Migration phases actions and impacts for the migration from Microsoft Cloud Deutschland
Tenant migrations from Microsoft Cloud Deutschland (MCD) to the region "Germany" of Microsoft's Office 365 Global services are executed as a set of phases and their configured actions for each workload. This figure shows the ten phases of migration to the new German datacenters.
The migration process will complete over many weeks depending on the overall size and complexity of the organization. While the migration is underway, users and administrators are able to continue utilizing the services with notable changes detailed in this documentation. The graphic and table define phases and steps during the migration.
The migration of Azure services is not part of this documentation. For that information, see Migration guidance for Azure Germany.
|Opt-In||Hours||Customer||Opt your organization into the migration.|
|Pre-Work||Days||Customer||Complete the work needed to prepare users, workstations, and network for migration.|
|Azure Active Directory (Azure AD)||1-2 days||Microsoft||Migrate Azure AD organization to worldwide.|
|Azure||Weeks||Customer||Create new worldwide Azure subscriptions and transition Azure services.|
|Subscription & License Transition||1-2 days||Microsoft||Purchase worldwide subscriptions, cancel Microsoft Cloud Deutschland subscriptions, and transition user licenses.|
|SharePoint and OneDrive||15+ days||Microsoft||Migrate SharePoint and OneDrive for Business content, persisting sharepoint.de URLs.|
|Exchange Online||15+ days||Microsoft||Migrate Exchange Online content and transition to worldwide URLs.|
|Security & Compliance||1-2 days||Microsoft||Transition security & compliance policies and content.|
|Skype for Business||1-2 days||Microsoft||Transition from Skype for Business to Microsoft Teams.|
|Power BI & Dynamics 365||15+ days||Microsoft||Migrate Power BI and Dynamics 365 content.|
|Finalize Azure AD||1-2 days||Microsoft||Complete tenant cutover to worldwide.|
|Clean-Up||1-2 days||Customer||Clean up legacy connections to Microsoft Cloud Deutschland, such as Active Directory Federation Services (AD FS) Relying Party Trust, Azure AD Connect, and Office client restarts.|
|Endpoints Disabled||30 days||Microsoft||30 days after the finalization of Azure AD, the Microsoft Cloud Deutschland Azure AD service will stop endpoint access for the transitioned organization. Endpoint requests such as Authentication will fail from this point forward against the Microsoft Cloud Deutschland service. Customers running Azure workloads in the instance linked to Office 365 services in Microsoft Cloud Deutschland will be moved to the final migration phase later on.|
The phases and their actions ensure that critical data and experiences are migrated to the Office 365 Global services. After your tenant is added to the migration queue, each workload will be completed as a set of steps that are executed on the backend service. Some workloads may require actions by the administrator (or user), or the migration may affect usage for the phases that are executed and discussed in How is the migration organized?
The following sections contain actions and effects for workloads as they progress through various phases of the migration. Review the tables and determine which actions or effects are applicable to your organization. Ensure that you're prepared to execute the steps in the respective phases as required. Failure to complete necessary steps may result in service outage and might delay completion of the migration to the Office 365 services.
Applies to: All customers with an Office 365 tenant hosted in the Microsoft Cloud Deutschland (MCD) Microsoft can't migrate Office 365 tenants hosted in the MCD without consent.
|Customer Task: Grant consent for migration||Customer grants consent for the migration so that Microsoft gains the right to migrate and to orchestrate the transition of data and services to the Office 365 Global services instance. There are two ways:
|Tenant Admin: Monitor messages||The tenant administrator must monitor the Office 365 Message Center for updates on the migration phase status from this time on.||Customer can execute necessary tasks in time.|
Phase 1: Before the migration starts
Make sure that you are familiar with the migration preparation steps that apply to all customers.
In case you have set a DNS CNAME called msoid in one or many DNS namespaces that you own, you have to remove the CNAME until the end of phase 8 at the latest. You can remove the CNAME msoid any time before the end of phase 8. See the prework for DNS.
In case you are using single sign on for Office 365 and Azure in the Microsoft Cloud Deutschland instance, you must prepare and schedule your Azure subscription migration accordingly. Make sure that you understand the prework for Microsoft Azure.
Azure AD Connect with AD FS federation
Applies to: Customers with AD FS federation
When applied: Before phase 2 starts
If you are using Active Directory Federation Services (AD FS), make sure to back up your ADFS configuration before and after adding the relying party trust for the Office 365 Global service before the beginning of phase 2.
Phase 2: Azure AD Migration
In this phase the Azure Active Directory will be migrated to the new datacenter region and become active. The old Azure AD endpoints will be still available.
Exchange Online Hybrid - Modify AuthServer on-premises
Applies to: All customers using an active Exchange Hybrid Configuration with Exchange servers on-premises
When applied: After phase 2 ends
The AuthServer on-premises must be pointing to global Security Token Service (STS) for authentication after Azure AD migration is complete. This ensures that authentication requests for Exchange availability requests from users in migration state that target the hybrid on-premises environment are authenticated to access the on-premises service. Similarly, this will ensure authentication of requests from on-premises to Office 365 Global services endpoints. After Azure AD migration (phase 2) is complete, the administrator of the on-premises Exchange (hybrid) topology must add a new authentication service endpoint for the Office 365 Global services.
With this command from Exchange PowerShell, replace
<TenantID> with your organization's tenant ID found in the Azure portal on Azure Active Directory.
New-AuthServer GlobalMicrosoftSts -AuthMetadataUrl https://accounts.accesscontrol.windows.net/<TenantID>/metadata/json/1
Failing to complete this task may result in hybrid free-busy requests failing to provide information for mailbox users who have been migrated from Microsoft Cloud Deutschland to Office 365 services.
Phase 3: Subscription transfer
Applies to: All customers with an Office 365 tenant hosted in the Microsoft Cloud Deutschland (MCD)
|Subscriptions are transferred||The Microsoft Cloud Deutschland subscription will be migrated to corresponding Office 365 Global services subscription.
|Licenses are reassigned||Users with assigned Microsoft Cloud Deutschland licenses will be assigned licenses in the Office 365 Global instance.||
|Admin task Disable features||The admin needs to take an explicit action to disable those features, if needed.||
For information about how to disable service plans that are assigned to users' licenses, see Disable access to Microsoft 365 services while assigning user licenses.
|Admin task||Revise any customer processes that have dependencies on Microsoft Cloud Deutschland subscriptions or SKU GUIDs with the Office 365 services offering||Customer processes continue to work.|
Applies to: Microsoft Partners which are using the Office 365 Partner Portal
Between Phase 2 and phase 3, Partner Portal may not be accessible. During this time, Partner may not be able to access the tenant's information on the Partner Portal. Since each migration is different, the duration of in-accessibility could be in hours.
Additional information for Cloud Solution Providers is available in Partner tenant migration.
Phase 4: SharePoint Online
Applies to: All customers using SharePoint Online
In case you are still using SharePoint 2013 workflows, limit the use of SharePoint 2013 workflows during the SharePoint Online migration.
|SharePoint and OneDrive are transitioned||SharePoint Online and OneDrive for Business are migrated from Microsoft Cloud Deutschland to Office 365 Global services in this phase.
|SPO Admin: Republish SharePoint 2013 workflows||A SharePoint Online admin republishes the SharePoint 2013 workflows after the migration.||This is a required action. Failure to do so may result in user confusion, help desk calls and decreased productivity.|
|PowerShell user: Update to new module||All users of the SharePoint Online PowerShell module need to update module/Microsoft.SharePointOnline.CSOM to version 16.0.20717.12000 or above after the SharePoint Online migration is completed. Completion is communicated in the message center.||SharePoint Online via PowerShell or the client-side object model will no longer fail.|
- If your organization still uses SharePoint 2010 workflows, they'll no longer function after December 31, 2021. SharePoint 2013 workflows will remain supported, although turned off by default for new tenants starting on November 1, 2020. After migration to the SharePoint Online service is complete, we recommend that you to move to Power Automate or other supported solutions.
- Microsoft Cloud Deutschland customers whose SharePoint Online instance is not yet migrated need to stay on SharePoint Online PowerShell module/Microsoft.SharePointOnline.CSOM version 16.0.20616.12000 or below. Otherwise, connections to SharePoint Online via PowerShell or the client-side object model will fail.
- During this phase, the IP addresses behind the SharePoint URLs will change. After the transition to Office 365 Global services, the addresses for the preserved tenant URLs (for example,
contoso-my.sharepoint.de) will be changed to the Worldwide Microsoft 365 URLs and IP address ranges (SharePoint Online and OneDrive for Business).
- While SharePoint and OneDrive services are transitioned, Office Online may not work as expected.
- If a custom search configuration has been applied, import the search configuration after the transition is finished. The search configuration has to be exported before the transition as described in the pre-migration steps for SharePoint Online.
In case you are using eDiscovery, make sure you are aware of the eDiscovery migration experience.
Phase 5: Exchange Online
Starting with phase 5, Exchange Online mailboxes are moved from Microsoft Cloud Deutschland to Office 365 Global services.
The Office 365 Global services region is set as default, which enables the internal load-balancing service to redistribute mailboxes to the appropriate default region in Office 365 services. In this transition, users on either side (MCD or Global services) are in the same organization and can use either URL endpoint.
The new region "Germany" is added to the organization setup. Exchange Online configuration adds the new go-local German region to the transitioning organization.
- Transition users and services from your legacy MCD URLs (
https://outlook.office.de) to new Office 365 services URLs (
- The Exchange Online services (Outlook Web Access and Exchange Admin Center) for the new German datacenter region will be available from this phase, they will not be available before.
- Users may continue to access the service through legacy MCD URLs during the migration, however they need to stop using the legacy URLs on completion of the migration.
- Users should transition to using the worldwide Office portal for Office Online features (Calendar, Mail, People). Navigation to services that aren't yet migrated to Office 365 services won't function until they are migrated.
- This limitation applies to background services like "My Account" as well. My Account for Global services will become available after completion of phase 9. Until this, users must use the MCD portal to manage their account settings.
- The Outlook Web App won't provide the public folder experience during migration.
If you want to modify user photos during phase 5, see Exchange Online PowerShell - Set-UserPhoto during phase 5.
DNS Record for Autodiscover in Exchange Online
Applies to: Customers using Exchange Online with a custom domain
Customer-managed DNS settings for Autodiscover that currently point to Microsoft Cloud Deutschland need to be updated to refer to the Office 365 Global endpoint on completion of the Exchange Online phase (phase 5).
Existing DNS entries with CNAME pointing to autodiscover-outlook.office.de need to be updated to point to autodiscover.outlook.com.
Customers who do not perform these DNS updates upon completion of the migration phase 9 may experience service issues when the migration is finalized.
Validation errors in the Admin Center for custom domains for the Autodiscover entry can be ignored. Services will work properly only when the CNAME record has been changed to autodiscover.outlook.com.
Exchange Online PowerShell
Applies to: Exchange Online Administrators using Exchange Online PowerShell
During the migration phase, using the PowerShell cmdlets New-MigrationEndpoint, Set-MigrationEndpoint, and Test-MigrationsServerAvailability can result in errors (error on proxy). This happens when the arbitration mailbox has migrated to worldwide but the admin mailbox hasn't or vice-versa. To resolve this, while creating the tenant PowerShell session, use the arbitration mailbox as the routing hint in the ConnectionUri. For example:
New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid?email=Migration.8f3e7716-2011-43e4-96b1-aba62d229136@<tenant>.onmicrosoft.de" -Credential $UserCredential -Authentication Basic -AllowRedirection
Using the PowerShell cmdlet Set-UserPhoto results in an error if a user mailbox has been migrated but an administrator mailbox hasn't been migrated, or vice-versa. In this situation, an admin must pass the email-ID of the user whose photo needs to be changed in
ConnectionUri while creating the tenant PowerShell session:
<user_email> is the placeholder for the email-ID of the user mailbox.
- Users of Outlook Web App that access a shared mailbox in the other environment (for example, a user in the MCD environment accesses a shared mailbox in the Global environment) will be prompted to authenticate a second time. The user must first authenticate and access their mailbox in
outlook.office.de, then open the shared mailbox that is in
outlook.office365.com. They'll need to authenticate a second time when accessing the shared resources that are hosted in the other service.
- For existing Microsoft Cloud Deutschland customers or those in transition, when a shared mailbox is added to Outlook by using File > Info > Add Account, viewing calendar permissions may fail (the Outlook client attempts to use the Rest API
https://outlook.office.de/api/v2.0/Me/Calendars). Customers who want to add an account to view calendar permissions can add the registry key as described in User experience changes for sharing a calendar in Outlook to ensure this action will succeed. This registry key can be deployed organization-wide by using Group Policy.
- All customers using an active Exchange Hybrid Configuration are not able to move mailboxes from on-premises Exchange Server to Exchange Online, neither to Microsoft Cloud Deutschland, nor to the new datacenter region in Germany. Customers need to ensure that ongoing mailbox moves have been completed prior to phase 5 and will be resumed after completion this phase.
Test-MigrationServerAvailabiilty, a PowerShell cmdlet, during migration of Exchange from Microsoft Cloud Deutschland to Office 365 services might not work. However, it will work properly after migration is complete.
- If clients run into issues with credentials or authorization after mailboxes are migrated, reenter the on-premises administrator credentials in the migration endpoint by running
Set-MigrationEndpoint -Identity <endpointName> -Credential $(Get-Credential), or by setting the same by using Exchange Control Panel (ECP).
- Ensure that all users using legacy protocols (POP3/IMAP4/SMTP) for their devices are prepared to change the endpoints in their client after their Exchange mailbox has been moved to the new German datacenter region as described in the pre-migration steps for Exchange Online.
- Scheduling Skype for Business meetings in Outlook Web App is not available anymore after the mailbox has been migrated. If necessary, users have to use Outlook instead.
To find out more about the differences for organizations in migration and after Exchange Online resources are migrated, review the information in Customer experience during the migration to Office 365 services in the new German datacenter regions.
Phase 6: Exchange Online Protection / Security and Compliance
Applies to: All customers using Exchange Online
Back-end Exchange Online Protection (EOP) features are copied to the new region "Germany". Exchange Online enables routing from external hosts to Office 365 and historical tenant details are being migrated, which also includes back-end services for Security and Compliance features.
Customers using Exchange Online capabilities only (Non-Hybrid) do not need to pay attention at this stage.
Exchange Online Hybrid deployments
Applies to: All customers using an active Exchange Hybrid Configuration with Exchange servers on-premises
Make sure the Exchange prework have been applied before the migration step phase 5 begins. Exchange Online hybrid customers must run the latest version of the Exchange Hybrid Configuration Wizard (HCW) in "Office 365 Germany" mode to prepare the on-premises configuration for the migration to Office 365 global services.
- Between the start of the migration phase 6 and the completion of the migration phase 9 (when the Message Center notice is published), you need to run the HCW again using Office 365 Worldwide settings to point your on-premises systems to the Office 365 Global services. Failing to complete this task before phase 9 [Migration Complete] may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.
- Stop or delete any onboarding or offboarding mailbox moves, namely don't move mailboxes between Exchange on-premises and Exchange Online. This ensures the mailbox move requests don't fail with an error. Failure to do so may result in failure of the service or Office clients.
- Additional Send-Connectors that have been created besides the connector created by the HCW and which are targeting to Exchange Online must be updated in this phase immediately after the HCW run has been executed, otherwise they will stop working. The TLS domain must be updated for these Send-Connectors.
To update the TLS domain, use the following PowerShell command in your Exchange Server environment:
Set-SendConnector -Identity <SendConnectorName> -TlsDomain "mail.protection.outlook.com"
Phase 7: Skype for Business Online - Transition to Microsoft Teams
Applies to: All customers using Skype for Business Online
Review the pre-migration steps for Skype for Business Online migration and make sure you completed all steps. In this phase, Skype for Business will be migrated to Microsoft Teams. Existing Skype for Business customers are migrated to Office 365 Global services in Europe and then transitioned to Microsoft Teams in the region "Germany" of Office 365 services.
- Users won't be able to sign in to Skype for Business on the migration date. Ten days before migration, the customer will receive a message in the Admin center which announces when the migration will take place, and again when the migration begins.
- Policy configuration is migrated.
- Users will be migrated to Teams and will no longer have access to Skype for Business after migration.
- Users must have the Microsoft Teams desktop client installed. Installation will happen during the 10 days via policy on the Skype for Business infrastructure, but if this fails, users will still need to download the client or connect with a supported browser.
- Contacts and meetings will be migrated to Microsoft Teams.
- Users won't be able to sign in to Skype for Business between time service transitions to Office 365 services, and not until customer DNS entries are completed.
- Contacts and existing meetings will continue to function as Skype for Business meetings.
When a vanity domain has been configured for Skype for Business, the DNS entries must be updated. Please refer to Domains in the Microsoft 365 admin center and apply the changes in your DNS configuration.
If you have to connect to Skype for Business Online with PowerShell after migration phase 9 has been completed, use the following PowerShell code to connect:
Import-Module MicrosoftTeams $userCredential = Get-Credential Connect-MicrosoftTeams -Credential $userCredential
Known limitations until finalizing Azure AD migration
Microsoft Teams is leveraging features of Azure AD. While the migration of Azure AD is not completed, some features of Microsoft Teams are not fully available. After phase 9, when the migration of Azure AD has been finalized, the following features become fully available:
- Apps cannot be managed in the Microsoft Teams admin center.
- New teams can be created in the Microsoft Teams client only unless the Teams administrator has limited the permissions for users to create new teams. New teams cannot be created in the Microsoft Teams admin center.
- The web version of Microsoft Teams is not available.
Phase 8: Dynamics 365
Applies to: All customers using Microsoft Dynamics 365
Make sure that you are familiar with the prework for your Microsoft Dynamics 365 installation procedure.
Customers with Dynamics 365 require additional engagement to migrate the organization's Dynamics organizations independently.
|Microsoft Dynamics resources||Customers with Microsoft Dynamics will be engaged by Microsoft Engineering or Microsoft FastTrack to transition Microsoft Dynamics 365 to the Office 365 Global services instance.*||
* (i) Customers with Microsoft Dynamics 365 must take action in this migration scenario as defined by the migration process provided. (ii) Failure by the customer to take action will mean that Microsoft will be unable to complete the migration. (iii) When Microsoft is unable to complete the migration due to the customer's inaction, then the customer's subscription will expire on October 29, 2021.
Phase 8: Power BI
Applies to: All customers using Microsoft Power BI (PBI)
|Migration of Power BI resources||Customers with Microsoft Power BI (PBI) will be engaged by Microsoft Engineering or Microsoft FastTrack after manually triggering an existing PBI migration tool to transition Power BI to the Office 365 Global services instance.**||
** (i) Customers with Microsoft Power BI must take action in this migration scenario as defined by the Migration process provided. (ii) Failure by the customer to take action will mean that Microsoft will be unable to complete the migration. (iii) When Microsoft is unable to complete the migration due to the customer's inaction, then the customer's subscription will expire on October 29, 2021.
Phase 9: Office Apps
Applies to: All customers using Office desktop applications (Word, Excel, PowerPoint, Outlook, OneDrive ...)
In this phase, all client applications and Office Online are performing the client cutover. Azure AD finalizes the tenant scope to point to the Office 365 services and the related endpoints.
Office 365 tenants transitioning to the region "Germany" require all users to close, sign out from Office 365 and back in for all Office desktop applications (Word, Excel, PowerPoint, Outlook, etc.) and OneDrive for Business client after the tenant migration has reached phase 9. Signing out and in, allows the Office services to obtain new authentication tokens from the global Azure AD service.
In case the Office desktop applications will not work after performing signing out and signing in from the applications, we strongly recommend running the Office Client Cutover Tool (OCCT) on the affected machine to fix the problem.
If the Office Client Cutover Tool (OCCT) has been deployed and scheduled on Windows clients in advance, the sign-out/sign-in procedure is not required.
The best user experience can be ensured by using most recent Office applications. Enterprises should consider using the Monthly Enterprise Channel.
Make sure you have completed the prework for mobile devices procedure.
- Notify users to close all Office apps and then sign back in (or force clients to restart and users to sign in) to enable Office clients to pick up the change.
- Notify users and help desk staff that users may see an Office banner that prompts them to reactivate Office apps within 72 hours of the cutover.
- All Office applications on personal machines must be closed, and users must sign out then sign in again. In the Yellow activation bar, sign in to reactivate against Office 365 services.
- Shared machines will require actions that are similar to personal machines, and won't require a special procedure.
- On mobile devices, users must sign out of apps, close them, and then sign in again.
Phase 9: Line-of-business apps
Applies to: All customers using line-of-business apps connected to Office 365
In case you have line-of-business apps, make sure you have completed the prework for line-of-business apps procedure.
Phase 9 & 10: Azure AD Finalization
Applies to: All customers
When the Office 365 tenant completes the final step of the migration (Phase 9: Azure AD Finalization), all services are transitioned to worldwide. No application or user should be accessing resources for the tenant against any of the Microsoft Cloud Deutschland endpoints. Automatically, 30 days after the finalization completes, the Microsoft Cloud Deutschland Azure AD service will stop endpoint access for the transitioned tenant. Endpoint requests such as authentication will fail from this point forward against the Microsoft Cloud Deutschland service.
Microsoft Azure customers must transition their Azure workloads following the steps described in the Azure migration playbook as soon as their tenant completes the migration to worldwide (Phase 9).
|Update user endpoints||Ensure all users access the service using the proper Microsoft worldwide endpoints||30 days after the migration finalizes, the Microsoft Cloud Deutschland endpoints will stop honoring requests; client or application traffic will fail.|
|Update Azure AD application endpoints||You must update Authentication, Azure Active Directory (Azure AD) Graph, and MS Graph endpoints for your applications to those of the Microsoft Worldwide service.||30 days after the migration finalizes, the Microsoft Cloud Deutschland endpoints will stop honoring requests; client or application traffic will fail.|
|Migrate Azure Workloads||Azure services customers must provision new worldwide subscriptions for Azure services and execute migration per the Azure migration playbook.||When fully transitioned to the worldwide service (Phase 10), customers will no longer be able to access Azure workloads present in the Microsoft Cloud Deutschland Azure portal.|
Applies to: Customers with Azure AD registered or joined devices
After phase 9 has been completed, Azure AD registered and joined devices must be connected to the transitioned Azure AD instance in the new German datacenter region. Devices that are not re-joined to Azure AD may no longer operate at the end of phase 10. For detailed instructions and further details, please refer to the additional information about devices.
Azure AD Connect
Applies to: All customers synchronizing identities with Azure AD connect
|Update Azure AD Connect.||After the cut over to Azure AD is complete, the organization is fully using Office 365 services and is no longer connected to Microsoft Cloud Deutschland. At this point, the customer needs to ensure that the delta sync process has been finalized, and after that, change the string value of
||Change the value of
Make sure you read the post migration activities article and execute them accordingly.