Chat now with support
Chat with Support

NOTICE! We are upgrading our support telephone services, implementing Genesys, starting the week of May 19, 2025

On Demand Migration Current - User Guide

About On Demand Migration Working with On Demand Migration Account Migration Mailbox Migration OneDrive Migration Microsoft Teams Migration Microsoft 365 Groups Migration SharePoint Migration Public Folders Migration Power BI Migration Troubleshooting Finalizing the Migration Appendix A: Using PowerShell Appendix B: How Queuing Works

Sensitivity Labels

Sensitivity labels in Azure are part of a broader information protection strategy to ensure that sensitive data is identified, classified, and appropriately protected, enhancing security and compliance across your organization. Sensitivity labels are a feature within the Microsoft Purview Information Protection solution (formerly part of Azure Information Protection).

The primary goal of sensitivity labels is to ensure that sensitive information is properly protected throughout its lifecycle. This includes:

  • Classifying data based on its sensitivity level (e.g., "Confidential", "Highly Confidential").
  • Protecting data by applying security settings, such as encryption, rights management, or watermarking.
  • Governance of how sensitive data is shared, accessed, and retained.

Sensitivity labels are integrated into various Microsoft 365 apps, such as Outlook, Word, and Teams, and protect sensitive information across Microsoft 365 services (like Word, Excel, PowerPoint, SharePoint, and OneDrive) and other cloud services. They allow seamless classification and protection of emails, documents, and other content directly from within the apps.

For more information about Sensitivity labels, see the Microsoft article Get started with sensitivity labels.

Sensitivity label definitions are not migrated. After you create the labels in the target tenant, you can discover and match the labels between your tenants to prepare On Demand Migration to migrate items with these labels across your tenants.

In this topic:

Prerequisites

The following application consents must be granted:

AIP protected content migration - Read

This application is required for the source tenant to migrate Sensitivity Labels applied to emails, calendar items, Office files and PDFs in Mail, OneDrive, SharePoint and Teams migrations. It cannot be used for the target tenant. The consent granted with this application is the minimal consent required to allow On Demand Migration to read from the Microsoft Information Protection Sync Service and the Azure Rights Management Service.

AIP protected content migration - Write

This application is required for the target tenant to migrate Sensitivity Labels applied to emails, calendar items, Office files and PDFs in Mail, OneDrive, SharePoint and Teams migrations. It cannot be used for the source tenant. The consent granted with this application is the consent required to allow On Demand Migration to read from the Microsoft Information Protection Sync Service and write to the Azure Rights Management Service.

Sensitivity Labels List View

The Sensitivity Labels List View is comprised of the following components:

Notification panel - presents relevant information and shortcuts to migration activities. It appears only when there is a notification.

Filter panel - consists of predefined filters for the Sensitivity List view. The predefined filters are:

  • Status - tracks the state of the account from discovery to migration from source to target tenant. See the Status column description below for a description of each status:

List View Actions Menu - contains links to sensitivity label activities and the search box. Each action is explained in greater detail in subsequent topics. See Searching for more information about working with the search box.

List View Columns - displays information about sensitivity labels in the source and target tenant. Some columns may be hidden by default. Use Edit Columns to show or hide columns in the list. The columns are as described below:

  • Source Label - Sensitivity Label discovered in the source tenant.
  • Target Label - Sensitivity Label in the target tenant.
  • Status - tracks the state of the sensitivity label from discovery to migration from source to target tenant. The description of each status is provided in the table below:

    Column Value Description
    Discovered Sensitivity Labels have been discovered in the source tenant.
    Matching Sensitivity Labels are being matched.
    Matched Sensitivity Labels have been successfully matched.
    Match Failed Sensitivity Labels matching task encountered one or more errors and did not complete.
    Stopped Sensitivity Labels matching task was stopped by a user.

  • Source Active - indicates whether or not the label is active in the source tenant.
  • Source Description - description for the label in the source tenant defined by the administrator.
  • Target Active - indicates whether or not the label is active in the target tenant.
  • Target Description - description for the label in the target tenant defined by the administrator.

Discovering Sensitivity Labels

  1. Log in to Quest On Demand and choose an organization if you have set up multiple organizations.
  2. From the navigation pane, click Migrate > Projects to open the My Projects list.
  3. Create a new project or open an existing project.
  4. From the Sensitivity Labels tile on the project dashboard click Open. Then select the Sensitivity Labels tab.
  5. Click Discover All in the menu. The New Discover Sensitivity Labels Task wizard starts. Each step is described below:
  6. Start
    1. Task Name - You can specify a custom name. The default name is Discover Sensitivity Labels Task.
    2. Click Next.
  7. Notification
    1. Send notification email once the task is completed - select this option to send a notification email when a discovery task completes.
      • Only in a case of failure - Select this option to send the email if the discovery task fails to complete successfully.
    2. Recipients - enter the email address of the recipients of this email. You can specify multiple recipient email addresses separated by semicolon.
  8. Schedule
    1. Choose from one of three options to schedule the task. The scheduler will be activated after you complete the task wizard.
      • Run now - task runs immediately.
      • Run later - task must be started manually.
      • Schedule - task will be started at a future date and time entered in the corresponding calendar field.
    2. Click Next.
  9. Summary
    1. Verify the task specifications as described below:
      1. Name - name of the task. The default name is Discover Sensitivity Labels Task. You can specify a custom name.
      2. Source tenant - name of the source tenant.
      3. Scheduled start - date and time when the task will start. Now indicates that the task will start immediately.
    2. Click Back to revise or review a previous step or click Finish to complete the task wizard and start the task as scheduled.
  10. When the task completes, the Sensitivity Labels list is updated.

Matching Sensitivity Labels

There are two ways you can match sensitivity labels from the source to sensitivity labels in the target tenant:

Matching labels selected from the list
  1. Log in to Quest On Demand and choose an organization if you have multiple organizations.
  2. From the navigation pane, click Migrate > Projects to open the My Projects list.
  3. Create a new project or open an existing project.
  4. Click the Sensitivity Labels tile, or click Open from the Sensitivity Labels tile to open the Sensitivity Labels workspace.
  5. Select the Sensitivity Labels tab and click Match > Match Selected. The New Sensitivity Labels Matching Task wizard starts. Each step is described below:
  6. Start
    1. Task Name - You can specify a custom name. The default name is Sensitivity Labels Matching Task.
  7. Matching
    1. Clear existing matches - select this option to clear previous matches of the selected sensitivity labels. The task clears only the match information stored in the On Demand repository, and does not impact the tenants.
    2. Match by path attribute - select this option to match labels based on the relative path of the selected sensitivity labels.
    3. Click Next.
  8. Notification
    1. Send notification email once the task is completed - select this option to send a notification email when a discovery task completes.
      • Only in a case of failure - Select this option to send the email if the discovery task fails to complete successfully.
    2. Recipients - enter the email address of the recipients of this email. You can specify multiple recipient email addresses separated by semicolon.
  9. Schedule
    1. Choose from one of three options to schedule the task. The scheduler will be activated after you complete the task wizard.
      • Run now - task runs immediately.
      • Run later - task must be started manually.
      • Schedule - task will be started at a future date and time entered in the corresponding calendar field.
    2. Click Next.
  10. Summary
    1. Verify the task specifications as described below:
      1. Name - name of the task. The default name is Sensitivity Labels Matching Task. You can specify a custom name.
      2. Source tenant - name of the source tenant.
      3. Target tenant - name of the target tenant.
      4. Scheduled start - date and time when the task will start. Now indicates that the task will start immediately.
    2. Click Back to revise or review a previous step or click Finish to complete the task wizard and start the task as scheduled.
  11. When the task completes, the Sensitivity Labels list is updated.
Matching labels from a CSV file

The CSV file lets you specify the labels that you want to match and ignore the rest. You can then use this file in the New Sensitivity Labels Matching from File Task wizard to match labels from the source to the target tenant.

The steps are as follows:

Download the relevant CSV template
  1. Log in to Quest On Demand and choose an organization if you have multiple organizations.
  2. From the navigation pane, click Migrate > Projects to open the My Projects list.
  3. Create a new project or open an existing project.
  4. Click the Sensitivity Labels tile, or click Open from the Sensitivity Labels tile to open the Sensitivity Labels workspace.
  5. Select the Sensitivity Labels tab and click Match > Match from file. The New Sensitivity Labels Matching from File Task wizard starts. Each step is described below:
  6. Start
    1. Task Name - You can specify a custom name. The default name is Sensitivity Labels Matching from File Task.
  7. Matching File
    1. Click Download Example File for the template that you want to use: One uses label ids and the other uses path and label names.
    2. Click Cancel to exit the wizard.
Prepare the CSV file
  1. Create a CSV file and add the attributes of the sensitivity label that you want to use to match the source with the target tenant labels. You can use any of the two formats shown below:
    1. Format 1Using sensitivity label ids
      1. SourceSensitivityLabelId - GUID of the label from the Microsoft Purview portal of the source tenant.
      2. TargetSensitivityLabelId - GUID of the label from the Microsoft Purview portal of the target tenant.
    2. Format 2Using label paths and names
      1. SourceLabelPath - relative path and name of the sensitivity label in the source tenant.
      2. TargetLabelPath - relative path and name of the sensitivity label in the target tenant.
  2. Save the CSV file that you created.
Start the Sensitivity Labels Matching from File Task
  1. Log in to Quest On Demand and choose an organization if you have multiple organizations.
  2. From the navigation pane, click Migrate > Projects to open the My Projects list.
  3. Create a new project or open an existing project.
  4. Click the Sensitivity Labels tile, or click Open from the Sensitivity Labels tile to open the Sensitivity Labels workspace.
  5. Select the Sensitivity Labels tab and click Match > Match from file. The New Sensitivity Labels Matching from File Task wizard starts. Each step is described below:
  6. Start
    1. Task Name - You can specify a custom name. The default name is Sensitivity Labels Matching from File Task.
  7. Matching File
    1. Click Browse and select the CSV file with the sensitivity label specifications that you prepared.
    2. Click Next.
  8. Notification
    1. Send notification email once the task is completed - select this option to send a notification email when a discovery task completes.
      • Only in a case of failure - Select this option to send the email if the discovery task fails to complete successfully.
    2. Recipients - enter the email address of the recipients of this email. You can specify multiple recipient email addresses separated by semicolon.
  9. Schedule
    1. Choose from one of three options to schedule the task. The scheduler will be activated after you complete the task wizard.
      • Run now - task runs immediately.
      • Run later - task must be started manually.
      • Schedule - task will be started at a future date and time entered in the corresponding calendar field.
    2. Click Next.
  10. Summary
    1. Verify the task specifications as described below:
      1. Name - name of the task. The default name is Sensitivity Labels Matching from File Task. You can specify a custom name.
      2. Source tenant - name of the source tenant.
      3. Target tenant - name of the target tenant.
      4. Scheduled start - date and time when the task will start. Now indicates that the task will start immediately.
    2. Click Back to revise or review a previous step or click Finish to complete the task wizard and start the task as scheduled.
  11. When the task completes, the Sensitivity Labels list is updated.

Exporting Sensitivity Labels

  1. Select one or more sensitivity labels from the list view that you want to export.
  2. Click Export the actions menu.
  3. Open the CSV file by extracting it from the ZIP file that is downloaded to your computer.

Deleting Sensitivity Labels

  1. Select one or more sensitivity labels from the list view that you want to delete.
  2. Click Delete in the actions menu.
  3. Click Yes in the Delete Sensitivity Label popup to confirm the action.

Migrating data with sensitivity labels

Sensitivity Labels are not migrated. On Demand Migration migrates your Microsoft 365 data assets like Mailboxes, OneDrive, and SharePoint files that are tagged with sensitivity labels. You can control what happens to the labels when the data is migrated through the following migration wizards:

Account Migration

In this chapter:

 

What We Migrate

The On Demand Migration service for Accounts migration support for the listed attributes of user account types is indicated in the table below:

Attribute Non Mail Enabled User Mail Enabled User Mailbox Enabled User Notes
AccountStatus  
Alias  
City  
Country  
Department  
DisplayName  
ExternalEmailAddress  
Fax  
HomePhone includes Business Phone and Mobile Phone.
LastName  
MailNickname  
Name  
PhysicalDeliveryOfficeName  
PostalCode  
PreferredDataLocation  
RecipientTypeDetails  
StateOrProvince  
StreetAddress  
TelephoneNumber  
UserPrincipalName  
Visibility  
UsageLocation  

The On Demand Migration service for Accounts migrates discovered user accounts and the following types of discovered groups:

  • Microsoft 365 Groups
    • ownership (for accounts that have a pair on the target tenant )
    • membership (for accounts that have a pair on the target tenant )
    • email address for migrated Microsoft 365 Groups will be created in default target domain. See Microsoft Teams Migration for details on how to migrate Microsoft 365 Groups associated with Teams.
  • Security groups
    • ownership (for accounts that have a pair on the target tenant )
    • membership (for accounts that have a pair on the target tenant )
  • Mail-enabled security groups
    • ownership (for accounts that have a pair on the target tenant )
    • membership (for accounts that have a pair on the target tenant )
    • membership approval
    • delivery management
    • message approval
    • MailTip
    • group delegation
    • visibility in GAL
  • Distribution lists
    • ownership (for accounts that have a pair on the target tenant )
    • membership ( for accounts that have a pair on the target tenant )
    • membership approval
    • delivery management
    • message approval
    • MailTip
    • group delegation
    • SendAs and SendOnBehalf group delegates
    • visibility in GAL

Migrating distribution lists with group delegations

On Demand migrates distribution lists with group delegations like SendAs and SendOnBehalf, including scenarios where the distribution list in the target exists or does not exist, or exists and does or does not have group delegations. When the distribution list with group delegations exists in the target then only newly added group delegations are migrated, and group delegations are ignored if anything is deleted at the source. Existing SendAs and SendOnBehalf group delegations on the target, either preexisting before On Demand migration or migrated by On Demand will be left intact and merged with the one migrated from the source.

Delegated accounts are migrated as follows:

  Mail User Mail Box Mail Enabled Security Group Distribution List
SendAs Y Y Y  
SendOnBehalf Y Y Y Y

 

NOTE: Microsoft does not support the following delegated account types so they do not apply to the migration.

  • For SendAS: AAD User, External/Guest User, Distribution List, Security Group
  • For SendOnBehalf: AAD User, External / Guest User, Security Group

NOTE: The temporary Migration Service account of the target tenant will be added as an owner to all target mail-enabled security groups, distribution groups and Microsoft 365 Groups.

 

Accounts and User Data Migration Workspace

In this topic:

NOTE: The Accounts and User Data migration workspace is common for the Accounts, Mailbox and OneDrive migration services, and the Desktop Agents.

Dashboard

The components of the dashboard are as described below:

Notification panel - presents relevant information and shortcuts to migration activities.

Dashboard Menu - contains the following links to common activities in the migration process.

  • Configure connections - You can configure granular permissions for the source and target tenants in addition to advanced configurations such as concurrent PowerShell connections and custom EWS URL specification. For more information see Configuring Connections.
  • Discover accounts - Starts the New Account Discovery Task wizard to collect information about accounts in the source tenant. For more information see Discovering Accounts.
  • Enable calendar sharing - Starts the New Calendar Sharing Task wizard to allow users to retrieve calendar availability information after migration. For more information see Calendar Sharing.
  • Browse accounts - Opens the Accounts List view where you can search and filter for accounts, and manage all the account migration activities. For more information see
  • Download agent - Allows you to download a lightweight user desktop application (update agent) for users workstations that is needed to complete a migration project.

Dashboard Tiles

  • Getting Started - Presents quick start links to the various actions for preparing and migrating accounts.
  • Accounts - Presents a summary of the accounts in various migration states. Click Show All to open the Accounts List view to inspect the accounts.
  • Mailboxes - Presents a summary of the mailboxes in various migration states. Click Show All to open the Mailboxes List view to inspect the mailboxes.
  • OneDrive - Presents a summary of users with OneDrive in various migration states. Click Show All to open the OneDrive List view to inspect the OneDrive information.
  • Tasks - Displays the five most recent tasks that were completed in the Accounts and User Data migration workspace. The title displays the total number of tasks. Click Show All to open the Tasks List view.
  • Events - Displays the five most recent events that were completed in the Accounts and User Data migration workspace. The title displays the total number of events. Click Show All to open the Events List view .

Accounts List View

The Accounts List View is comprised of the following components:

Notification panel - presents relevant information and shortcuts to migration activities.

Filter panel - consists of predefined filters for the Accounts List view and tabs to switch between the Accounts List view and the Assessment view. See Filtering for more information about working with filters. The predefined filters are:

  • Account State - returns a list of Accounts by specific state values. See Account State column description in the List View below for a list of values.
  • Matching - returns a list of Accounts by source accounts that are matched with a target account. Valid values are Any, Matched and Not matched.
  • Source Type and Target Type - search by specific account types as defined in Active Directory.
    • Any
    • User accounts like Guest, Mailbox-enabled, Mail-enabled and Non-mail-enabled.
    • Resource mailboxes like Equipment, Room, Scheduled and Shared.
    • Groups like Distribution, Mail-enabled-security, Microsoft 365 Group - Dynamic, Microsoft 365 - Assigned, Security - Dynamic, Security - Assigned, Teams - Dynamic and Teams - Assigned.
  • Environment - returns a list of Accounts by location of the Active Directory with which the account is synchronized. Valid values are Synced with Active Directory (synchronized with on-premise Active Directory) and In Cloud (synchronized with Azure Active Directory). This filter corresponds to the Sync Status column in the Accounts list.
  • ODM Licensed - returns a list of Accounts by license utilization. Valid values are Yes, No, Not required.

List View Actions Menu - contains links to account migration activities and the search box. Each action is explained in greater detail in subsequent topics. See Searching for more information about working with the search box.

List View Columns - displays information about accounts in the source tenant and the migration status of each account. Some columns are hidden by default. Use Edit Columns to show or hide columns in the list. The columns are as described below:

NOTE: If you don't see the Sync Status or object description in the Type column, rerun the account discovery task as indicated in the Notification panel.

  • Sync Status - indicates whether the account is synchronized with the on-premise Active Directory or Azure Active Directory. The tool tip displays the status value.
  • Name - name of the account
  • Source Type - account type defined in Microsoft Active Directory for the source tenant. The account type can be one of the following:
    • Any
    • User accounts like Guest, Mailbox-enabled, Mail-enabled and Non-mail-enabled.
    • Resource mailboxes like Equipment, Room, Scheduled and Shared.
    • Groups like Distribution, Mail-enabled-security, Microsoft 365 Group, Security Group, Teams.
  • Target Type - account type defined in Microsoft Active Directory for the target tenant. The account type can be one of the following:
    • Any
    • User accounts like Guest, Mailbox-enabled, Mail-enabled and Non-mail-enabled.
    • Resource mailboxes like Equipment, Room, Scheduled and Shared.
    • Groups like Distribution, Mail-enabled-security, Microsoft 365 Group, Security Group, Teams.
  • ODM Licensed - indicates whether or not an On Demand Migration license has been consumed when the migration task is started. Values are Yes, No, Not required.
  • Status - status of the most recent task that was run for this account. Valid values are New, Stopped, In Progress, Failed and Completed. The Status column displays a progress bar that tracks the update for each account when the Matching and Migration tasks are running.
  • Account State - tracks the state of the account from discovery to migration from source to target tenant. The column values are as follows:
    Column Value Description
    Discovered Account has been discovered in the source tenant.
    Match failed Account matching failed
    Matched Account has been successfully matched.
    Matching Account is being matched.
    Matching Stopped Account matching task was stopped by a user.
    Mapped Account mapping is complete and successful.
    Mapping Account mapping of this object has started.
    Mapping Failed Account mapping did not succeed.
    Mapping Stopped Account mapping task was stopped by a user.
    Migrated Account migration is complete and successful.
    Migrated with Issues Account migration completed with errors.
    Migrating Account migration of this object has started.
    Migration failed Account migration did not succeed
    Migration stopped Account migration canceled by the user
  • Source UPN - account name in the source tenant in the format of an email address based on the Internet standard RFC 822.
  • Target UPN - account name in the target tenant in the format of an email address based on the Internet standard RFC 822.
  • Source Mailbox - account mailbox in the source tenant.
  • Target Mailbox - account mailbox in the target tenant.
  • Source Group Type - group membership type in the source tenant. Valid values are Assigned or Dynamic.
    • Assigned - indicates that members are manually added or removed from the group.
    • Dynamic - indicates that users are added or removed dynamically once the membership rules are defined.
  • Target Group Type - group membership type in the target tenant. Valid values are Assigned or Dynamic.
    • Assigned - indicates that members are manually added or removed from the group.
    • Dynamic - indicates that users are added or removed dynamically once the membership rules are defined.
  • Title - Job title of the user account. Does not apply to group accounts.
  • Department - department of the user account. Does not apply to group accounts.
  • Country - country of the user account. Does not apply to group accounts.
  • City - city of the user account. Does not apply to group accounts.
  • Collections - indicates the most recent collection where the account is added and the number of additional collections that also contain this object.

Accounts Assessment

Contains summary reports about the discovered data to analyze your domain structure and track potential problems, misconfiguration, and risks that might adversely affect the migration. For more information see Assessment.

Account Details

When you select an account from the List View, the Account Detail pane opens. The information in the pane is described below:

  • Source Email - email address of the selected account in the source tenant.
  • Target Email - email address of the selected account in the target tenant.
  • Source Type - account type defined in Microsoft Active Directory for the source tenant.
  • Target Type - account type defined in Microsoft Active Directory for the target tenant.
  • Status - status of the selected account. Valid values are New, In Progress, Failed and Completed.
  • Account State - tracks the state of the account from discovery to migration from source to target tenant.
  • Events - count of the events that occurred during account processing through one or more tasks.
  • Collections - list of collections that contain the selected account.
  • Tasks - list of tasks invoked for the selected account.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating