmicrosoft.com.


If you would like information on how to deploy this project then checkout the deployment documentation. Additional functionality will be added to the toolkit overtime. There are certain elements that I have already identified, such as reporting, that needs to be added in order to make this a more complete solution. If you would like to utilize this toolkit prior toolkit before I can get reporting added you can leverage Power BI to construct the reports that you need. Since this toolkit utilizes Azure storage tables to store all migration details (except credentials) you can easily construct any report that you see fit.