Microsoft 365 Migration Checklists & Common Mistakes (Practical, Step-by-Step Guide)
Introduction
Migrating to Microsoft 365 without data loss or productivity dips requires method. This functional guide brings together actionable checklists, a chronological runbook, sample scripts, and the most common mistakes (with fixes). It’s written so an IT team can execute it and audit each decision against official sources.
1) Step-by-step route (practical runbook)
Use this runbook as a backbone. Adjust dates, owners, and windows to your organization. We flag milestones as “T-” (before cutover) and “T+” (after).
| Milestone | Task | Expected outcome |
|---|---|---|
| T-30 to T-21 days | Assessment: inventory mailboxes; OneDrive/SharePoint; Teams; apps; devices; decide migration waves | Approved scope & timeline |
| T-20 to T-14 days | Baseline security (MFA/Conditional Access), licensing, OneDrive provisioning, basic DLP & sensitivity labels | Hardened destination tenant |
| T-14 to T-7 days | Configure Exchange batches, send/receive tests, validate critical links & permissions | Stable pilot |
| T-72 to T-48 hours | Lower MX TTL; change freeze; generate final wave CSVs | DNS ready for cutover |
| T-24 hours | Incremental sync; business “go/no-go” checklist | Go authorized |
| Day 0 (cutover) | Update MX/SPF/DKIM/DMARC; validate mail flow; staffed support | Stable mail |
| T+1 to T+7 days | Role-based UAT; access recertification; close gaps; KPI reports | Wave closed |
2) General pre-migration checklist
Before moving data, validate technical and business prerequisites. This “traffic light” avoids surprises.
| Item | Why it matters | How to verify | Status |
|---|---|---|---|
| Verified domains | UPN/routing without blockers | Admin Center → Settings → Domains | ☐ |
| MFA & Conditional Access | Lower risk during change | Entra ID → Security → Conditional Access | ☐ |
| Licenses assigned | Services active (ExO/OD/Teams) | Microsoft 365 Admin → Users → Licenses | ☐ |
| OneDrive provisioned | Avoids day-1 waits | Browse to https://tenant-my.sharepoint.com with the account | ☐ |
| Baseline DLP & labels | Minimum governance | Purview → Solutions → DLP / Labels | ☐ |
| Comms plan | Fewer tickets | T-14/T-7/Day 0 mailings + first-day guide | ☐ |
| Backup/rollback | Resilience | Snapshots/retention + written rollback plan | ☐ |
3) Exchange Online: checklist + mistakes
Email is sensitive and visible. Prepare batches, sync before cutover, and validate rules/delegations. See Microsoft’s migration best practices for factors that affect throughput and stability.
| Item | Operational detail | Command/Reference | Status |
|---|---|---|---|
| Mailbox inventory | List size, delegations, shared boxes, rules | Get-Mailbox · Get-MailboxStatistics | ☐ |
| Batches & CSV | Wave by size & criticality | New-MigrationBatch -CSVData $csv | ☐ |
| Sync | Enable incremental before cutover | Get-MigrationUserStatistics -IncludeReport | ☐ |
| MX/SPF/DKIM/DMARC | Lower TTL, switch records, validate signatures | Official docs (links below) | ☐ |
| Post-cutover checks | Transport rules, connectors, delegations | Exchange admin center | ☐ |
Common mistakes & fixes
- Not lowering TTL → Lower it 48–72 h beforehand for fast MX propagation.
- Leaving POP/IMAP enabled → Disable after migration to reduce attack surface.
- Ignoring transport rules → Export, recreate, and validate connectors/rules.
```powershell
# Connect, then review batch status and per-user migration progress
Connect-ExchangeOnline
Get-MigrationBatch | Select-Object Name,Status,TotalCount,InitialSyncCompleteTime
Get-MigrationUser | Get-MigrationUserStatistics -IncludeReport | `
  Select-Object Identity,ItemsTransferred,PercentComplete,ErrorSummary
```
More info: Exchange migration best practices · DKIM · DMARC
5) Microsoft Teams: checklist + mistakes
Decide what to migrate (files, conversations, apps) and what to recreate. Avoid dragging obsolete teams into the new tenant.
| Item | Operational detail | Reference | Status |
|---|---|---|---|
| Structure | Identify teams by process and activity | Teams admin center | ☐ |
| Files | Map libraries backing channels | SharePoint | ☐ |
| Apps/tabs | Planner, Power BI, 3rd-party: recreation plan | Teams center | ☐ |
| Recordings | Stream on SharePoint: permissions & retention | SharePoint | ☐ |
| Governance | Naming, expiry, guests | Microsoft 365 Admin/Entra | ☐ |
Common mistakes & fixes
- Migrating “everything” → Prioritize live teams; archive or recreate the rest.
- Forgetting tabs & apps → List dependencies and prep re-configuration.
- Misaligned permissions → Validate owners/members and guest policies.
More info: Teams governance
6) Identity (Microsoft Entra ID) & directory: checklist + mistakes
Identity underpins access, security, and licensing. Define UPN, groups, and Conditional Access before go-live.
| Item | Operational detail | Reference | Status |
|---|---|---|---|
| UPN & aliases | Unified scheme; avoid duplicates | Entra ID → Users | ☐ |
| Groups & roles | Microsoft 365/security groups; admin roles | Entra ID → Groups/Roles | ☐ |
| Conditional Access | Default MFA; controlled exceptions | Entra ID → Security | ☐ |
| Apps & permissions | Review OAuth/Graph; rotate secrets | Entra ID → App registrations | ☐ |
Common mistakes & fixes
- Poorly planned UPNs → Unify, communicate, and migrate aliases.
- No MFA/Conditional Access → Apply baseline, tune by risk.
- Expired app tokens → Rotate secrets and enforce least privilege.
More info: Conditional Access · Microsoft Graph permissions
7) Power Platform: checklist + mistakes
Connectors and credentials are fragile points. Make sure owners and service accounts are in place.
| Item | Operational detail | Reference | Status |
|---|---|---|---|
| Environments | Dev/Test/Prod; capacity | Power Platform admin | ☐ |
| Connectors | Re-authenticate; least privilege | Power Apps/Automate centers | ☐ |
| Owners | Co-owners for continuity | Power Apps/Automate | ☐ |
| E2E tests | Business cases with sample data | Process UAT | ☐ |
Common mistakes & fixes
- Orphaned connections → Re-auth with service accounts.
- No co-owners → Define at least two owners per critical asset.
More info: Microsoft Learn: Power Platform
8) Devices & Intune: checklist + mistakes
Device experience shapes how people perceive the project. Define re-enrollment and communicate clear steps by device type.
| Item | Operational detail | Reference | Status |
|---|---|---|---|
| Policies | Compliance, configuration & apps | Intune admin | ☐ |
| Autopilot | Hashes, profiles, branding | Intune → Devices | ☐ |
| Role-based UX | Guides by type (corporate PC, BYOD) | Internal docs | ☐ |
Common mistakes & fixes
- Improvised re-enrollment → Wave plan with day-1 on-site support.
- Inconsistent profiles → Standardize and pilot first.
More info: Microsoft Intune
9) DNS & domains: checklist + mistakes
Domain cutover is the “visible moment”. Rehearse it and prepare everything to keep it clean.
| Item | Operational detail | Reference | Status |
|---|---|---|---|
| TTL | Lower MX TTL 48–72 h before | DNS panel | ☐ |
| Records | MX/SPF/DKIM/DMARC prepared | Official guides | ☐ |
| Validation | Delivery tests & DKIM signatures | Exchange admin | ☐ |
| Window | Off-peak time & on-call support | Internal calendar | ☐ |
```
# MX to Exchange Online Protection
MX @ 0 → company-com.mail.protection.outlook.com
TXT @ "v=spf1 include:spf.protection.outlook.com -all"
CNAME selector1._domainkey → selector1-company-com._domainkey.company.onmicrosoft.com
TXT _dmarc "v=DMARC1; p=quarantine; rua=mailto:dmarc@company.com"
```
More info: Create DNS records for Microsoft 365
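A pre-cutover lint for the SPF and DMARC values staged above, as an added example that is not part of the original guide. The function names, the sample records and the RFC 7208 lookup-count check are additions made here; the strings would normally come from your DNS panel export.

```python
# Added example: lint staged SPF and DMARC TXT values before cutover.
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Return problems found in a domain's TXT records, SPF view."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    problems = []
    if "include:spf.protection.outlook.com" not in terms:
        problems.append("missing include:spf.protection.outlook.com")
    # Each of these terms costs a DNS lookup; RFC 7208 allows at most 10.
    # Only top-level terms are counted here, not those inside includes.
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms]
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        problems.append(f"{lookups} lookup terms, limit is 10")
    if not terms or terms[-1] not in ("-all", "~all"):
        problems.append("record does not end in -all or ~all")
    elif terms[-1] == "~all":
        problems.append("softfail (~all): switch to -all once audited")
    return problems

def lint_dmarc(txt):
    """Return problems found in a _dmarc TXT value."""
    tags = [t.strip() for t in txt.split(";") if t.strip()]
    pairs = {k.strip().lower(): v.strip()
             for k, v in (t.split("=", 1) for t in tags if "=" in t)}
    problems = []
    if not tags or tags[0].replace(" ", "") != "v=DMARC1":
        problems.append("first tag must be v=DMARC1")
    if pairs.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if not pairs.get("rua", "").lower().startswith("mailto:"):
        problems.append("no rua=mailto: address, so no aggregate reports")
    return problems

# Constructed sample mirroring the records shown above.
STAGED_TXT = ["MS=ms00000000", "v=spf1 include:spf.protection.outlook.com -all"]
STAGED_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@company.com"

if __name__ == "__main__":
    print(lint_spf(STAGED_TXT), lint_dmarc(STAGED_DMARC))
```

A second `v=spf1` record left behind by the old mail provider is the failure this catches most often: receivers treat two SPF records as a permanent error.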
10) Security & compliance: checklist + mistakes (expanded)
Hardening before migration lowers risk during change and prevents “open doors” afterward. Below is a practical approach combining Conditional Access, Defender for Office 365, and Microsoft Purview with simple defaults and a progressive maturity path.
10.1 Access & authentication (Entra ID)
| Policy | Scope | Conditions | Control | Notes |
|---|---|---|---|---|
| CA-00 Break-glass accounts | 2 cloud-only emergency accounts | Excluded from all CA | — | Long passwords, stored out-of-band, monitored (sign-ins). |
| CA-01 Require MFA | All users | All clients (browser & apps) | Require MFA | Prefer phishing-resistant methods: Passkeys/FIDO2/Windows Hello where possible. |
| CA-02 Block legacy auth | All users | Client apps: legacy | Block access | Allow temporary exceptions only with documented dependency. |
| CA-03 Require compliant device | Sensitive data users | Untrusted location or medium+ risk | Device compliance (Intune) | Use named locations for corporate IPs; consider risk-based CA (P2). |
| CA-04 Safer sessions | All users | Microsoft 365 apps | Sign-in frequency, session controls | 12–24 h frequency and Continuous Access Evaluation where applicable. |
References: Conditional Access overview · Authentication strengths (FIDO2/Passkeys) · Require MFA for all users
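One way to check an exported policy set against rows CA-00 to CA-02, as an added example that is not part of the original guide. It assumes policies in the JSON shape Microsoft Graph returns from `GET /identity/conditionalAccess/policies` and that break-glass accounts are excluded by user object ID rather than by group; the IDs, the `policy` helper and the sample policies are constructed.

```python
# Added example: audit exported Conditional Access policies against the
# CA-00/CA-01/CA-02 rows above. IDs and policies are constructed placeholders.
BREAK_GLASS = {"bg-id-1", "bg-id-2"}      # object IDs of the emergency accounts
LEGACY = {"exchangeActiveSync", "other"}  # legacy client app types

def policy(name, state, exclude, apps, controls):
    """Build a dict in the Graph conditionalAccessPolicy shape (sample data)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"],
                                     "excludeUsers": exclude},
                           "clientAppTypes": apps},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

def audit(policies, break_glass=BREAK_GLASS):
    """Return findings: missing exclusions, report-only state, baseline gaps."""
    findings, have_mfa, have_block = [], False, False
    for p in policies:
        name, state = p["displayName"], p["state"]
        if state == "disabled":
            continue
        users = p["conditions"]["users"]
        missing = break_glass - set(users.get("excludeUsers", []))
        if missing:
            findings.append(f"{name}: break-glass not excluded: {sorted(missing)}")
        if state != "enabled":  # enabledForReportingButNotEnforced
            findings.append(f"{name}: report-only, not enforced")
            continue
        grant = p.get("grantControls") or {}
        controls = set(grant.get("builtInControls", []))
        everyone = "All" in users.get("includeUsers", [])
        apps = set(p["conditions"].get("clientAppTypes", []))
        if everyone and ("mfa" in controls or grant.get("authenticationStrength")):
            have_mfa = True
        if everyone and "block" in controls and LEGACY <= apps:
            have_block = True
    if not have_mfa:
        findings.append("baseline: no enforced MFA policy for all users")
    if not have_block:
        findings.append("baseline: no enforced legacy-auth block for all users")
    return findings

SAMPLE = [
    policy("CA-01 Require MFA", "enabled", ["bg-id-1", "bg-id-2"], ["all"], ["mfa"]),
    policy("CA-02 Block legacy auth", "enabledForReportingButNotEnforced",
           ["bg-id-1"], ["exchangeActiveSync", "other"], ["block"]),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it before cutover and again after every policy change: a legacy-auth block left in report-only mode looks configured in the portal but blocks nothing.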
10.2 Secure email (Defender for Office 365)
| Control | Enable | Outcome |
|---|---|---|
| Safe Links | Rewrite + click-time protection | Blocks malicious URLs |
| Safe Attachments | Detonation in sandbox | Blocks dangerous files |
| Anti-phishing | Impersonation protection, spoof intelligence | Fewer impersonations |
| External sender tag | Native “[EXTERNAL]” marking | User awareness |
```powershell
Connect-ExchangeOnline
Set-ExternalInOutlook -Enabled $true
```
| Record | Suggested value | Comment |
|---|---|---|
| SPF | v=spf1 include:spf.protection.outlook.com -all | Use -all once audited |
| DKIM | Two active selectors | Rotate periodically |
| DMARC | p=none → quarantine → reject | Gradual rollout with reports |
References: Defender for Office 365 · SPF · DKIM · DMARC
10.3 Information governance & compliance (Microsoft Purview)
| Window | Action | Goal |
|---|---|---|
| Day 1–7 | Baseline MIP labels: Public/Internal/Confidential | Visible, simple classification |
| Day 1–14 | DLP for email/SharePoint/OneDrive (PII templates) | Prevent common leaks |
| Day 7–30 | Retention policies for mail & critical sites | Legal/regulatory preservation |
| Day 15–45 | Auto-labeling (keywords/Trainable classifiers) | Less manual effort |
| Day 30–90 | Insider Risk (per license) & advanced audit | Early risk detection |
References: Information Protection · Data Loss Prevention · Records Management · eDiscovery
10.4 Security checklist (ready to tick)
| Item | Action | Status |
|---|---|---|
| Emergency accounts | 2 dedicated accounts, excluded from CA, monitored | ☐ |
| MFA for everyone | CA using appropriate Authentication strength | ☐ |
| Block legacy auth | CA “Block legacy clients” + review exceptions | ☐ |
| Risk-based access | Named locations and sign-in risk (if P2) | ☐ |
| Safe Links/Attachments | Org-wide policies enabled | ☐ |
| SPF/DKIM/DMARC | Validated with DMARC reports in p=none first | ☐ |
| MIP labels | Taxonomy + usage policy published | ☐ |
| Initial DLP | PII/financial templates; audit → block | ☐ |
| Retention | Basic policies for mail & critical sites | ☐ |
| Audit | Review Unified Audit Log & eDiscovery permissions | ☐ |
10.5 Frequent errors & how to avoid them
- No break-glass accounts → Create 2 with long passwords, CA exclusion, and sign-in monitoring.
- Permanent MFA exceptions → Use a Temporary Access Pass; remove exceptions after stabilization.
- Jumping straight to p=reject in DMARC → Start with p=none + reporting; move to quarantine, then reject.
- Over-aggressive DLP on day 1 → Start in audit mode, measure false positives, then enforce blocking.
- Labels without training → Publish a one-pager with examples per role.
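The staged DMARC rollout described above depends on reading the aggregate (rua) reports before each step. The following is an added example, not part of the original guide, that tallies one report and suggests whether the policy can move up a stage; the report content, the helper names and the 1% failure threshold are assumptions made for illustration.

```python
# Added example: decide from a DMARC aggregate (rua) report whether the
# policy can move one stage up. The report below is constructed sample data.
import xml.etree.ElementTree as ET
from collections import defaultdict

def _row(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

REPORT = ("<feedback><policy_published><domain>company.com</domain>"
          "<p>none</p></policy_published>"
          + _row("192.0.2.10", 940, "pass", "pass")    # fully authenticated
          + _row("198.51.100.7", 55, "fail", "pass")   # passes on SPF only
          + _row("203.0.113.25", 40, "fail", "fail")   # fails DMARC
          + "</feedback>")

STAGES = ["none", "quarantine", "reject"]

def summarize(report_xml):
    """Tally DMARC pass/fail message counts per source IP."""
    tally = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        key = "pass" if ok else "fail"
        tally[row.findtext("source_ip")][key] += int(row.findtext("count"))
    return dict(tally)

def next_step(report_xml, max_fail_ratio=0.01):
    """Return (suggested policy, source IPs still failing DMARC)."""
    current = ET.fromstring(report_xml).findtext("policy_published/p")
    tally = summarize(report_xml)
    total = sum(t["pass"] + t["fail"] for t in tally.values())
    failed = sum(t["fail"] for t in tally.values())
    failing = sorted(ip for ip, t in tally.items() if t["fail"])
    clean = total > 0 and failed / total <= max_fail_ratio
    if clean and current in STAGES[:-1]:
        return STAGES[STAGES.index(current) + 1], failing
    return current, failing

if __name__ == "__main__":
    print(next_step(REPORT))
```

Aggregate reports arrive from third parties, so in production parse them with a hardened XML parser such as defusedxml and cap the attachment size before decompressing.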
11) Communications, UAT & adoption
The best migration is the one nobody notices. Set expectations, provide a first-day guide, and test with real users.
Comms calendar
- T-14: general announcement — what changes and why.
- T-7: access instructions, apps, support channels.
- Day 0: reminder, support channel, 10-minute quickstart.
- T+7: productivity tips and satisfaction survey.
Role-based UAT
- Sales: Outlook + Teams meetings and external sharing.
- Finance: retention, labels, critical libraries.
- Operations: process-based channels and shift checklists.
12) KPIs & success control
Measure progress (volume), quality (errors), and adoption (OneDrive/Teams usage). Report daily during waves.
13) Top 25 mistakes and how to avoid them
| Mistake | Impact | How to avoid |
|---|---|---|
| Not lowering TTL before cutover | Unstable delivery | Lower TTL 48–72 h and rehearse MX |
| Leaving POP/IMAP enabled | Security risk | Disable post-migration |
| Ignoring transport rules | Broken flows | Export/validate rules & connectors |
| Long OneDrive/SharePoint paths | Skipped files | Normalize names/paths |
| Opaque inherited permissions | Improper access | Map & recertify |
| Forgetting Teams recordings | Lost history | Include Stream (SharePoint) |
| Conflicting UPN/aliases | Sign-in errors | Unified schema + comms |
| No MFA/Conditional Access day 1 | Security gaps | Baseline policies |
| Power Platform connections | Broken apps/flows | Re-auth with service accounts |
| No rollback plan | Paralysis | Simple, rehearsed rollback |
| Late communications | Ticket spikes | 14/7/0-day plan |
| No real UAT | Production errors | Role-based tests |
| OneDrive/SharePoint quotas | Upload cuts | Review & adjust |
| Expired app secrets | Integration outages | Scheduled rotation |











