Migration to Microsoft Office 365
Migration involves migrating Active Directory objects (such as users, contacts and groups) from the source domain to Microsoft Office 365, synchronizing calendars and migrating mailboxes from on-premises Exchange organization to Microsoft Exchange Online.
While migrating to Microsoft Office 365 you will need to use both Migration Manager for Active Directory and Migration Manager for Exchange as shown in the figure below:
Migration to Office 365 Considerations:
- Migration Agent for Exchange cannot process a message that is larger than 40MB. This limitation is set by Office 365 Exchange Web Services.
- If you want to change an agent instance for a collection that is being processed, you should stop the agent, wait until the current session is finished and then specify the agent instance you need.
- If a mailbox is added to more than one collection via groups or organizational units, the Migration Agent for Exchange processes this mailbox only for the collection that is the first in the synchronization order.
- One instance of Migration Agent for Exchange cannot process collections from on-premises Exchange migration and Microsoft Office 365 migration projects at the same time. You will need separate instances of Migration Agent for Exchange to process these migration projects.
- Likewise, one set of public folder synchronization agents cannot process collections from on-premises Exchange migration and Microsoft Office 365 migration projects at the same time.
Refer to Public Folder Synchronization Caveats for public folder synchronization considerations.
Provisioning User Accounts in Office 365
In the first step of migrating to Microsoft Office 365, you need to provision user accounts in Microsoft Office 365. All steps from this section should be performed in Migration Manager for Active Directory (Office 365) console:
Caution: Migration Manager for Active Directory always creates user accounts enabled in Microsoft Office 365 regardless of their states in Active Directory.
Installing Directory Migration Agent
Both migration and synchronization tasks are handled by the specific engine called Directory Migration Agent (abbreviated to DMA). Before you start your migration activities, be sure to install at least one DMA instance in your environment. For that, perform the following:
- Run the Migration Manager for Active Directory (Office 365) console.
- Select Directory Migration node in the management tree of the Migration Manager for Active Directory (Office 365) console.
- Go to Agents tab, and in the Action Items pane click the Install Agent item to the start the Install Agent wizard.
- Complete the wizard by specifying the following:
- A server where DMA should be installed.
- User credentials under which DMA should be installed and run.
Note: A server where you plan to install DMA must satisfy specific system requirements listed in the corresponding section of the System Requirements and Access Rights document.
Migration Manager for Active Directory (Office 365) uses Microsoft Graph API to access Azure Active Directory. Administrative consent is required in order to grant the "Quest Migration Manager for Active Directory" application access to the tenant data.
Consent can be granted at the time of adding a Migration Pair or in advance using this hyperlink https://login.microsoftonline.com/###-####-###-####/adminconsent?client_id=8edd986e-2f01-4f62-84d2-34576b05fc01 where ###-#####-###-##### must be replaced with an actual tenant id (which can be obtained via the Azure Admin console).
In order to grant admin consent, the account needs one of the following roles: Global Administrator or Privileged Role Administrator.
Once the Application has been granted access, the Migration Manager service account can function with the following minimal set of roles:
- For Matching only: Exchange Administrator role
- For Migration, the following minimal set of roles: Exchange Administrator, Directory Readers, Directory Writers
Configuring Migration Pair
All migration activities are performed between pairs of Active Directory domains and Microsoft Office 365 tenants. Such pairs along with corresponding configuration settings are referred as migration pairs in the console.
The first time you create a migration pair, an additional step is needed to obtain and install the latest version of the Microsoft Graph API, used to communicate with Microsoft 365. Microsoft PowerShell is used for this step. Once installed, this step is not required when setting up subsequent migration pairs.
To create a new migration pair, perform the following:
- Select the Directory Migration node in the management tree of the Migration Manager for Active Directory (Office 365) console.
- From the Home tab, under Action Items, choose the Create Migration Pair button.
- Alternatively, go to the Migration Pairs tab, and in the Action Items pane choose the Create Migration Pair item.
- In the Create Migration Pair wizard specify the Active Directory domain and configuration settings to use for connecting to it. Those settings include the following:
- Active Directory domain
- User credentials under which to connect to Active Directory
- SSL configuration options
- Preferred domain controller and global catalog (optionally)
- Specify the settings to use for connecting to a Microsoft Office 365 tenant. Those configuration settings include the following:
- User credentials under which to connect to Microsoft Office 365
- Proxy server and credentials, if necessary.
- If prompted (when using MFA or using Graph app for the first time across multiple tenants), sign into the Graph API to create the necessary connection to Microsoft 365.
Note: You can later edit the migration pair settings or delete it using the corresponding action items on the migration pair node in the management tree.
When you specify a set of configuration settings, it is saved as a specific entity called connection. The connection is a set of configuration settings that are used to access the Active Directory domain or Microsoft Office 365 tenant. You can use connections in future migrations instead of reentering the configuration settings.
Managing User Passwords
By default, when Migration Manager creates a user in Microsoft Office 365 during migration process, it generates a temporary password for the user and then sends it by email. However, you can choose not to send passwords to users. For that, select a migration pair node in the management tree, click the Edit Initial Password Settings item in the Actions pane and select the desired option in the dialog box opened.
Caution: Take the following into consideration:
- If you select not to send passwords to users, the Microsoft Office 365 administrator will need to reset and send passwords manually so that users can sign in to Microsoft Office 365.
- Passwords are not generated for user accounts created in federated domain, as such users sign in to Microsoft Office 365 using their domain credentials through Single Sign-On (SSO). Moreover, the Reset Password task does not affect users from federated domain.
TIP: You will be able to reset passwords for migrated users later using the Reset Password action item available on the collection node level. Note that when you reset password for a user using Migration Manager for Active Directory, the generated password is sent to the user by email automatically.