
On Demand Migration Current - Active Directory User Guide

Domain Move Requirements

Source and Target Domain Pairing  

During configuration, you will be asked to choose your source and target domains for each tenant. This process is called domain pairing.

 

Source & Target User Matching Attributes 

  • Select the attribute(s) whose values will be compared, exactly, between each source user object and target user object to discover and match the corresponding accounts.

    • The available matching attributes are as follows; choose at least one and at most three:

      • userPrincipalName

      • mail

      • extensionAttribute1-15

Note: For userPrincipalName and mail the comparison uses the local part of the address together with the paired domains (for example, Tom.Dean@contoso.onmicrosoft.com is matched against Tom.Dean@binarytree.onmicrosoft.com in the target when those two domains are paired).
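The following PowerShell is an added example, not part of the Quest documentation or product code. It previews the matching rule offline so you can find unmatched and ambiguous accounts before discovery runs. The domain pairing and both user lists are constructed sample data; in practice you would feed it exports from Get-MgUser or Get-ADUser. Two details are assumptions not stated on this page: that any one of the chosen attributes may produce the match, and that two different target candidates for one source user should be reported as ambiguous rather than silently picking one.

```powershell
# Added example, not Quest product code. Sample data is constructed; the
# any-attribute and ambiguity rules below are assumptions beyond the page.

function Get-MatchKey {
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [string] $Attribute,
        [Parameter(Mandatory)] [hashtable] $DomainPairs,   # source domain -> target domain
        [Parameter(Mandatory)] [ValidateSet('Source', 'Target')] [string] $Side
    )
    $value = $User.$Attribute
    if ([string]::IsNullOrWhiteSpace($value)) { return $null }

    if ($Attribute -in @('userPrincipalName', 'mail')) {
        # UPN/mail match on the local part plus the *paired* domain, so both
        # sides are normalised to "localpart@<source domain>" before comparing.
        $parts     = $value.Trim().ToLowerInvariant() -split '@', 2
        $localPart = $parts[0]
        $domain    = if ($parts.Count -gt 1) { $parts[1] } else { $null }
        if (-not $domain) { return $null }
        if ($Side -eq 'Source') {
            if (-not $DomainPairs.ContainsKey($domain)) { return $null }   # unpaired domain never matches
            return "$localPart@$domain"
        }
        $sourceDomain = $DomainPairs.Keys | Where-Object { $DomainPairs[$_] -eq $domain } | Select-Object -First 1
        if (-not $sourceDomain) { return $null }
        return "$localPart@$sourceDomain"
    }
    # extensionAttribute1-15: exact (case-insensitive) value match.
    return $value.Trim().ToLowerInvariant()
}

function Find-UserMatch {
    param(
        [Parameter(Mandatory)] [object[]]  $SourceUsers,
        [Parameter(Mandatory)] [object[]]  $TargetUsers,
        [Parameter(Mandatory)] [hashtable] $DomainPairs,
        [Parameter(Mandatory)] [string[]]  $Attributes     # 1 to 3 of the supported attributes
    )
    if ($Attributes.Count -lt 1 -or $Attributes.Count -gt 3) { throw 'Choose between 1 and 3 matching attributes.' }
    $allowed = @('userPrincipalName', 'mail') + (1..15 | ForEach-Object { "extensionAttribute$_" })
    foreach ($a in $Attributes) { if ($a -notin $allowed) { throw "Unsupported matching attribute: $a" } }

    # Index target users per attribute so each source lookup is a dictionary hit.
    $index = @{}
    foreach ($a in $Attributes) {
        $index[$a] = @{}
        foreach ($t in $TargetUsers) {
            $k = Get-MatchKey -User $t -Attribute $a -DomainPairs $DomainPairs -Side Target
            if ($null -eq $k) { continue }
            if (-not $index[$a].ContainsKey($k)) { $index[$a][$k] = [System.Collections.Generic.List[object]]::new() }
            $index[$a][$k].Add($t)
        }
    }

    foreach ($s in $SourceUsers) {
        $candidates = @{}     # target id -> target object, de-duplicated across attributes
        $hitBy = @()
        foreach ($a in $Attributes) {
            $k = Get-MatchKey -User $s -Attribute $a -DomainPairs $DomainPairs -Side Source
            if ($null -ne $k -and $index[$a].ContainsKey($k)) {
                foreach ($t in $index[$a][$k]) { $candidates[$t.id] = $t }
                $hitBy += $a
            }
        }
        # One distinct target = match; several = ambiguous (clean the data before
        # migrating or the wrong account gets paired); none = unmatched.
        $status = switch ($candidates.Count) { 0 { 'Unmatched' } 1 { 'Matched' } default { 'Ambiguous' } }
        [pscustomobject]@{
            SourceUpn  = $s.userPrincipalName
            Status     = $status
            MatchedBy  = $hitBy -join ','
            TargetUpns = ($candidates.Values | ForEach-Object userPrincipalName) -join ';'
        }
    }
}

# Constructed sample data (not from a real tenant).
$pairs  = @{ 'contoso.onmicrosoft.com' = 'binarytree.onmicrosoft.com' }
$source = @(
    [pscustomobject]@{ id = 's1'; userPrincipalName = 'Tom.Dean@contoso.onmicrosoft.com'; extensionAttribute1 = 'EMP-1001' }
    [pscustomobject]@{ id = 's2'; userPrincipalName = 'ann.lee@contoso.onmicrosoft.com';  extensionAttribute1 = 'EMP-1002' }
    [pscustomobject]@{ id = 's3'; userPrincipalName = 'bob@fabrikam.com';                  extensionAttribute1 = $null }   # domain not paired
)
$target = @(
    [pscustomobject]@{ id = 't1'; userPrincipalName = 'tom.dean@binarytree.onmicrosoft.com'; extensionAttribute1 = 'EMP-1001' }
    [pscustomobject]@{ id = 't2'; userPrincipalName = 'ann.lee@binarytree.onmicrosoft.com';  extensionAttribute1 = 'EMP-1002' }
    [pscustomobject]@{ id = 't3'; userPrincipalName = 'alee@binarytree.onmicrosoft.com';     extensionAttribute1 = 'EMP-1002' }   # duplicate employee id
)
Find-UserMatch -SourceUsers $source -TargetUsers $target -DomainPairs $pairs -Attributes userPrincipalName, extensionAttribute1 |
    Format-Table -AutoSize
```

With the sample data, Tom.Dean is Matched by both attributes (the comparison is case-insensitive), ann.lee is Ambiguous because EMP-1002 appears on two target accounts, and bob@fabrikam.com is Unmatched because fabrikam.com is not in the domain pairing. Ambiguous rows are the ones to resolve in the directory before running discovery.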

 

Multiple AD Forest Support  

If your organization has multiple Active Directory forests connected to your Microsoft 365 tenants, this is a supported scenario for migration and integration. There are no additional requirements for this deployment type.

 

Directory Synchronization  

Domain Move projects automatically orchestrate directory objects: they create and update directory objects at critical points in the migration or coexistence life cycle. The following is required to set this up.

 

Local Agents for hybrid AD deployments  

For complete details about local Agents, visit Directory Sync Requirements.

 

Source & Target Organization Units for hybrid AD deployments  

Domain Move does not create Organizational Units. When deploying a Domain Move project that involves at least one (1) hybrid environment, you must choose or create designated Organizational Units within your local AD forest in which new User or Contact objects can be created.

 

Hybrid Tenant Support

The Active Directory forest attached to the Microsoft 365 Tenant must have the Microsoft Exchange 2010 SP3 (or later) schema extensions applied.

 

What is required to set up Directory Synchronization for Integration projects?  

For hybrid or mixed environments, where your local Active Directory (AD) is synchronized to Microsoft Entra ID, the following is required.

  1. At least one (1) Windows server to host the local Agent.
  2. During set up, install at least one (1) local Agent in each AD Forest. Up to 5 agents are supported. One (1) agent per server.
  3. Account credentials for one (1) AD account with permissions to create and update objects within the designated Organizational Units (OU).
  4. Account credentials for one (1) Global Administrator within your Microsoft 365 tenant.
  5. Designated OUs in each environment to create new objects.

For additional details about local Agents, visit Directory Sync Requirements.

For cloud only environments, where there is no local Active Directory the following is required.

  1. Account credentials for one (1) Global Administrator within your Microsoft 365 tenant.

For more information about account permissions, see “What permissions am I granting to Domain Move?” below.

 

 

Source & Target Organization Units for hybrid AD deployments  

When deploying a Premium Integration project that involves at least one (1) hybrid environment, you must choose or create designated Organizational Units within your local AD forest in which new User or Contact objects can be created.

 

 

Domain Sharing (Email Relay Services)  

To deploy Email Relay Services (ERS) between tenants, the following must be ready before the service is configured.

During initial project setup you may configure ERS immediately, if you are ready, or later, after the initial discovery is complete.

ERS Deployment Checklist:

The following checklist provides a quick reference to the items or decisions required to begin configuration of ERS.

  1. Procure one (1) single-domain SSL certificate for each tenant environment, issued for one (1) of that tenant's accepted domains.
  2. The password protecting the certificate's PFX file is required when each certificate is uploaded.
  3. Choose which domains will participate in ERS.

Important Tip: When using the advanced Email Relay Service, make sure that any MTA-STS policy published for a participating domain lists the Email Relay Server’s MX host. Sending servers that enforce MTA-STS refuse to deliver to an MX host that is not in the policy, so omitting it disrupts inbound mail.

 

SSL Certificates  

To configure the Email Relay Service successfully, a valid SSL certificate must be procured for every source and target tenant. Each certificate must be a single-domain certificate, one (1) per tenant: its common name (Subject Name) must be one (1) of the Exchange Online accepted domains configured in that tenant, and it must not list additional names as subject alternative names (SAN).

This certificate secures, over TLS, the Exchange Online connectors used to transfer messages between the Email Relay service and each tenant. Certificates are uploaded to the project in PFX (PKCS #12) format; a PFX file bundles the certificate (public key) with its private key, protected by a password.

The requirements for the certificate are as follows: (Names are for example purposes only.)

  • Common Name: contoso.com
  • Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
  • Bit length: 2048 or higher
  • Must be valid for Server Authentication and Client Authentication.
  • Must be signed by a trusted public root CA.
  • Must include its private key (the PFX is password-protected).
  • Must not expire before the end of the project.
  • Must have a Friendly Name defined.

Important Tip: The domain on the certificate cannot be moved as part of a Domain Cutover. If you plan to move all accepted domains, acquire the certificate for a newly created placeholder accepted domain; that domain is never moved or used for mail and serves only as the subject of the TLS certificate.
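As an added example (not Quest documentation or product code), the following PowerShell pre-flights a PFX against the certificate requirements above and the cutover caveat in this section and under Domain Cutover, before you upload it. It assumes Windows PowerShell 5.1 or PowerShell 7 with the .NET X.509 classes; the file path, accepted-domain list, project end date and cutover list are placeholders you replace with your own values. One interpretation is mine rather than the page's: publicly trusted CAs always emit a SAN extension that repeats the common name, so the check fails on any name beyond the CN rather than on the mere presence of the extension.

```powershell
# Added example, not Quest product code. Inputs (path, domains, dates) are placeholders.
function Test-ErsCertificate {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [Parameter(Mandatory)] [string[]]     $AcceptedDomains,          # from Get-AcceptedDomain in the tenant
        [Parameter(Mandatory)] [datetime]     $ProjectEnd,
        [string[]]                            $DomainsToCutover = @()    # domains you intend to move
    )
    $ns     = 'System.Security.Cryptography.X509Certificates'
    $cert   = New-Object "$ns.X509Certificate2" -ArgumentList $PfxPath, $PfxPassword, 'Exportable'
    $checks = [System.Collections.Generic.List[object]]::new()
    $add    = { param($Name, $Pass, $Detail)
                $checks.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # 1. Common Name must be exactly one of the tenant's accepted domains.
    $cn = if ($cert.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    & $add 'CN is an accepted domain' ($cn -and ($AcceptedDomains -contains $cn)) "CN=$cn"

    # 2. Single-domain only: any SAN entry other than the CN itself fails.
    $san      = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @(if ($san) { [regex]::Matches($san.Format($false), '[\w-]+(\.[\w-]+)+') | ForEach-Object Value })
    $extra    = @($sanNames | Where-Object { $_ -ne $cn })
    & $add 'No additional SAN names' ($extra.Count -eq 0) ($sanNames -join ', ')

    # 3. RSA key of 2048 bits or more.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    & $add 'RSA key >= 2048 bits' ($rsa -and $rsa.KeySize -ge 2048) $(if ($rsa) { $rsa.KeySize } else { 'not RSA' })

    # 4. EKU must include both Server Authentication and Client Authentication.
    $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $oids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object Value })
    & $add 'EKU: server + client auth' (($oids -contains '1.3.6.1.5.5.7.3.1') -and ($oids -contains '1.3.6.1.5.5.7.3.2')) ($oids -join ', ')

    # 5. Chains to a root this machine trusts (revocation skipped so the check runs offline).
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    & $add 'Chains to trusted root CA' ($chain.Build($cert)) (($chain.ChainStatus | ForEach-Object Status) -join ', ')

    & $add 'Has private key'        $cert.HasPrivateKey ''
    & $add 'Valid past project end' ($cert.NotAfter -gt $ProjectEnd) $cert.NotAfter.ToString('u')
    if ($IsWindows -or $PSVersionTable.PSEdition -eq 'Desktop') {   # FriendlyName is a Windows store property
        & $add 'Friendly Name defined' (-not [string]::IsNullOrWhiteSpace($cert.FriendlyName)) $cert.FriendlyName
    }
    # Cutover caveat: the CN's domain must stay put for the life of the project.
    & $add 'CN domain not scheduled for cutover' (-not ($DomainsToCutover -contains $cn)) $cn
    return $checks
}

$pw = Read-Host -AsSecureString 'PFX password'
Test-ErsCertificate -PfxPath "$PWD\contoso-ers.pfx" -PfxPassword $pw `
    -AcceptedDomains 'contoso.com', 'contoso.onmicrosoft.com' `
    -ProjectEnd (Get-Date '2026-06-30') -DomainsToCutover 'mail.contoso.com' |
    Format-Table Check, Pass, Detail -AutoSize
```

Run it on the machine that will upload the PFX; the trust check uses that machine's root store, and revocation is deliberately skipped so it does not depend on network access. The cryptographic service provider requirement is not checked here: the provider is fixed when the key pair is generated (for example in the certificate request), not something a PFX reliably records on every platform.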

 

Domain Cutover  

There are no additional requirements to set up Domain Cutover services; however, it is recommended that the following related topics be reviewed prior to execution.

Important Tip: The domain on the SSL certificate cannot be moved as part of a Domain Cutover. If you plan to move all accepted domains, acquire the certificate for a newly created placeholder accepted domain; that domain is never moved or used for mail and serves only as the subject of the TLS certificate.

Setup

This user guide covers the steps required to configure and perform a Domain Move. The Domain Move Quick Start Guide summarizes these steps and addresses some frequently asked questions.

Projects

What is a Domain Move Project?  

A project in Domain Move allows you to configure and manage a subset of features, services and capabilities related to specific environments and/or user groups.

 

How do I create a new Project?  

To create a new project, follow these steps:

  1. Click New Project to start a project.
  2. If a project option is not available, you do not have the required licenses.
  3. Follow the wizard, which guides you through the setup process until it is complete.

Environments

All Domain Move Projects require at least 2 Microsoft 365 environments to be added to your Domain Move Project, establishing at least one source and one target environment for integration activities. Additional environments can be added for more complex migration scenarios.

 

What is an Environment?  

In this context, a “tenant” or “environment” refers to a Microsoft 365 Worldwide subscription.

 

What should I prepare before adding a tenant?  

Before creating your project, it is recommended that an Application Service Account be created in each of your Microsoft 365 environments. This account will be used for the duration of the project or services requirement.

This account is used to grant delegated permissions to Domain Move. The administrator consents to the permissions the app requests, and the app then acts on behalf of the signed-in user when it calls Microsoft Graph; with delegated permissions the app can never do more than the signed-in user is allowed to do, which is why the account itself needs a highly privileged role. Some higher-privileged permissions require administrator consent. Domain Move requires Global Administrator consent for 4 Graph permissions anytime a tenant is added or reconnected.

Follow these recommended steps to prepare your accounts for project setup:

  1. Create a cloud-only Domain Move Application Service Account in each environment.
  2. The recommended account name is “Domain Move App Services”.
  3. Set the account password expiration date to correspond with the project end date, or set it to “do not expire”.
  4. Assign the Global Administrator role to the account.
  5. Assign a Microsoft 365 license to the user. The minimal subscription should include Exchange Online.
  6. Sign in to the account in Microsoft 365 for the first time to verify access.
  7. Make the account information available to the authorized administrator for each client environment.

Please Note: It is acceptable to use an existing administrator account if that is preferred.
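If you would rather script steps 1 through 5 than click through the admin center, the following Microsoft Graph PowerShell is an added example; it is not Quest's code, and the account name, tenant domain, usage location and license selection are assumptions to adjust for your tenant. It requires the Microsoft.Graph PowerShell SDK and an administrator able to consent to the listed scopes.

```powershell
# Added example, not Quest product code. Requires the Microsoft.Graph SDK; names are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All', 'RoleManagement.ReadWrite.Directory'

$upn = 'dm-appsvc@contoso.onmicrosoft.com'   # cloud-only: use the tenant's .onmicrosoft.com domain

# Steps 1-3: cloud-only account, random password, expiry disabled as recommended above.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)   # hand to the authorized admin (step 7) out of band

$user = New-MgUser -DisplayName 'Domain Move App Services' -UserPrincipalName $upn -MailNickname 'dm-appsvc' `
    -AccountEnabled -UsageLocation 'US' -PasswordPolicies 'DisablePasswordExpiration' `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

# Step 4: Global Administrator. The role object only exists once activated from its template.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }

# Step 5: a SKU that carries an Exchange Online mailbox plan and still has free seats.
$sku = Get-MgSubscribedSku | Where-Object {
    ($_.ServicePlans.ServicePlanName -match '^EXCHANGE_S_(STANDARD|ENTERPRISE)$') -and
    (($_.PrepaidUnits.Enabled - $_.ConsumedUnits) -gt 0)
} | Select-Object -First 1
if (-not $sku) { throw 'No license with an Exchange Online plan is available.' }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# Step 6 is a manual first sign-in. Because this is a standing Global Administrator whose
# password does not expire, record who holds it and remove the role (or the account) at project end.
```

Select-Object -First 1 takes the first qualifying SKU; if your tenant holds several (for example E1 and E3), filter on the SkuPartNumber you intend to spend rather than relying on enumeration order.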

 

How do I add an environment to my project?  

During the start of your project setup you will be asked to add your environments. Follow these steps to complete the process.

  1. Click the New Project button or open your existing project.
  2. Navigate through the setup wizard to the add an environment step.
  3. Click the New button.

  4. When you add a tenant, you will be prompted for your Microsoft account.
  5. Enter the credentials of an administrative account for this Microsoft 365 tenant.
  6. Read and accept the permission notice related to MS Graph permissions required to manage your projects.  Note that two SharePoint Migration API permissions are included to allow OneDrive for Business Accelerated Velocity Mode migration to function.


  7. You will then be returned to the Add Tenant screen. You will repeat this process for each tenant that is part of the project.

 

What happens when I add a Tenant to my Project for the first time?  

When setting up your project for the first time, a Binary Tree PowerShell account will be created in each tenant added to the project and the Domain Move App will be installed. This account is used for PowerShell related tasks and to provide full access to the source and target mailboxes for migration purposes.

To complete this process, each tenant must have at least 1 available Microsoft 365 license, so it may be assigned to the account.

  1. Domain Move uses the Application Service Account you created to sign in to Microsoft 365 and works with the resulting OAuth token. Your credentials are never stored by Domain Move or transmitted between Domain Move and Microsoft 365.

  2. Domain Move will add the Domain Move App to your Tenant. See figure 2 below.

  3. Domain Move will create a cloud only account in your Microsoft 365 tenant for PowerShell.

  4. Domain Move will license your new account with the available subscription that has the Exchange Online plan. A lower cost license will be used if available. For example, if you have both E3 and E1; E1 will be used if a license is available.

  5. Domain Move by default will grant the Exchange and SharePoint Administrator Roles to this account.

    Figure 2: Example Domain Move App

 

What permissions am I granting to Domain Move?  

Here is the list of minimal Graph permissions required to operate a Domain Move project.

  1. Read and write all users’ full profile (User.ReadWrite.All)

  2. Read and write all groups (Group.ReadWrite.All)

  3. Read and write directory data (Directory.ReadWrite.All)

 

How are these permissions being used?  

The following lists the basic use of each Graph permission.

  1. Read and write all users’ full profile (User.ReadWrite.All) – Used to read and move user email addresses.

  2. Read and write all groups (Group.ReadWrite.All) – Used to read and move group email addresses.

  3. Read and write directory data (Directory.ReadWrite.All) – Used to discover the Microsoft Entra ID directory and automate licensing.

 

Does Domain Move save my account password?  

Domain Move will not ask you to save or transmit your administrator credentials in any cloud environment endpoint configuration.

 

What account roles are required to manage my project(s)?  

For daily migration and integration operations and services, the minimum Microsoft 365 administrator roles required are:

  1. Global Administrator

 

What account roles are required to add or reconnect a tenant to my project(s)?  

Anytime a tenant is connected for the first time or reconnected later, the minimum Microsoft 365 administrator role required is:

  1. Global Administrator

 

When should I reconnect my tenant?  

There are a few reasons why you could be required to reconnect your Microsoft 365 tenant to your Domain Move project. The following lists the most common reasons this action is required.

  1. Microsoft 365 OAuth token has expired – The OAuth token issued when the tenant was connected expires after 90 days, so if your project runs longer than 3 months, refresh it by reconnecting the tenant to your project.
  2. Before a Domain Cutover event – Before a domain cutover, the application account’s role must be raised to Global Administrator so the domain move orchestration and automation can run.
  3. Application account has changed – If the Application Account is deleted, recreated or changed, you must reconnect the tenant to the project to continue services.

