Can I remove Global Administrator from my account after creating my project?
Yes. However, the Global Administrator role must be added back to the account during an active domain move, as it is required to remove the domain from the source tenant and add it to the target tenant.
Can I use a wildcard certificate for Advanced Email Relay Service?
Advanced Email Relay Service requires a single-subject SSL certificate with both private and public keys attached. Wildcard certificates are not supported.
Domain Move Relay Service being discontinued after Dec 31, 2025.
The Domain Move Relay feature, which automatically redirects incoming email to target user mailboxes during the domain transfer process, will be discontinued after Dec 31, 2025. To accommodate this change, inbound email delivery can be temporarily interrupted while the domain is migrated between two M365 tenants. Typically, Internet mail servers will attempt to deliver new email for up to 24 hours. Email queuing can be achieved by changing the primary MX record from the M365 tenant to an unreachable domain.
However, note that using this method may result in some email returning as non-deliverable (NDR) if the primary MX record is not promptly restored to M365. Alternatively, a third-party email queuing service can be used to queue your email for extended periods (days or weeks). Once the migration is complete, queued messages will be delivered to the target M365 tenant.
During the migration of the domain, the system will prompt for redirecting the MX record. The admin may temporarily reconfigure the mail flow by changing the primary MX record to a non-deliverable domain. By default, email will be queued and retried for up to 24 hours.
I am receiving an error during the remove addresses step related to duplicated addresses. How can I locate the duplicate accounts?
When the domain under move is removed, On Demand Migration Active Directory replaces the domain in the email address and/or userPrincipalName with the replacement domain name. If the replacement address already exists in the directory, the domain move process will generate an error and alert migration administrators. An administrator can use the following PowerShell script to find objects that still have the domain name attached and perform any remediation needed.
# Replace xxx.com with the domain being moved.
Get-AzureADUser -All:$true | where { ($_.ImmutableId -ne $null) -and (($_.UserPrincipalName -like '*xxx.com') -or
($_.Mail -like '*xxx.com') -or ($_.ProxyAddresses -like '*xxx.com')) } | select "UserPrincipalName", ImmutableId
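The script above lists objects that still carry the domain; it does not show which of them will collide. The following added example (not part of the product or its documentation) computes each would-be replacement address and reports the ones another object already holds. It assumes the replacement address keeps the local part and swaps in the replacement domain; the function name, the domain names and the sample objects are constructed for illustration.

```powershell
# Added example: flag addresses that would collide once the domain suffix is swapped.
# Assumption: replacement address = same local part + replacement domain.
function Find-ReplacementCollision {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string]   $MovingDomain,
        [Parameter(Mandatory)] [string]   $ReplacementDomain
    )
    # SMTP addresses held by one object: UPN, Mail and smtp: proxy addresses, lower-cased.
    $getAddresses = {
        param($u)
        $proxies = @($u.ProxyAddresses) -match '^smtp:' -replace '^smtp:', ''
        @($u.UserPrincipalName, $u.Mail) + @($proxies) |
            Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
    }
    # Index: address -> ObjectIds that currently hold it.
    $owners = @{}
    foreach ($u in $Users) {
        foreach ($a in (& $getAddresses $u)) {
            if (-not $owners.ContainsKey($a)) { $owners[$a] = @() }
            $owners[$a] += $u.ObjectId
        }
    }
    $suffix = '@' + $MovingDomain.ToLowerInvariant()
    foreach ($u in $Users) {
        foreach ($a in (& $getAddresses $u)) {
            if (-not $a.EndsWith($suffix)) { continue }
            $new    = $a.Substring(0, $a.Length - $suffix.Length) + '@' + $ReplacementDomain.ToLowerInvariant()
            $others = @($owners[$new] | Where-Object { $_ -and $_ -ne $u.ObjectId })
            if ($others.Count -gt 0) {
                [pscustomobject]@{
                    UserPrincipalName  = $u.UserPrincipalName
                    CurrentAddress     = $a
                    ReplacementAddress = $new
                    AlreadyHeldBy      = $others -join ', '
                }
            }
        }
    }
}

# Constructed sample objects shaped like Get-AzureADUser output (domains are placeholders).
$sample = @(
    [pscustomobject]@{ ObjectId = 'id-1'; UserPrincipalName = 'jdoe@moving.example'; Mail = 'jdoe@moving.example'; ProxyAddresses = @('SMTP:jdoe@moving.example') }
    [pscustomobject]@{ ObjectId = 'id-2'; UserPrincipalName = 'john.doe@replacement.example'; Mail = $null; ProxyAddresses = @('smtp:JDoe@replacement.example') }
    [pscustomobject]@{ ObjectId = 'id-3'; UserPrincipalName = 'asmith@moving.example'; Mail = $null; ProxyAddresses = @() }
)
Find-ReplacementCollision -Users $sample -MovingDomain 'moving.example' -ReplacementDomain 'replacement.example'
```

Against a live tenant, pass the full result of Get-AzureADUser -All:$true as -Users rather than the filtered list, because the object that already holds the replacement address does not carry the moving domain. Only user objects are checked here.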
I am using the Basic Mode Email Relay Service for my domain move project. What is the best method to hold the email during the domain move and resume the delivery after the domain is moved?
The easiest solution is to change your MX records from Microsoft 365 to a domain that is not reachable during the domain move. For more details, please refer to this Microsoft link.
MX record change - Stop inbound mail flow
Change your primary MX record from Office 365 to a domain that is not reachable, e.g. "unreachable.example.com". Internet mail servers attempting to deliver new mail will queue the mail and attempt redelivery for 24 hours. Using this method, some email may return a non-delivery report (NDR) depending on the server attempting to deliver the email. If this is a problem, use an MX record backup service. There are many third-party services that will queue your email for days or weeks. Once your migration is complete, these services will deliver the queued mail to your new Office 365 organization.
NOTE: It is highly recommended to use either On Demand Migration Active Directory Email Relay Service or a third-party service to queue the email for final delivery to avoid any lost emails.
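One way to confirm the MX change took effect, and that it was reverted afterwards, is to classify the record set at each stage. This is an added example, not part of the product or the Microsoft guidance. It assumes the tenant's inbound host sits under mail.protection.outlook.com; the function name, state labels and sample records are constructed. It also flags a lower-priority MX that still points at Microsoft 365, since senders fall back to it when the primary is unreachable and mail is then delivered instead of queued.

```powershell
# Added example: classify an MX record set before and during the hold window.
function Get-MxHoldState {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $MxRecords,  # need NameExchange, Preference
        [Parameter(Mandatory)] [string] $HoldingHost
    )
    # Assumption: the tenant's inbound endpoint is under mail.protection.outlook.com.
    $m365 = '\.mail\.protection\.outlook\.com\.?$'
    # Keep MX answers only (other record types have no NameExchange); lowest preference first.
    $mx = @($MxRecords | Where-Object { $_.NameExchange } | Sort-Object Preference)
    if ($mx.Count -eq 0) {
        return [pscustomobject]@{ State = 'NoMx'; Primary = $null; StillM365 = @() }
    }

    $primary   = $mx[0].NameExchange.TrimEnd('.')
    $stillM365 = @($mx | Where-Object { $_.NameExchange -match $m365 } | ForEach-Object { $_.NameExchange })

    # Later checks override earlier ones, so the most significant finding wins.
    $state = 'Holding'
    if ($stillM365.Count -gt 0)    { $state = 'BackupMxStillDelivers' }
    if ($primary -ne $HoldingHost) { $state = 'UnexpectedPrimary' }
    if ($primary -match $m365)     { $state = 'DeliveringToM365' }

    [pscustomobject]@{ State = $state; Primary = $primary; StillM365 = $stillM365 }
}

# Constructed record sets shaped like Resolve-DnsName -Type MX output.
$before = @([pscustomobject]@{ NameExchange = 'moving-example.mail.protection.outlook.com'; Preference = 0 })
$during = @([pscustomobject]@{ NameExchange = 'unreachable.example.com'; Preference = 0 })
$leaky  = $during + [pscustomobject]@{ NameExchange = 'moving-example.mail.protection.outlook.com'; Preference = 10 }

foreach ($set in $before, $during, $leaky) {
    Get-MxHoldState -MxRecords $set -HoldingHost 'unreachable.example.com'
}

# Live use (requires DNS access):
# Get-MxHoldState -MxRecords (Resolve-DnsName -Name 'moving.example' -Type MX) -HoldingHost 'unreachable.example.com'
```

Run the live check against more than one resolver, since cached answers can lag the change until the old record's TTL expires.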
My company security policy does not allow the Global Administrator role to be assigned to the account. Can I still move my domain?
Yes, you can use On Demand Migration Active Directory to move your domain, but you will need to manually remove the domain from the source tenant and add it to the target tenant at the appropriate time. The Domain Move project will alert you that it is unable to automatically remove the domain due to a lack of permissions; at that point you may manually remove and add the domain. Once you have completed these steps, you may skip to the add email addresses step by clicking the Skip button.
The remove address step cannot continue because my hybrid objects in the cloud are still associated with my domain. What should I do?
On Demand Migration Active Directory removes the domain name from hybrid users by making changes to the on-premises Active Directory objects. After the objects are updated on-premises, these changes must be synced to Microsoft Entra ID. Verify in the Microsoft Entra ID Sync log that the changes are correctly synced to the cloud.
Will my end-users have to update or recreate their target Outlook Profiles when their Primary Email address is updated during a domain move?
No, Microsoft Outlook will automatically detect and update their Outlook profile when their primary address is changed.