Microsoft Office Tenant Migration

There are several scenarios in which you have to migrate a Microsoft Office tenant to a new one. Maybe you initially opened your tenant in the US region but now realize you need it in Europe. Whatever your case, Microsoft does not really offer a built-in solution to move a tenant to another region, so you have to do the migration on your own. In this blog post I will describe how I successfully migrated our tenant to Europe and each step I took. Hope it will be helpful to you!



Why did I have to move the tenant?

A few years ago my employer created a Microsoft Office tenant in the US region to use it with Microsoft Dynamics 365. The tenant was also used for Single Sign On (SSO) with Azure Active Directory and Azure AD Connect.

Since we are now starting to use cloud services more, we realized that we would rather have the tenant in the European region because our main user base is located in Europe. Microsoft can only move the Dynamics 365 instance to the new tenant; everything else has to be done manually by me. Since we didn't use Microsoft Exchange Online yet, there were no mailboxes to migrate. In case you are using Microsoft Exchange Online in your tenant, you have to add this step to your roadmap.

Roadmap for the tenant migration:

  1. Create new tenant in Europe with new tenant name
  2. Cancel all licenses at old tenant and get new licenses for new tenant
  3. Detach Azure AD Connect from old tenant
  4. Get rid of all dependencies of the custom domain attached to old tenant (e.g. User Principal Name, SMTP Address etc.)
  5. Delete custom domain from old tenant
  6. Assign custom domain to new tenant
  7. Connect Azure AD Connect to new tenant
  8. Assign Licenses to Users in new tenant
  9. Configure new tenant (Company Branding etc.)
  10. Add Enterprise Applications used for SSO
  11. OneDrive Configuration
  12. Test, Test, Test

Create new tenant with new tenant name

This is an easy task. Just create a new tenant in the region you prefer with a new tenant name since tenant names have to be unique globally.

Cancel all licenses at old tenant and get new licenses for new tenant

Licensing is something you have to check, whether you are using an Enterprise Agreement (EA) or retrieve your licenses from a Cloud Solution Partner (CSP). Ideally you can switch them over to the new region, but not every CSP offers their services in all regions.

Detach Azure AD Connect from old tenant

You can only synchronize your on-premises Active Directory to one Azure Active Directory. Therefore you have to stop the current connection to the old tenant. On the server where you have installed Azure AD Connect, run the following PowerShell commands:

Connect to your tenant:

Connect-MsolService

Deactivate Azure AD Connect:

Set-MsolDirSyncEnabled -EnableDirSync $false
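Disabling directory synchronization is not instantaneous, and Microsoft documents that the change can take up to 72 hours to complete; deleting the custom domain or reconnecting Azure AD Connect while the old tenant still reports sync as enabled will fail or leave half-synced objects behind. The following added example (my own code, not from the original post) wraps the command above in a check that polls the tenant until it reports sync as disabled. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the timeout values are arbitrary.

```powershell
# Added example (not from the original post): turn off directory sync and
# wait until the tenant actually reports it as disabled.
# Assumes: MSOnline module loaded, Connect-MsolService already run.
function Wait-MsolDirSyncDisabled {
    param(
        [int]$TimeoutMinutes = 30,   # how long to keep polling (assumed value)
        [int]$PollSeconds    = 60    # pause between polls (assumed value)
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $info = Get-MsolCompanyInformation
        if (-not $info.DirectorySynchronizationEnabled) {
            Write-Host "Directory sync is disabled (last sync: $($info.LastDirSyncTime))"
            return $true
        }
        Write-Host "Directory sync still enabled, waiting $PollSeconds s ..."
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Directory sync still reported as enabled after $TimeoutMinutes minutes; keep waiting before touching the domain"
    return $false
}

# Stop the sync scheduler on the Azure AD Connect server first so no sync
# cycle runs while the tenant flips the setting (ADSync module, same server)
Set-ADSyncScheduler -SyncCycleEnabled $false

# The command from the post, followed by the verification loop
Set-MsolDirSyncEnabled -EnableDirSync $false
Wait-MsolDirSyncDisabled
```

Only continue with the custom-domain steps below once the function returns $true; if it keeps returning $false after a few hours, that is the documented 72-hour window rather than an error.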

Custom Domain dependencies

You are probably using your own custom domain with your tenant. Before we can delete this custom domain we have to change all User Principal Names (UPN) back to their original *.onmicrosoft.com format. With the following PowerShell command you can change the UPN of all users in the tenant:

Get-MsolUser -All | foreach {Set-MsolUserPrincipalName -ObjectId $_.ObjectId -NewUserPrincipalName ($_.UserPrincipalName.Split("@")[0] + "@YOURTENANTNAME.onmicrosoft.com")}

Depending on how many users you have in your Azure AD this can take a while to process.

The next step is to give all your distribution groups a new primary SMTP address. This moves the custom-domain SMTP address to a secondary address, which we will then delete. For this you first have to connect to Exchange Online PowerShell and then run the following command:

Save credentials for your tenant login:

$UserCredential = Get-Credential

Connect to Exchange Online Powershell:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import Session to run commands:

Import-PSSession $Session -DisableNameChecking

PowerShell command to set the new primary SMTP address:

Get-DistributionGroup -ResultSize Unlimited | ForEach {Set-DistributionGroup -Identity $_.Name -PrimarySmtpAddress ($_.PrimarySmtpAddress.Split("@")[0] + "@YOURTENANTNAME.onmicrosoft.com")}

Delete all other SMTP addresses except the primary:

# User mailboxes that have more than one address, i.e. at least one alias
$users = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Where {$_.EmailAddresses.Count -gt 1}
$i = 0
foreach ($user in $users) {
    foreach ($email in $user.EmailAddresses) {
        # The primary address carries the upper-case "SMTP:" prefix; everything else is removed
        if ($email -ne ("SMTP:" + $user.PrimarySmtpAddress)) {
            Set-Mailbox -Identity $user.Name -EmailAddresses @{Remove = $email}
        }
    }
    $i++
    Write-Host $user.PrimarySmtpAddress "has been processed" $i"/"$users.Count
}

Remove aliases from distribution groups:

# Distribution groups that have more than one address, i.e. at least one alias
$groups = Get-DistributionGroup -ResultSize Unlimited | Where {$_.EmailAddresses.Count -gt 1}
$i = 0
foreach ($group in $groups) {
    foreach ($email in $group.EmailAddresses) {
        # Keep the primary address (upper-case "SMTP:" prefix), remove all others
        if ($email -ne ("SMTP:" + $group.PrimarySmtpAddress)) {
            Set-DistributionGroup -Identity $group.Name -EmailAddresses @{Remove = $email}
        }
    }
    $i++
    Write-Host $group.PrimarySmtpAddress "has been processed" $i"/"$groups.Count
}
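The two loops above remove every secondary address, including aliases on other domains you may want to keep. As an added example (my own code, not from the original post or from the scripts the post credits), here is a more targeted variant that only removes addresses on the domain you are about to delete, covers user, shared and room mailboxes as well as distribution groups in one pass, supports -WhatIf for a dry run, and skips objects whose primary address is still on the custom domain (Exchange will not let you remove a primary, so those have to be re-pointed first, as the post does for distribution groups). It assumes an open Exchange Online session, either the remote session shown above or one opened with Connect-ExchangeOnline from the ExchangeOnlineManagement module; "yourcustomdomain.com" is a placeholder.

```powershell
# Added example (not from the original post): remove only the secondary
# addresses that belong to the domain being deleted.
# Assumes: an Exchange Online PowerShell session is already open.
function Remove-CustomDomainAlias {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CustomDomain
    )
    $suffix = "@" + $CustomDomain

    # Mailboxes (user, shared, room, equipment) plus distribution groups
    $recipients = @(Get-Mailbox -ResultSize Unlimited) + @(Get-DistributionGroup -ResultSize Unlimited)

    foreach ($r in $recipients) {
        $primary = [string]$r.PrimarySmtpAddress

        # A primary address cannot be removed; it must be changed first
        if ($primary.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "$primary is still the primary address of '$($r.Name)'; change it before removing aliases"
            continue
        }

        # Only addresses whose domain part is the custom domain (SMTP, smtp, SIP ...)
        $toRemove = @($r.EmailAddresses | Where-Object {
            ([string]$_).Split("@")[-1] -eq $CustomDomain
        })
        if ($toRemove.Count -eq 0) { continue }

        if ($PSCmdlet.ShouldProcess($r.Name, "Remove $($toRemove -join ', ')")) {
            if ($r.RecipientTypeDetails -like '*Mailbox') {
                Set-Mailbox -Identity $r.Identity -EmailAddresses @{Remove = $toRemove}
            } else {
                Set-DistributionGroup -Identity $r.Identity -EmailAddresses @{Remove = $toRemove}
            }
            Write-Host "$($r.Name): removed $($toRemove.Count) address(es)"
        }
    }
}

# Dry run first (prints "What if:" lines only), then the real change
Remove-CustomDomainAlias -CustomDomain "yourcustomdomain.com" -WhatIf
Remove-CustomDomainAlias -CustomDomain "yourcustomdomain.com"
```

The -WhatIf pass is worth keeping in your runbook: it gives you a list of every object that will be touched, which doubles as the change record for the migration.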

To check whether any user still has an e-mail address on the custom domain connected to their account, you can run the following command to list them all:

Get-MsolUser -DomainName yourcustomdomain.com -All

Delete custom domain from old tenant

In your old tenant under Azure Active Directory -> Custom domain names, when you click on your domain you can see how often, and where, your custom domain is still referenced.

After I ran all the PowerShell commands above I still had 13 resources left. You can't delete the domain as long as it is still referenced by some resources. Most of them were accounts for meeting rooms that I had to change or delete manually in the Exchange Admin Center. I also had a few users who still had the domain attached somewhere; I deleted these users from Azure AD since I don't need them there anymore anyway.
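The portal only shows a count, and Get-MsolUser -DomainName only finds users whose UPN is on the domain; the leftovers in my case were room mailboxes and proxy addresses, which neither shows. The following added example (my own code, not from the original post) builds an inventory of every object that still references the custom domain, grouped by type, so the portal's number can be accounted for before you try to delete the domain. It assumes both the MSOnline session (Connect-MsolService) and the Exchange Online session from above are open; "yourcustomdomain.com" is a placeholder. It does not cover references outside users and Exchange recipients (for example application registrations), so a remaining difference to the portal count points there.

```powershell
# Added example (not from the original post): list every user and Exchange
# recipient that still carries an address on the custom domain.
# Assumes: Connect-MsolService and an Exchange Online session already run.
function Get-CustomDomainReference {
    param([Parameter(Mandatory = $true)][string]$CustomDomain)

    # Anchored, escaped pattern: "@yourcustomdomain.com" at the end of an address
    $pattern = "@" + [regex]::Escape($CustomDomain) + "$"

    # Azure AD users whose UPN or any proxy address is still on the domain
    $users = Get-MsolUser -All | Where-Object {
        $_.UserPrincipalName -match $pattern -or
        ($_.ProxyAddresses | Where-Object { $_ -match $pattern })
    }
    foreach ($u in $users) {
        [pscustomobject]@{
            Type    = 'AzureADUser'
            Name    = $u.DisplayName
            Address = $u.UserPrincipalName
        }
    }

    # Exchange recipients: user, shared, room and equipment mailboxes,
    # distribution groups, mail contacts ... anything with EmailAddresses
    $recipients = Get-Recipient -ResultSize Unlimited | Where-Object {
        $_.EmailAddresses | Where-Object { $_ -match $pattern }
    }
    foreach ($r in $recipients) {
        $hits = @($r.EmailAddresses | Where-Object { $_ -match $pattern })
        [pscustomobject]@{
            Type    = [string]$r.RecipientTypeDetails   # e.g. RoomMailbox
            Name    = $r.Name
            Address = ($hits -join ', ')
        }
    }
}

$refs = Get-CustomDomainReference -CustomDomain "yourcustomdomain.com"

# Summary per object type, then the full list
$refs | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize
$refs | Sort-Object Type, Name | Format-Table -AutoSize
```

Run this after each clean-up pass; when it returns nothing and the portal still shows references, the remaining ones are outside the scope of the MSOnline and Exchange cmdlets and have to be found in the respective admin center.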

As soon as the custom domain is not in use anymore you can delete it.

Assign custom domain to new tenant

Now it is time to assign the custom domain to the new tenant. You do it exactly like in the old tenant; you only have to change the TXT record in your domain's DNS so that Microsoft can verify it. You can do this immediately after you have deleted it from your old tenant; there is no grace period during which the domain is blocked for new tenants.
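The verification step fails silently if the new TXT record has not propagated yet, and the portal gives little feedback. As an added example (my own code, not from the original post), the following function polls a public resolver until the verification value the new tenant shows you is visible, so you press "Verify" only once it can succeed. It uses Resolve-DnsName from the Windows DnsClient module; "yourcustomdomain.com" and "MS=msXXXXXXXX" are placeholders for your own domain and the value the portal displays, and the resolver, attempt count and wait time are arbitrary choices.

```powershell
# Added example (not from the original post): wait for the domain
# verification TXT record to become visible in public DNS.
# Assumes: Windows with the DnsClient module (Resolve-DnsName).
function Test-DomainVerificationRecord {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$ExpectedValue,   # e.g. "MS=msXXXXXXXX" from the portal
        [string]$DnsServer   = "8.8.8.8",   # public resolver, chosen arbitrarily
        [int]$Attempts       = 10,
        [int]$WaitSeconds    = 30
    )
    for ($i = 1; $i -le $Attempts; $i++) {
        $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $DnsServer -ErrorAction SilentlyContinue
        # Each TXT answer carries its text in the Strings property
        $values = @($txt | ForEach-Object { $_.Strings })
        if ($values -contains $ExpectedValue) {
            Write-Host "Attempt ${i}: found '$ExpectedValue' for $Domain"
            return $true
        }
        Write-Host "Attempt ${i}: record not visible yet, retrying in $WaitSeconds s"
        Start-Sleep -Seconds $WaitSeconds
    }
    Write-Warning "Verification record for $Domain not seen after $Attempts attempts"
    return $false
}

Test-DomainVerificationRecord -Domain "yourcustomdomain.com" -ExpectedValue "MS=msXXXXXXXX"
```

Querying a public resolver rather than your internal DNS matters here: Microsoft verifies against public DNS, and an internal zone that already has the record proves nothing.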

 

Connect Azure AD Connect to new tenant

To connect Azure AD Connect you either set up a new server or run the configuration again on your old server so that it connects to the new tenant and starts synchronizing all objects.


Assign licenses and configure your new tenant

As soon as the synchronization is done (it took half an hour in my case) you can configure your new tenant. Assign Global Administrators as before and the new licenses to the users. If you had company branding for the login page etc., you also have to set this up again. The same goes for the Office Apps portal in case you had disabled applications etc.

If you used enterprise applications for SSO before, you also have to add them again in the new tenant and update the Object ID and the XML files so that these applications look at the new tenant for user information.

Last but not least, test your new tenant, test it again, and test it again... you will probably find something you forgot to set up 😉


Hope this blog post helped you a bit with your tenant migration! Let me know about it in the comments.

Thanks to Hamza Housson on Medium.com for all the PowerShell scripts.
