Tenant to Tenant Migration from Existing Hybrid Model

Copper Contributor

Our company was recently acquired, and the desire is to migrate our tenant into theirs.

 

- we are in a Hybrid deployment (1 remaining OnPrem Exchange server** and using AzureAD Sync)

- we are a relatively small shop (~51 accounts w/<400GB total in mailboxes, 200GB in OneDrive, very little in SharePoint)

- we create users and mailboxes OnPrem and migrate them to O365 and manage them OnPrem


**In preparation and testing for this, I have taken our OnPrem Exchange server out of the mailflow, pointed the MX records to O365, disabled the connectors, etc and mail flows perfectly fine. I also created a test user in our LocalAD and synced that account to O365 (didn't create a mailbox on the local Exchange server), assigned licensing and let it create an ExchangeOnline mailbox and that mail flows fine as well.

- they are not hybrid - they are using Azure AD Sync. They create and manage users in their local AD and sync them to O365 (same as we do)

- they do not have any OnPrem Exchange, so all of their users mailboxes are created in the cloud automatically as licenses are applied.

The question is, what is the best approach?
We've looked at some third party utilities for the migration that look good, but the concern with that method is what happens then to my local AD and AzureAD Sync; managing the existing users that were created, synced and then migrated; and my local users authenticating to it, etc? Are we going to be able to fully decommission the last Exchange server and not lose the ability to manage our folks. I need them to authenticate to our Local AD so do I then point AzureAD Sync to the domain in the new tenant?

We talked about the possibility of simply creating the users manually in the other tenant, then exporting/importing their data to their new accounts (instead of migrating the account itself) to remove the need to maintain an OnPrem Exchange server if the users weren't created locally then migrated. How then does that affect them authenticating to our local AD since as I understand it, you cant sync from AzureAD back to a local AD.

What about the possibility (same as what I wrote in BOLD above) of recreating all of the users in my local AD (with a different UPN), not creating mailboxes locally, syncing them to 0365, assigning licensing and letting the ExchangeOnline mailbox be created automatically (no mailbox migration like we are currently doing). Then we could import their PST to their new mailbox. Now, the users WOULD exist in our localAD and when we migrate that new batch of users to the new tenant, we could point AzureAD Sync to the new tenant and it should sync. AND since they never had a mailbox on our OnPrem Exchange server, there would be no need to maintain it.

 

 

Appreciate any help on working through this!

4 Replies
The need for Exchange box on-premises is for staying in supported configuration, you can manage objects and attributes even without it just fine, you simply lose the "supportability" bit. Which seems to be the case for the other company anyway. Moreover, if you have migrated all mailboxes to ExO already, you can at least remove the Hybrid config, as you probably don't need it anymore. Regardless, you will have to make a decision on what the "end state" should be. Every configuration involving dirsync/AAD Connect "requires" the Exchange box.
If you want to manage objects centrally from AD, you will need the objects from the acquired company represented in AD. A more complex variation of the same theme is cross-forest migration, but since you plan to have all mailboxes in ExO anyway, that's an overkill. Probably the simplest solution is to do the migration to a single/consolidated tenant, either manually, leveraging the cross-tenant mailbox move functionality or via third-party tools, and ensuring there is a matching user object in your AD, so that you can continue managing them centrally.
Now, if you want mailboxes to be correctly represented on-premises, things get a bit more complicated, but judging from the above you have already opted to use the "simpler" model and are fine with it.

@Vasil Michev Appreciate the reply.

 

Yes, I was planning on stripping out the hybrid model first. I don't see any continuing need at this point.

 

The EndState:

- Company1.com domain moved to Company2's tenant

- Company1's users and data are migrated into Company2's tenant and associated with Company1.com

- all Company1's mailboxes are in ExO within Company2's tenant

- decommission Company1's last OnPremEX

- Company1's local AD sync's with Company1.com in AAD in Company2's tenant

- Company1's users and local resources continue to authenticate as always (against Company1's local AD)

 

If we simply move our existing domain into Company2's tenant then migrate the users in Company1 (my company) into Company2's tenant (including all of their data) and associate them with my domain there, am I able to continue to use Company1's local AD to manage and maintain users by just pointing AD Sync to the domain within the new tenant? AND will the local AD for Company1 continue to function for local authentication as it currently is?

Yes, though "just pointing ADSync" usually means you need to reinstall/reconfigure. But yeah, it's doable. Or you can just go the extra mile and consolidate both ADs.

thanks @Vasil Michev 

 

re-setting up sync isn't a big deal and we aren't ready to consolidate. I think this is the plan of attack we'll take.