Traditionally, when Exchange Online tenants had to move mailboxes to another tenant within the same service, there was a need to offboard them from the source tenant and import data into the target tenant. Such tenant-to-tenant migrations typically involved the use of third-party tools and/or significant on-premises infrastructure dependency. Microsoft has introduced the new cross-tenant mailbox migration feature with which administrators can move mailboxes across the source and target tenants. This minimizes dependencies on their on-premises systems and eliminates the need to offboard and onboard mailboxes. In this article, we will explain the process involved in cross-tenant mailbox moves.
What Are the Prerequisites for Office 365 Cross-Tenant Migration?
The cross-tenant Exchange mailbox migration feature uses an invitation and consent model to establish an Azure Active Directory (Azure AD) application used for authentication between the two tenants. Cross-tenant mailbox moves also require organization relationships, migration endpoints, and other components. Here are the prerequisites for Microsoft 365/Office 365 cross-tenant migrations.
- Azure Key Vault for securely storing and accessing the certificate/secret to authenticate and authorize mailbox migration between tenants.
- Global admin permissions to run the deployment scripts to configure Azure Key Vault, Move Mailbox application, Exchange Online Migration Endpoint, and Organization Relationship.
- Mail-enabled security groups in the source tenant are required to scope the list of mailboxes that can move between tenants to prevent unintended users from being migrated.
- Microsoft 365 tenant ID of the trusted partner company with whom the mailboxes will be moved.
How to Prepare Target Tenant for Office 365 Cross-Tenant Migration?
At a high level, the following configuration actions have to be performed in the target tenant for Office 365 cross-tenant migration.
- Establish a Remote PowerShell connection with Exchange Online of the target tenant. Ensure that there are necessary permissions to run the PowerShell scripts for the setup.
- After downloading the scripts, ensure that the scripts are in the same location as the current Remote PowerShell session.
- Here is what happens while executing the PowerShell scripts:
  - A new Azure Resource Group is created if one is not provided, in which a Key Vault is added.
  - An Azure AD application and Access Policy are created for the Office 365 Exchange Online Mailbox Migration application, followed by a certificate to hold the secret to the migration application.
  - The certificate/secret generated in the previous step is uploaded to the migration application and mailbox migration permissions are assigned to it.
  - At this stage, the target tenant admin has to manually provide consent to the permissions given to the migration application.
  - After providing consent, an organization relationship is created with the target tenant, and a migration endpoint is created to pull mailboxes.
How to Prepare Source Tenant for Office 365 Cross-Tenant Migration?
After the target admin setup is complete, the source tenant has to be prepared for cross-tenant migration with the Exchange mailbox migration feature.
- Sign in to the mailbox with credentials generated by the target tenant admin during the setup.
- Click on ‘Get Started’ in the email invitation to authorize the migration application to pull mailboxes.
- Create mail-enabled security groups to control the list of mailboxes that can be allowed to be pulled from the tenant.
- Use a PowerShell script to create an organization relationship with the target tenant to specify that the mailbox migration application should be used for OAuth verification to accept the move request.
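Once the source tenant is configured, the organization relationship is what decides which mailboxes the partner can pull, so it is worth reviewing before any move is requested. The following is an added example, not part of the original article or Microsoft's deployment scripts: a hypothetical function, Test-MailboxMoveRelationship, that flags move-enabled relationships with no scoping group, no OAuth application, or an unexpected partner. It assumes DomainNames holds the partner tenant ID, and the sample objects and IDs are constructed.

```powershell
# Added example. Test-MailboxMoveRelationship is a hypothetical helper, not a built-in cmdlet.
function Test-MailboxMoveRelationship {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Relationship,
        [Parameter(Mandatory)] [string[]] $AllowedTenantId
    )
    process {
        if (-not $Relationship.MailboxMoveEnabled) { return }   # not used for mailbox moves
        $issues = @()
        if ("$($Relationship.MailboxMoveCapability)" -ne 'RemoteOutbound') {
            $issues += "capability '$($Relationship.MailboxMoveCapability)' is not RemoteOutbound"
        }
        if (-not $Relationship.MailboxMovePublishedScopes) {
            $issues += 'no mail-enabled security group scopes the move'
        }
        if (-not $Relationship.OAuthApplicationId) {
            $issues += 'no OAuth application ID for the migration application'
        }
        # Assumption: DomainNames lists the partner tenant ID(s).
        $unexpected = @($Relationship.DomainNames | ForEach-Object { "$_" } |
            Where-Object { $_ -notin $AllowedTenantId })
        if ($unexpected) { $issues += "unexpected partner: $($unexpected -join ', ')" }
        [pscustomobject]@{
            Name   = $Relationship.Name
            Scopes = @($Relationship.MailboxMovePublishedScopes) -join ', '
            Status = if ($issues) { 'REVIEW' } else { 'OK' }
            Issues = $issues -join '; '
        }
    }
}

# Constructed sample objects standing in for Get-OrganizationRelationship output.
$partner = '11111111-1111-1111-1111-111111111111'   # constructed tenant ID
$sample = @(
    [pscustomobject]@{ Name = 'ToPartner'; MailboxMoveEnabled = $true
        MailboxMoveCapability = 'RemoteOutbound'; MailboxMovePublishedScopes = @('T2T-Approved')
        OAuthApplicationId = '00000000-0000-0000-0000-000000000001'; DomainNames = @($partner) },
    [pscustomobject]@{ Name = 'Unscoped'; MailboxMoveEnabled = $true
        MailboxMoveCapability = 'RemoteOutbound'; MailboxMovePublishedScopes = @()
        OAuthApplicationId = $null; DomainNames = @('22222222-2222-2222-2222-222222222222') }
)
$sample | Test-MailboxMoveRelationship -AllowedTenantId $partner | Format-List

# In a session connected to the source tenant:
# Get-OrganizationRelationship | Test-MailboxMoveRelationship -AllowedTenantId '<target tenant ID>'
```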
How to Move Mailboxes Using Cross-Tenant Office 365 Migration Feature?
The process of performing cross-tenant Exchange mailbox migrations is similar to onboarding migration batches migrating from Exchange on-premises to Office 365/Microsoft 365. After setting up the necessary prerequisites, such as tenant relationships and configuration settings, admins with the Move Mailbox management role can use the New-MigrationBatch cmdlet to migrate mailboxes between tenants. The admin of the target tenant initiates the move to pull mailboxes after the necessary tenant authorization checks in a process that is similar to on-premises to cloud migrations. Mail users are finally updated with the target tenant address.
Apps4Rent Can Help with Cross-Tenant Migrations
While the cross-tenant Exchange mailbox migration feature simplifies Office 365 tenant-to-tenant migrations significantly, it has its drawbacks. As of now, the feature is available only through PowerShell and requires technical knowledge to trigger important moves. Additionally, it cannot perform Microsoft Teams tenant-to-tenant migration or migrate Auto Expanded archives.
As a Tier 1 Microsoft CSP, Apps4Rent offers comprehensive Office 365 tenant-to-tenant migration to move Teams, SharePoint, OneDrive, and other components apart from Exchange Online as a part of our managed services. Contact Microsoft-certified Office 365 cloud migration consultants, available 24/7 via phone, chat, and email for assistance.