On Demand Migration Current - Active Directory User Guide

Home

Domain Move

Platform Requirements

Supported Environment Deployments  

Domain move between two Microsoft 365 tenants cloud-only or hybrid tenants is supported.

Exchange Hybrid Deployments  

Domain Move currently provides limited support for Exchange hybrid deployments. Environments with an Exchange Server 2013 (or later) hybrid deployment are supported, but with the following limits on functionality:

• Support for the Email Relay Service is limited to mail flow configurations that use Microsoft 365 for message ingress and egress. Centralized mail flow configurations that use the on-premises Exchange environment for inbound and outbound message delivery may require custom configuration with Support.

Application Service Account Requirements  

To set up a Domain Move project the following must be provided by the owner of each of the associated Microsoft 365 tenants.

1. Application Account: One (1) dedicated and licensed application service account to grant permissions and automatically orchestrate various activities within the project. This account must have the Exchange Online plan assigned to facilitate automatic email communications to end-users and project administrators during cutover activities, otherwise all communications will appear to be sent from the PowerShell account.
2. Roles: The Global Administrator role is required for connecting environments for projects and workflows to grant permissions and to create a PowerShell account within each configured tenant.
3. Licenses: At least one (1) E1 or above license must be available to be assigned to the PowerShell account for Migration/Integration Projects.

What are the minimum administrator roles required to manage a project?  

At a minimum, after project set up the following Microsoft 365 Role is required to automatically manage various aspects of your project.

1. Global Administrator Role

Important Tip: For the best application experience, it is always recommended to use the Global Administrator role. However, it is only required during the initial Project setup, reconnections to the tenant or during a Domain Cutover event, where more authority is required. All account and role management are strictly the responsibility of the tenant administrators.

Modern Authentication Requirements  

Domain Move projects take advantage of Modern Authentication to help manage your projects. Modern Authentication is the default behavior for all Microsoft 365 tenants. Unless it was disabled, no action is required. However, we recommend the following configuration parameter is validated prior to deployment.

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

If Modern Authentication is disabled it must be enabled prior to any migration activities can proceed. To enable Modern Authentication for Exchange Online, run this command under the correct authority.

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

Here is some additional information about how to Enable modern authentication in Exchange Online.

PowerShell  

The following accounts are required:

• Account: One Cloud-only account will automatically be created during project setup.
• Microsoft 365 Administrator Roles: Automatically assigned the Exchange and SharePoint Administrator roles.
• Microsoft 365 License Requirements: Automatically assigned one available license (E1 minimum) for destination tenants.

Important Note: This account will automatically be assigned the Global Administrator role at the start of a Domain Cutover event, where more authority is required to complete the process.

Domain Move Requirements

Source and Target Domain Pairing  

During configuration, you will be asked to choose your source and target domains for each tenant. This process is called domain pairing.

Source & Target User Matching Attributes 

• You will need to select a pair of attributes that will match exact values from the source user object to the target user object to discover and match the appropriate user accounts.

  • The available matching attributes are as follows, choose at least 1 with a maximum of 3:

    • userPrincipalName

    • mail

    • extensionAttribute1-15

Note: The userPrincipalName and mail attributes are matched based on the local part of the address and the paired Domains (e.g. Tom.Dean@contoso.onmicrosoft.com would use Tom.Dean@binarytree.onmicrosoft.com as a match against the target account.)

Multiple AD Forest Support  

If your organization has multiple Active Directory Forests are connected to your Microsoft 365 tenants, this is supported scenario for migration and integration. There are no additional requirements to support this deployment type.

Directory Synchronization  

Domain Move projects provide automatic orchestration of directory objects to provide capabilities to create and update directory objects during critical points within the migration or coexistence life cycle. To facilitate these activities the following is required for set up.

Local Agents for hybrid AD deployments  

For complete details about local Agents, visit Directory Sync Requirements.

Source & Target Organization Units for hybrid AD deployments  

Domain Move does not create Organizational Units. When deploying a Domain Move project that involves at least one (1) hybrid environment you must choose or create designated Organizational Units within your local AD Forest to allow new User or Contact objects be created.

Hybrid Tenant Support

The Active Directory forest attached to the Microsoft 365 Tenant must have the Microsoft Exchange 2010 SP3 (or later) schema extensions applied.

What is required to set up Directory Synchronization for Integration projects?  

For hybrid or mixed environments, where your local Active Directory (AD) is being synchronized to Azure AD the following is required.

1. At least one (1) Windows server to host the local Agent.
2. During set up, install at least one (1) local Agent in each AD Forest. Up to 5 agents are supported. One (1) agent per server.
3. Account credentials for one (1) AD account with permissions to create and update objects within the designated Organizational Units (OU).
4. Account credentials for one (1) Global Administrator within your Microsoft 365 tenant.
5. Designated OUs in each environment to create new objects.

For additional details about local Agents, visit Directory Sync Requirements.

For cloud only environments, where there is no local Active Directory the following is required.

1. Account credentials for one (1) Global Administrator within your Microsoft 365 tenant.

For more information about account permissions, click here.

Local Agents for hybrid AD deployments  

For complete details about local Agents, visit Directory Sync Requirements.

Source & Target Organization Units for hybrid AD deployments  

When deploying a Premium Integration project that involves at least one (1) hybrid environment you must choose or create designated Organizational Units within your local AD Forest to allow new User or Contact objects be created.

Hybrid Tenant Support

The Active Directory forest attached to the Microsoft 365 Tenant must have the Microsoft Exchange 2010 SP3 (or later) schema extensions applied.

Domain Sharing (Email Relay Services)  

To deploy Email Relay Services (ERS) between tenants the following will need to be ready prior to the configuration of the service.

During initial project set up you may choose to configure ERS now, if you are ready or later after the initial discovery is complete.

ERS Deployment Checklist:

The following checklist provides a quick reference to the items or decisions required to begin configuration of ERS.

1. Procure one (1) SSL single domain certificate for each tenant environment using one (1) of the accepted domains.
2. The password associated with the SSL certificate will be required when uploading each certificate.
3. Choose which domains will particulate in ERS.

Important Tip:When using advanced Email Relay Service, please ensure the MTA-STS policy includes the Email Relay Server’s MX record to avoid email disruption.

SSL Certificates  

To successfully configure the Email Relay Service, a valid SSL certificate must be procured for all source and target tenants. The certificate must contain a single accepted domain, one (1) for each tenant. The selected certificate cannot contain subject alternative names (SAN). The common name (Subject Name) must match one (1) of the Exchange Online accepted domains configured within the tenant.

This certificate is utilized to secure the Exchange Online connectors over TLS that will be used to transfer message between the Email Relay service and each tenant. The new certificates will be uploaded to the project using a PFX formatted certificate. PFX files contain the public key file (SSL Certificate file) and the associated private key file (password).

The requirements for the certificate are as follows: (Names are for example purposes only.)

• Common Name: contoso.com
• Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
• Bit length: 2048 or higher
• Must be valid for Server Authentication and Client Authentication.
• Must be signed by a trusted public root CA.
• Must contain a private key (password).
• Must not expire before the end of the project.
• Must have a Friendly Name defined.

Important Tip: The domain listed on the certificate cannot be moved as part of a Domain Cutover process. If you plan to move all accepted domains, you should plan to acquire a certificate for a newly created accepted domain to use as a placeholder. This domain will not be moved or used; it will be used only as the subject for the TLS certificate.

Domain Cutover  

There are no additional requirements to set up Domain Cutover services, however it is recommended that the following related topics be reviewed prior to execution.

Important Tip: The domain listed on the SSL certificate cannot be moved as part of a Domain Cutover process. If you plan to move all accepted domains, you should plan to acquire a certificate for a newly created accepted domain to use as a placeholder. This domain will not be moved or used; it will be used only as the subject for the TLS certificate.