SharePoint Extranet & intranet migration to SPO

Iron Contributor

I am trying to understand the possible approaches I can take for migrating my company's extranet & intranet to SharePoint Online.

Below are some key facts about the existing extranet:

1. The identity provider for the SharePoint extranet is CA SiteMinder.

2. Each extranet user has a registered account in the SiteMinder LDAP. This enables SSO between SharePoint and non-SharePoint sites.

3. All internal company users also have an identity in the SiteMinder LDAP (created through a sync job), through which they also access the extranet sites.

4. User profiles exist for both company users & external users in the SharePoint extranet.

The intranet is a fairly plain SharePoint installation with the company AD as identity provider. The user profile for the intranet is separate from the extranet.

 

Below are some approaches we are exploring:

Option 1: Merge intranet & extranet into a single Office 365 tenant:

Pros: 1. No double licence required for company users (around 3k users). 2. External users can be given free AAD licences.

Cons: 1. Challenges in making sure the people picker on internal sites shows only internal users. 2. Internal content can be shared with external users by accident.

Option 2: Separate Office 365 tenants for intranet & extranet:

Pros: 1. No data security issue. 2. Fewer technical challenges.

Cons: Double billing for internal company users, as they need access to the extranet as well.

Has anybody here done similar migrations, and what is the feasible approach?

12 Replies

Hi, I am in a similar situation and was disappointed that your post had not attracted more attention or response. Curious to hear what progress or decision you made.

We are currently using another external platform (Jive-X) to engage with a select subset of clients. We do not limit the number of client accounts that have access. We are billed by usage or clicks.

Hi Nadine, I am still evaluating the extranet strategy in SharePoint Online. But since the original post is old, I can update on some key things:
Option 1 is the most feasible approach: extranet users can be added to the tenant as "external users" and they need not be assigned any licences. Good governance (making sure internal sites have sharing disabled) can prevent accidental sharing of intranet sites with external users. The main disadvantage is that, since extranet users are present in our company Azure AD, they will appear in the SharePoint people picker even in the internal sites.

Option 2: For this there is no double licensing involved, as company users can be added as guests to the new tenant and reuse their existing licences in the second tenant. There is clear separation of internal and extranet tenants. An additional tenant needs to be purchased with a minimum of 250 seats.

What about using Azure AD B2C or B2B for external users? That way you can have better control over what people can share with whom.

Azure AD B2C is a very good candidate conceptually, as it provides social logins and the cost model is based on the number of sign-ins, etc., but it does not work with O365. O365 works only with an Azure AD B2B tenant.

Then B2B is the best option, as it solves your problem of content getting shared with external users, since you can control external sharing at the site collection level.

Thank you for the update - it was useful.

Dear all,
We had the same challenge internally: to migrate around 3000 on-premises SharePoint site collections spread across 17 SP2007 farms.

Among those farms, one was dedicated to extranet usage, with an extranet-dedicated AD (B2B domain) joined to our internal AD forest.

We evaluated the two options you specified, and the second case is too complex to manage in the end, so we decided to migrate all the site collections (excluding unused ones) to a single tenant URL, https://xxx.sharepoint.com

To separate the two kinds of sites we created a dedicated master page (Oslo-based) with a horizontal menu focused on the document library for the extranet, and the standard one for the intranet sites. We also defined a clear naming convention for the site collection URLs, similar to:
- Intranet = https://xxx.sharepoint.com/sites/[geoscope]-[businessorFunction]-[ShortSiteName]
- Extranet = https://xxx.sharepoint.com/sites/ext-[geoscope]-[businessorFunction]-[ShortSiteName]

Finally, we used the Sharegate tool with a mapping XML file (generated by a script we wrote) for the user accounts to migrate all the sites to SPO; the extranet sites were migrated without the external user accounts.
After the migration, the site owners had to invite the external users via the standard external sharing process (mapped to a Microsoft identity).
If you need technical details, feel free to contact me

Fab

PS1: This Microsoft identity invitation process also helped us prepare for GDPR, because we gave identity ownership back to the invited external user; we no longer maintain the external user's password or account for SharePoint Online.

PS2: That also helped us switch some intranet sites to extranet sites without big technical issues; we only have to enable the external sharing option for the site collection. By default, all created sites are in intranet mode with external sharing disabled.

PS3: For this volume, the migration project required around one year of work, so it is doable, and except for a small number of cases, no big issues were observed. The main challenge is SharePoint lists with a huge number of items (more than 20,000), which you have to detect before running the migration.
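The post above keeps intranet and extranet site collections apart by URL prefix and by the per-site external sharing setting (disabled by default, enabled only for `ext-` sites). The following script is an added example, not code from the thread or from its author, that enforces that convention with the SharePoint Online Management Shell. The admin URL, the `/sites/ext-` prefix and the `-Apply` switch are assumptions chosen to match the naming scheme in the post; adjust them for your tenant.

```powershell
# Added example (not part of the thread): report and optionally fix site
# collections whose SharingCapability does not match the ext-/non-ext-
# naming convention. Assumed values: tenant "xxx", prefix "/sites/ext-".
# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell
param(
    [string]$AdminUrl      = "https://xxx-admin.sharepoint.com",
    [string]$ExtranetPrefix = "/sites/ext-",
    [string[]]$Exclude     = @(),   # URLs that intentionally differ (root site, app catalog, ...)
    [switch]$Apply                  # without -Apply the script only reports drift
)

Connect-SPOService -Url $AdminUrl

# A site collection can never be more permissive than the tenant-level
# setting, so check the tenant first; otherwise Set-SPOSite on ext-* sites
# will not actually allow external sharing.
$tenant = Get-SPOTenant
Write-Host "Tenant SharingCapability: $($tenant.SharingCapability)"
if ($tenant.SharingCapability -eq "Disabled") {
    Write-Warning "Tenant-level sharing is Disabled; ext-* sites cannot share externally until it is raised."
}

$drift = foreach ($site in Get-SPOSite -Limit All) {
    if ($Exclude -contains $site.Url) { continue }

    $path       = ([uri]$site.Url).AbsolutePath
    $isExtranet = $path.StartsWith($ExtranetPrefix, [System.StringComparison]::OrdinalIgnoreCase)

    # Extranet: authenticated external users only (invited guests, no anonymous links).
    # Intranet: external sharing disabled, which also blocks accidental sharing.
    $expected = if ($isExtranet) { "ExternalUserSharingOnly" } else { "Disabled" }

    if ($site.SharingCapability -ne $expected) {
        [pscustomobject]@{
            Url      = $site.Url
            Current  = $site.SharingCapability
            Expected = $expected
        }
    }
}

if (-not $drift) {
    Write-Host "All site collections match the naming convention."
    return
}

$drift | Format-Table -AutoSize

if ($Apply) {
    foreach ($d in $drift) {
        Set-SPOSite -Identity $d.Url -SharingCapability $d.Expected
        Write-Host "Set $($d.Url) -> $($d.Expected)"
    }
} else {
    Write-Host "Run again with -Apply to change the sites listed above."
}
```

Run it without `-Apply` first and review the drift table: sites such as the root site, hub sites or the app catalog often need a setting that does not follow the prefix rule, and those belong in `-Exclude` rather than being flipped by the script. Re-run it periodically (or from a scheduled job) so that a site owner who raises sharing on an intranet site is detected rather than discovered after the fact.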

Thanks for sharing this info. Did you have any issue with the people picker? Did the external users end up in the people picker for internal sites, since they are in the same AAD?

There is only one AAD in our case, but when you invite an external user, the system creates a mapped user in your internal AAD pointing to the Microsoft identity system he/she used.

You can filter that when you go into the AAD portal and select the GUEST user type.

So the people picker uses that AAD list as its source when you add someone, and it works quite well.

The main issue observed is related to an invitation sent to someone, "USERA", who (for whatever personal reason) decided to forward the invitation email to someone else, "USERB" (his/her assistant, colleague, …); that creates a mapping in AAD and SharePoint with the display name of "USERA" but the email address of USERB.

That creates a mess internally, and we have had many support cases related to that cleanup task, because the only solution is to completely remove that account from our SharePoint and AAD.

 

I detailed that case issue here (in French):

 - http://blogs.developpeur.org/fabrice69/archive/2018/05/11/office-365-comment-supprimer-un-compte-ext...

 

Fab

 

You can prevent USERA from transferring invites to USERB by enabling the setting "External users must accept sharing invitations using the same account that the invitations were sent to". But coming back to my question regarding the people picker: since you have a single tenant, all external users will be present in your AAD as Guest accounts. So these users will end up in the people picker of the internal sites as well. How did you solve this problem? In my case the external users are 50k+, so finding users with common names will be tricky, as there can be multiple people with the same name. Yes, it does show the email in the people picker, but did you find any solution to avoid showing the external users in the internal sites' people picker?
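Two tenant-level controls are referenced in the exchange above: the "same account" invitation rule, and the guest accounts that the people picker surfaces. The script below is an added example (not from the thread or its participants) that sets both with the SharePoint Online Management Shell and then runs the "GUEST user type" filter mentioned earlier as a directory query. The admin URL is an assumption; the directory query uses Microsoft Graph PowerShell (the older `AzureAD` module has the equivalent `Get-AzureADUser -Filter "userType eq 'Guest'"`), and the name/mail mismatch check is a heuristic added here to spot the forwarded-invitation case, not a documented flag on the account.

```powershell
# Added example (not part of the thread). Assumed admin URL; requires
# Install-Module Microsoft.Online.SharePoint.PowerShell and
# Install-Module Microsoft.Graph.Users.
$AdminUrl = "https://xxx-admin.sharepoint.com"
Connect-SPOService -Url $AdminUrl

# 1. The admin-center checkbox "External users must accept sharing
#    invitations using the same account that the invitations were sent to".
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true

# 2. Stop the people picker from suggesting existing guests. This is
#    tenant-wide and suppresses type-ahead suggestions only: a guest whose
#    full e-mail address is typed still resolves, and the guest objects
#    remain in the directory.
Set-SPOTenant -ShowPeoplePickerSuggestionsForGuestUsers $false

# Confirm what is now in effect.
Get-SPOTenant | Select-Object RequireAcceptingAccountMatchInvitedAccount,
                              ShowPeoplePickerSuggestionsForGuestUsers,
                              SharingCapability

# 3. Guest audit: the same list the AAD portal shows under user type GUEST.
Connect-MgGraph -Scopes "User.Read.All"
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
              -Property DisplayName,Mail,UserPrincipalName,CreatedDateTime,ExternalUserState

$report = foreach ($g in $guests) {
    # Heuristic (added here, not an AAD attribute): a guest whose display
    # name shares no token with the mailbox local part is worth a look,
    # since a forwarded invitation yields USERA's name on USERB's address.
    $local      = if ($g.Mail) { ($g.Mail -split '@')[0] } else { "" }
    $nameTokens = @($g.DisplayName -split '[\s\.\-_]+' | Where-Object { $_.Length -ge 3 })
    $matches    = @($nameTokens | Where-Object { $local -like "*$_*" })
    $suspect    = ($nameTokens.Count -gt 0) -and ($matches.Count -eq 0)

    [pscustomobject]@{
        DisplayName      = $g.DisplayName
        Mail             = $g.Mail
        UPN              = $g.UserPrincipalName
        Invited          = $g.CreatedDateTime
        State            = $g.ExternalUserState   # PendingAcceptance / Accepted
        NameMailMismatch = $suspect
    }
}

# Review the suspicious ones on screen; keep the full list for the record.
$report | Where-Object NameMailMismatch | Format-Table -AutoSize
$report | Export-Csv -Path .\guest-audit.csv -NoTypeInformation
```

The suggestion setting only changes what the picker offers as you type, so it reduces the "wrong John Smith" risk in a tenant with 50k+ guests but does not stop a site member from sharing with a guest by full address; the per-site `SharingCapability` of the intranet sites is what actually blocks that. Treat the mismatch column as a starting point for the cleanup queue described above, not as proof of a forwarded invitation.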

This is a really good question, and to be honest I did not evaluate that question.

I never paid attention to that people picker question in intranet sites resolving the guest accounts.

But for your question, I tested our case by looking up someone in our AAD from an intranet site, and that does not work.

So did you observe that issue, or is it only a risk you imagine having?

 

Fab

Thanks for the screenshot. We do see Guest accounts in people picker for site collections where Sharing is disabled. Could you confirm this is not the case for you?