Historically, when an Exchange Online admin needed to move mailboxes from one tenant to another, the typical way to do that was to offboard the mailbox from the source tenant and import it into a target tenant.
Today, we are thrilled to announce the Public Preview of a built-in cross-tenant mailbox migration service that enables you to move mailboxes between tenants with minimal on-premises infrastructure dependencies (the new service eliminates some but not all on-premises components). The new cross-tenant mailbox migration service eliminates the need to offboard and onboard mailboxes, resulting in a faster and lower-cost migration. This is particularly beneficial for organizations undergoing mergers, acquisitions, divestitures, or splits.
The new move process includes enhanced security, as well as the ability to scope moves. It uses an Enterprise Application in Azure Active Directory (Azure AD) and Azure Key Vault, allowing tenant admins to manage both authorization and the scoping of mailbox migrations from one tenant to another. Cross-tenant mailbox migrations use an invitation and consent model to establish the Azure AD Enterprise Application used for authentication between tenants.
Azure Key Vault is used to securely store and access the certificate/secret used to authorize and authenticate mailbox migration. For this reason, an Azure Key Vault subscription is required on the target tenant to perform cross-tenant mailbox migrations.
For the Public Preview, it is a recommended best practice to run the Microsoft-provided scripts with Global admin permissions to configure the Azure Key Vault storage and certificate, the move mailbox app, the migration endpoint, and the organization relationship.
In the source tenant, a mail-enabled security group is required prior to running setup. This group is used to scope the list of mailboxes that can move from the source tenant to the target tenant, which helps prevent unintended users from being moved.
You will also need the Tenant IDs for the source and target tenants, which you can find using these instructions.
After setting up the necessary prerequisites, including tenant relationships and configuration settings, admins with the Move Mailbox management role can use the New-MigrationBatch cmdlet to move mailboxes between tenants. The move process performs the necessary tenant authorization checks, and in all cases, the admin of the target tenant initiates the move (which we refer to as a pull move), just like the on-premises to cloud migrations. Currently, all moves are triggered using PowerShell, but support for the Exchange admin center is coming soon.
Be sure to read this article (documentation available soon), which covers the necessary prerequisites, walks you through the steps needed to use perform cross-tenant mailbox migrations, and it details about the Microsoft-provided scripts on GitHub.
We’re excited to have you try out this new feature, and we’d love to hear your feedback. Let us know what you think!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.