Microsoft 365 Tenant-to-Tenant Migration with Quest On Demand: A Complete Step-by-Step Guide

Introduction

In mergers, acquisitions, or reorganizations, moving collaboration and data across Microsoft 365 tenants without slowing the business is critical. This guide walks you through a tenant-to-tenant migration with Quest On Demand Migration (ODM): from granting consents and matching identities, to building wave-based batches per workload (Exchange, OneDrive, SharePoint, Teams), running coexistence with Directory Sync and Email/Domain Rewrite, and cutting the domain cleanly. We keep the language practical and add vetted external references at each step.

1. What is Quest On Demand Migration (ODM)?

Quest ODM is a SaaS platform hosted in Azure that centralizes tenant-to-tenant migration of Exchange Online, OneDrive, SharePoint, and Microsoft Teams. It adds discovery, assessment, identity mapping, dashboards, and reporting—plus coexistence options such as Directory Sync and Email/Domain Rewrite to keep users productive during the move. Think of it as a single control plane to orchestrate migration with telemetry and guardrails. :contentReference[oaicite:0]{index=0}

2. Prerequisites & permissions

Before creating a single batch, register source and target tenants in ODM and grant the application consents per workload (Exchange, SharePoint/OneDrive, Teams/Graph). Clarify scope early (users, groups, shared mailboxes; sites and permissions; teams and channels; OneDrive per user). For Exchange migrations with ODM, Quest recommends an E3 or higher license on the admin mailbox used to run EWS-based operations—CTUDM is not required for ODM because ODM performs copy-style migrations via APIs.

• Use a global admin (or workload-specific admin) to grant app consents in both tenants.
• Review holds, retention, and eDiscovery in the source to avoid unexpected blockers.
• Decide identity matching strategy: identical UPNs, different suffixes, or a CSV mapping.

3. Project methodology

Waves reduce friction and help you learn fast: pilot → first business areas → critical areas → stabilization. ODM supports pre-staging (load history ahead of cutover) and scheduling incremental syncs where available so Day 0 is a non-event for end users. :contentReference[oaicite:3]{index=3}

4. ODM setup: project, tenants, and identity matching

Open On Demand Migration, create a project, add source and target tenants, and grant the requested consents (per workload). Then import or generate the identity matching (auto-match by UPN or upload a CSV). :contentReference[oaicite:4]{index=4}

Step-by-step

1. Create a project in ODM and select the workloads you’ll migrate.
2. Connect tenants (source and target) and grant consents.
3. Run discovery (users, groups, mailboxes; OneDrive; sites; teams).
4. Define matching (UPN→UPN). If they differ, use CSV (sample below).
5. Plan waves and windows (pilot → wave 1 → wave 2 → cutover).

CSV sample (identity match)

If you manage identities on-prem, document the handling of ImmutableID/mS-DS-ConsistencyGuid to avoid misalignment later.

5. Exchange Online (mail, calendars, shared mailboxes)

Email is the heartbeat of daily work. In ODM you create mailbox migration tasks in waves, with reporting, retries, and pre-cutover syncs. A proven pattern is: discover → select mailboxes (user, shared, resource) → run a pilot → scale to waves → run a final delta → cut MX. :contentReference[oaicite:5]{index=5}

Step-by-step

1. Select mailboxes (users, shared, resources) from inventory.
2. Map permissions (delegations, SendAs, FullAccess) to target per rules.
3. Create a batch in ODM and schedule during off-peak hours.
4. Monitor progress (items migrated, errors, retries).
5. Run a delta before cutover and validate with key users.

6. OneDrive (users, versions, and links)

ODM moves each user’s OneDrive content to their counterpart in the target tenant. Plan how you’ll treat version history and shared links (internal/external), and communicate the “after” state clearly. :contentReference[oaicite:6]{index=6}

Step-by-step

1. Pre-provision users in target and validate identity matching.
2. Select OneDrives and run migrations in groups (by department/volume).
3. Validate permissions and critical external shares after each pass.
4. Recertify access during the first post-go-live week.

7. SharePoint (sites, permissions, metadata)

SharePoint hosts critical libraries and automations. In ODM you can discover sites, assess size/structure, and migrate them in batches, preserving key permissions and metadata where the APIs allow. Normalize path lengths and names to avoid platform limits. :contentReference[oaicite:7]{index=7}

Step-by-step

1. Audit owners, inheritance, and apps (extensions, flows).
2. Choose a strategy (by site, by hub, or by critical libraries).
3. Run batches and review error reports (long paths, invalid names).
4. Recertify permissions when each wave completes.

8. Microsoft Teams (teams, channels, chats)

ODM supports Microsoft Teams migrations: team/channel structure, files, membership, and—based on Microsoft’s Graph migration mode—importing historical messages into Teams where applicable. The usual flow is: discover → map source teams to destination → migrate files (to SharePoint/OneDrive) → import conversations via Graph migration mode → complete the team. :contentReference[oaicite:8]{index=8}

Step-by-step

1. Discover teams and classify by criticality (project, department, confidentiality).
2. Define mapping (Team A → Team A′ in target; private ↔ private channels).
3. Migrate files (land in SharePoint/OneDrive) and verify permissions.
4. Import conversations with Graph’s migration mode; complete the team at the end. :contentReference[oaicite:9]{index=9}
5. Validate apps/tabs (Planner, Forms, Power BI, etc.) and re-authorize connectors.

9. Coexistence with ODM: Directory Sync & Email/Domain Rewrite

For longer coexistence or multi-domain scenarios, combine On Demand Directory Sync (keeps users, groups—and in some cases devices—synchronized, builds a unified address list) with On Demand Email/Domain Rewrite to present a single email brand across tenants while routing mail to the right mailbox. Add Exchange organization relationships for Free/Busy between tenants. :contentReference[oaicite:11]{index=11}

Exchange Free/Busy between tenants

Connect-ExchangeOnline
New-OrganizationRelationship -Name "Rel-Target-Tenant" `
  -DomainNames "contoso.com" -FreeBusyAccessEnabled $true `
  -FreeBusyAccessLevel LimitedDetails

10. Desktop Update Agent: Outlook/OneDrive/Teams switch

To make “the day after” smooth, deploy Quest’s Desktop Update Agent (DUA). It reconfigures the user’s Outlook profile, OneDrive client, and Teams app automatically, dramatically shrinking first-day ticket volume. Note: in some environments, the Teams step can report success even if the user remains signed into the source—plan a quick sign-out/sign-in check as part of your first-day script. :contentReference[oaicite:12]{index=12}

Step-by-step

1. Generate the agent token in your ODM project.
2. Deploy the MSI via GPO/Intune (transform with your TOKEN and a PASSPHRASE as per the guide).
3. Schedule the “Switch” around your mail/OneDrive cutover.
4. User steps: close apps, run DUA, confirm Outlook opens with the new profile and OneDrive points to the target tenant.

11. Domain cutover & DNS (MX/SPF/DKIM/DMARC)

The domain move is the visible milestone. Rehearse it and lower TTL in advance. Remove the domain from the source (no references in UPNs, proxyAddresses, groups, apps), add it in the target with MX/SPF/DKIM/DMARC, and validate delivery/signing before moving DMARC from p=none to quarantine/reject. For Microsoft 365 record formats and guidance, use the official DNS reference. :contentReference[oaicite:14]{index=14}

# MX to Exchange Online Protection
MX @ 0 → contoso-com.mail.protection.outlook.com

# SPF / DKIM / DMARC
TXT @ "v=spf1 include:spf.protection.outlook.com -all"
CNAME selector1._domainkey → selector1-contoso-com._domainkey.contoso.onmicrosoft.com
TXT _dmarc "v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com"

12. Security & compliance (Purview, Conditional Access, Defender)

Harden the target tenant from Day 1: MFA + Conditional Access, Defender for Office 365 (Safe Links/Attachments, anti-phishing), and Microsoft Purview for sensitivity labels, DLP, retention, and eDiscovery. Recreate policies and review guest access after each wave. :contentReference[oaicite:15]{index=15}

13. Microsoft 365 licensing after the move

Post-migration, align licenses by profile:

Check Microsoft’s official plan comparison tables for the latest details. :contentReference[oaicite:16]{index=16}

14. Performance, limits, and throttling

Microsoft enforces service and Graph API throttling. Size your batches, choose off-peak windows, and monitor health. For Teams message import, expect specific migration-mode constraints (like 5 RPS per channel) and a “complete migration” step. :contentReference[oaicite:17]{index=17}

• Concurrency: set batch sizes (e.g., 10–20% per wave).
• Retries: use ODM telemetry to pinpoint failed items and relaunch.
• Windows: schedule outside peak hours and communicate impacts.

15. Operational checklists (pre, during, post)

Before you migrate

• Tenants connected and consents granted in ODM (per workload). :contentReference[oaicite:18]{index=18}
• Identity matching defined (UPN/CSV).
• Waves and windows agreed; role-based comms plan ready.
• Pilot runs per workload (Exchange/OneDrive/SharePoint/Teams).
• DUA packaged (MSI + transform) and token generated. :contentReference[oaicite:19]{index=19}

During migration

• Monitor tasks; triage errors and run targeted retries.
• Run Exchange deltas; validate critical mailboxes.
• Recertify permissions in OneDrive/SharePoint per batch.

After

• Domain cutover validations (MX, DKIM/DMARC). :contentReference[oaicite:20]{index=20}
• Desktop switch with DUA (Outlook/OneDrive/Teams). :contentReference[oaicite:21]{index=21}
• Week-1 hypercare and role-based training.

16. KPIs, UAT, and acceptance

17. Common risks & mitigations

18. CSV & helpful snippets

SourceUPN,TargetUPN
ana.perez@source.com,ana.perez@target.com
juan.garcia@source.com,juan.garcia@target.com

Connect-ExchangeOnline
New-OrganizationRelationship -Name "Rel-Target-Tenant" `
  -DomainNames "contoso.com" -FreeBusyAccessEnabled $true `
  -FreeBusyAccessLevel LimitedDetails

# MX to Exchange Online Protection
MX @ 0 → contoso-com.mail.protection.outlook.com
TXT @ "v=spf1 include:spf.protection.outlook.com -all"
CNAME selector1._domainkey → selector1-contoso-com._domainkey.contoso.onmicrosoft.com
TXT _dmarc "v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com"

19. Frequently asked questions

20. Official resources

• Quest — On Demand Migration (overview) :contentReference[oaicite:25]{index=25}
• Quest — On Demand Migration (User Guide) :contentReference[oaicite:26]{index=26}
• Quest — Desktop Update Agent (User Guide) :contentReference[oaicite:27]{index=27}
• Quest — On Demand Email/Domain Rewrite :contentReference[oaicite:28]{index=28}
• Quest — On Demand Directory Sync :contentReference[oaicite:29]{index=29}
• Microsoft — Import messages to Teams (migration mode) :contentReference[oaicite:30]{index=30}
• Microsoft Graph — Throttling limits :contentReference[oaicite:31]{index=31}
• Microsoft — Create DNS records for Microsoft 365 :contentReference[oaicite:32]{index=32}
• Quest — Exchange Online pre-requisites (EWS & licensing)
• Quest — ODM overview video (Teams/DUA highlights) :contentReference[oaicite:34]{index=34}

Explore how we orchestrate end-to-end migrations: Microsoft 365 migrations, Azure architecture, and all our services.

21. Conclusion + CTA

A tenant-to-tenant migration with Quest On Demand is far smoother when you follow a clear path: solid consents and identity matching, wave-based pre-staging, well-designed coexistence, and a desktop switch with DUA so users barely notice the change. With measurable pilots, known limits, and honest communications, go-live becomes predictable.