With all the proper planning, budgeting, and coordination complete, it's now time to focus on the actual technical challenges that will be encountered when doing a tenant to tenant migration. Each area within Azure AD and Office 365 will provide common and unique challenges. However, the two areas that are typically the most challenging are identity and Exchange. Identity is the core foundation of Azure AD and Office 365 and is always the first workload to consider and plan for migration. Without it, nothing would work. Email is still a crucial form of business communication and is most commonly the first workload considered in any migration scenario (tenant to tenant or on-premises to cloud). These two areas typically have the most restrictive or extensive challenges to address and overcome when performing a tenant to tenant migration.
Azure Active Directory Identity
When we consider Identity, it’s typical that users will need to maintain their same username and move to the new tenant. The greatest challenge with any tenant to tenant migration is a Microsoft restriction that a single domain (e.g. contoso.com) can only exist in one tenant at a time. A domain cannot be removed from a tenant until all associated objects have been either removed or converted to another domain name, such as the initial onmicrosoft.com namespace. The picture below depicts that the domain acquiredcompany.com cannot exist in the ParentCompany.com Azure AD environment while also existing in the source tenant.
If you are using Azure AD Connect to synchronize your on-premises Active Directory, you are unable to switch the sync to the destination tenant until the domain is removed from the source tenant. However, Azure AD Connect can be fully staged and ready to go once the domain removal takes place. If the acquired company is already using Azure AD Connect, export or copy any existing customization or filtering that is in use so that the configuration stays consistent when re-syncing to the new tenant.
The actual username and object identities are the highest priority to plan for. However, there is much more than just the user accounts. As depicted below, both organizations, whether merging or acquiring, most likely have their own level of security and compliance policies, governance, and delegated permissions. There can also be several different provisioning procedures and naming conventions. Finally, sign-in methods (Managed or Federated Single Sign On) may be different between two organizations.
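The domain restriction described above means every object that still carries the domain has to be found and converted before the domain can be released. The following is an added example, not code from the original article or from Microsoft: it takes an exported object list and reports each attribute that still references the domain, the value it would take on the initial onmicrosoft.com domain, and whether that value is already held by another object. The function name, the input property names (Id, Type, UserPrincipalName, ProxyAddresses) and all sample values are assumptions of this example.

```powershell
# Added example: lists every attribute that still pins a domain to the source tenant
# and the value it would take on the fallback domain. Sample data is constructed.
function Get-DomainRemovalBlocker {
    param(
        [Parameter(Mandatory)] [object[]] $DirectoryObject,
        [Parameter(Mandatory)] [string]   $Domain,         # domain being moved
        [Parameter(Mandatory)] [string]   $FallbackDomain  # initial onmicrosoft.com domain
    )
    $suffix = '@' + $Domain   # leading '@' keeps sub.<domain> and xyz<domain> from matching
    $owner  = @{}             # address -> object Id; hashtable keys are case-insensitive
    foreach ($o in $DirectoryObject) {
        foreach ($a in @($o.UserPrincipalName) + @($o.ProxyAddresses)) {
            if ($a) { $owner[($a -replace '^[A-Za-z0-9]+:', '')] = $o.Id }
        }
    }
    foreach ($o in $DirectoryObject) {
        $refs = @($o.UserPrincipalName) + @($o.ProxyAddresses) |
            Where-Object { $_ -and $_.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) }
        foreach ($r in $refs) {
            # Keep any SMTP:/smtp:/SIP: prefix, swap only the domain part
            $new  = $r -replace ([regex]::Escape($suffix) + '$'), ('@' + $FallbackDomain)
            $bare = $new -replace '^[A-Za-z0-9]+:', ''
            [pscustomobject]@{
                Id        = $o.Id
                Type      = $o.Type
                Current   = $r
                Proposed  = $new
                # True when a different object already holds the proposed address
                Collision = $owner.ContainsKey($bare) -and $owner[$bare] -ne $o.Id
            }
        }
    }
}

$sample = @(   # constructed objects, shaped like a directory export
    [pscustomobject]@{ Id='u1'; Type='User';  UserPrincipalName='alice@acquiredcompany.com'
                       ProxyAddresses=@('SMTP:alice@acquiredcompany.com','smtp:alice@acquired.onmicrosoft.com') }
    [pscustomobject]@{ Id='u2'; Type='User';  UserPrincipalName='sales@acquired.onmicrosoft.com'
                       ProxyAddresses=@('SMTP:sales@acquired.onmicrosoft.com') }
    [pscustomobject]@{ Id='g1'; Type='Group'; UserPrincipalName=$null
                       ProxyAddresses=@('SMTP:sales@AcquiredCompany.com') }
)
Get-DomainRemovalBlocker -DirectoryObject $sample -Domain 'acquiredcompany.com' `
    -FallbackDomain 'acquired.onmicrosoft.com' | Format-Table -AutoSize
```

Rows flagged with Collision need a manual naming decision before the cutover window, since the rename would otherwise fail or land on the wrong mailbox.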
In a small acquisition, the parent company usually enforces its own policies onto the acquired company. However, in a merger situation, these policies, methods, and management aspects need to be analyzed and properly anticipated so that once the migration is complete, both entities can at minimum continue to perform day-to-day operations.
Another consideration when it comes to identity is which identity is going to be used for which workload during the transition. While coexistence may be possible for some workloads, there may be a situation in the transition period where end users will be forced to use an alternative user name, such as firstname.lastname@example.org, to access data from the legacy tenant.
The second workload that encounters the most obstacles is Exchange Online. In this day and age, email is well-embedded into an organization's communication structure and is typically still considered a critical business communication method.
The following chart lists the top challenges that come with most Exchange Online tenant to tenant migrations:
In the next and last part of this series, we will dive deeper into technical challenges for all other areas within Azure AD and Office 365 for tenant to tenant migrations. Enabling Technologies can help you enable secure productivity in the cloud by properly preparing you for moving to Azure AD and Office 365 based on Microsoft Best Practices. You can check out more in the Cloud section of our website.