Cross Tenant Personal OneDrive Data Migration

-

 

Personal Data migration OneDrive

In the previous chapters, it is stated: Teams make use of several M365 service. Especially for the personal side of Teams, Exchange and OneDrive are heavily involved.

Towards Teams migration, it is required, that ALL data is present in the target environment for Exchange Calendar and OneDrive (shared files).

Data Pre-Load

Data pre-load is much slow than you expected. This is the most important lesson learned.

While Exchange is faster than OneDrive, be aware of the time required for the data copying process.

Another important statement is: none of the existing solutions are SYNC solutions, data is only copied. Therefore, a co-existence and working parallel in both, source and target tenant can lead to data inconsistence. If data is changed in the target environment and in source, any delta sync will overwrite the target data, if source has a new change date. Same, if the target data is newer, changed source data will not be copied.

 

Throttling

All service in M365 are throttled !

Throttling limits are different across the tenants, smaller tenants have low limits than larger tenants.

For Exchange, throttling can be lifted upon certain stage. This must be requested via the support center in M365. But it is NOT removed.

For OneDrive, this is even more complex and throttling will occur. There is NO possibility lifting or removing throttling. Up on throttling limits are hit, the only possibility is WAITING and reducing the read/write request.

OneDrive, which is part of SharePoint Online has the following rough guidelines:

Avoid getting throttled or blocked in SharePoint Online | Microsoft Docs

The following table provides estimates of the type of speed you may achieve based on the types of content you're migrating.

Type of metadata

Examples

Maximum

Light

ISO files, video files

10 TB/day

Medium

List items, Office files (~1.5 MB)

1 TB/day

Heavy

List items with custom columns, small files (~50 kb)

250 GB /day

 

·       Large file size migrates faster than smaller ones. Small file size can result in larger overhead and processing time which directly impacts the performance.

·       Files migrate faster than objects and list items.

 

Lets do a quick and simple calculation. Assuming a tenant has 10.000 users and 500TB or SharePoint/ OneDrive data.

It can simply take up to 500 days migrating all data into the new target tenant!

 

Conclusion

Plan enough time for data migration. Test the speed between the production tenants. Be aware, that the migration slows down over time. If you are close to completion, the migration speed will be slower than the former average.

Speeding up the migration can only be archived by the following 2+1 solutions:

1.       Clean-up your environment. Delete and data not in use, or not required.

2.       Limit the amount of data required, e.g. do not copy version history, only data to certain date

3.       Use archiving/ backup solutions and store data anywhere else, e.g. Azure or on-premises.
Limiting the amount of data required to be copied.

 

There may be new tools in the future and it might get better and faster.

 

Co-existence DNS Domain issue

In the T2T migration, both tenant will have a co-existence phase. In each tenant DNS Names are registered and used for external service communication. This is from UPN login, Email (SMTP) and Teams SIP calls. A DNS name cannot be registered into two tenants at the same time. The Authority record will not allow this with M365.

There are solution, providing better user experience, but some service do not allow you working with both DNS names. Realtime solution, like Teams and data protection solution have no work-a-rounds.

For T2T migration you have two choices, either you apply the target DNS to all migrated users and service, while retire the source DNS domain. Second option is, migrating the source DNS domain into the target tenant during source tenant decommissioning.

1.       SMTP/ Email
Make use of an external cloud based SMTP redirect solution. This will allow an redirect of mail flow from source to target, keeping externally the same DNS domain in your emails send and received.

2.       Teams SIP/ Chat and Calls, Meetings
There is NOT possibility redirect or masking SIP flow with two DNS domains. Therefore, during user migration, a user migrated to the target tenant cannot have the source DNS SIP domain. You must use the existing DNS domain, or a temporary DNS domain.

3.       Data Protection (MIP/AIP)
MIP depends on an encryption key created in the source tenant, which is build based on the source DNS name. Therefore authentication/ de-/encryption is based on this.
Migrated content, not decrypted will only be accessible as long the source key exists. Therefore I suggest either migrating the key while you move the source DNS domain to the target tenant.
If the target DNS domain shall be used instead, you must de-crypt the data before copying and re-encrypt the data with the new MIP key in the target.

 

Another challenge are the shared services, like Teams Team/Channel or SPO and M365 groups service, as well as other service like Yammer, … There is no simple solution, providing access to a migrated user from target to source. Two possible solution you can think of:

1.       Keeping the user account in source active, while disabling the personal services if the user is migrated. The user must work in both tenants. This is complex situation for most of the users.

2.       Make us of Guest Access and provide for each user who is migrated a corresponding guest user access in the source tenant. This is at least a solution he could life with. But for the migration team, this is extremely complex and work intense.

The only way making a T2T less painful for users, is a proper Change & Adoptions approach. Key users, Champions and more would make a T2T migration more successful.

 

Cross-tenant Identity Mapping (preview) approach:

Cross-tenant mailbox migration - Microsoft 365 Enterprise

Cross-Tenant Identity Mapping is a feature that can be used during migrations from one Microsoft 365 organization to another (commonly referred to as a cross-tenant or tenant-2-tenant migration). It provides a secure method of establishing one-to-one object relationships across organization boundaries and automatically prepares the target objects for a successful migration.

With Cross-Tenant Identity Mapping, data remains within the Microsoft security boundary and is securely copied directly from the source organization to the target organization using specially configured Organization Relationships serving as a unidirectional trust.

This blog article is still designed for 3rd party tool usage and might be updated at a later stage.


Cross-tenant OneDrive migration approach:

Cross-tenant OneDrive migration overview - Microsoft 365 Enterprise

During mergers or divestitures, you commonly need the ability to move users OneDrive accounts into a new Microsoft 365 tenant. With Cross-tenant OneDrive migration, tenant administrators can use familiar tools like SharePoint Online PowerShell to transition users into their new organization.

SharePoint administrators of two separate tenants can use the Set-SPOCrossTenantRelationship cmdlet to establish an organization relationship, and the Start-SPOCrossTenantUserContentMove command to begin cross-tenant OneDrive moves.

Important Note:
Some special charaters in users names aren’t supported with ODB cross-tenant migration. This are: “_”, ….

Ensure the cross-tenant license has been assigned to a user before cross-tenant migration.



Comments

Post a Comment

Popular posts from this blog

How to hide users from GAL if they are AD Connect synchronized

-
Image
How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized Hiding User from GAL isn't possible if those are synchronized form On-Premises Active Directory. The local AD is the leading system for all important attributes, like SMTP, UPN and hiding from GAL. Especially during a cross-tenant migration, you do not want to see not migrated user in the GAL. Those User aren't actively working until their cut-over day. Since the Exchange Online attribute  msExchHideFromAddressList s is an AD on-premises parameter, we have two possible ways hiding user in BME from GAL.   Modify the AD Connect for your teant with a custom rule, by using a extensionAttribute to set the HidefromGAL. In this rule, for users which have an entry in the extensionAttribute, hiding / un-hiding will be controlled by AD Connect This is the best option for Cross-Tenant Migration, if you run 2 or more AD Connect system We direct modify the AD hide at
Read more

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

-
Image
Lync Edge Server FQDN and IP PORTS (Version 1.2, Update 26.11.2014) As we all know, we can configure Lync Edge Server in several way. 1) Single Edge Server with a SINGLE IP ADDRESS 2) Single Edge Server with MULTIPLE IP ADDRESSES (3x IPs) 3) Multiple Edge Server in a Pool, with MULTIPLE IP ADDRESSES (Zx 3 IPs) Regardless what we are going to configure, there are common / well-known TCP Port necessary making Lync work, which are: Access: Port: 443 and 5061 Conferencing: Port: 443 and (444) AV: Port: 443 (I have not listed other ports, e.g. STUN or the dynamic port range. This is not required for the topic discussed here) External FQDN with single IP address: What can we see here? If we are going to choose a single IP address, we would have TCP Port overlapping. Therefore the only way avoiding this is assigning other ports. Additionally we will also see and are reminded that Lync highly depends on DNS. If we have single IP, we must have use single, unique FQDN fo
Read more

MFA with Guest Access and different tenants settings

-
Image
There is an update regarding MFA Multi Factor Authentication. If you are guest with a different Tenant, the MFA Settings are now reflecting the settings of all tenants in a different way. Each MFA setting is reflected and you can setup your MFA device as per tenant and the admin settings allow. Login to your Profile in Office 365/ Azure AD: https://account.activedirectory.windowsazure.com/r/#/profile or https://myapps.microsoft.com Go to your PROFILE: Sign in to https://myapps.microsoft.com Select your account name in the top right, then select profile. Select Additional security verification. If might be happen, your admin hast configured MFA, so you wouldn't see this menu. Simply switch the tenant to the guest tenant where you need to configure MFA. Once you go back to your profile and you will find the MFA device and other settings a usual:
Read more