TL;DR. Semiconductor acquisition, 365+ users, Purview/AIP-encrypted source data tripled ODM sync times. Migrator Pro for Active Directory DirSync, AD agent via SCCM, Secure Copy for ITAR-regulated NetApp file servers, custom hosts-file cutover task.
What was the client environment?
A major semiconductor manufacturer acquired a division from another semiconductor company, requiring a full cross-tenant Microsoft 365 and Active Directory migration. The acquired division's O365 data was protected by Microsoft Purview / Azure Information Protection (AIP) sensitivity labels, encrypting mailboxes, OneDrive files, and SharePoint content. This encryption added an unprecedented layer of complexity, tripling the time required for data synchronization and requiring a specialized ODM feature flag to process encrypted content.
What made this migration challenging?
Semiconductor acquisitions involve highly sensitive intellectual property, regulated data (including ITAR-controlled content), and engineering environments that cannot tolerate extended downtime:
- Purview/AIP-encrypted data at scale. The source tenant had Microsoft Purview sensitivity labels applied across mailboxes, OneDrive, and SharePoint, meaning all migrated data was encrypted. Standard ODM sync operations took at least three times longer than unencrypted migrations, compressing an already tight timeline.
- No target user accounts at project start. The acquiring company could not create target O365 user accounts until HR census data was transferred from the source company. The dependency remained unresolved for weeks, blocking ODM account matching and data synchronization.
- Workstation migration across network boundaries. End-user PCs and shared factory floor workstations needed to be migrated from the source domain to the target, requiring Migrator Pro for Active Directory DirSync, AD agent deployment via SCCM, and ReACL operations, all complicated by limited network access in the target environment.
- ITAR-regulated file server data. Unstructured data on NetApp file servers included ITAR-controlled folders that required Secure Copy migration with strict permission preservation, complicated by NetApp symlink paths that caused initial copy failures.
- Conflicting Teams names. Teams and M365 Groups in the source tenant had names that conflicted with existing groups in the target tenant, requiring discovery, mapping, and rename coordination before migration.
- Post-cutover application failures. After device cutover, O365 applications failed to sign in due to SSO policy conflicts, Intune management complications (the PCs turned out to be Intune-managed after originally being reported as unmanaged), and missing PC management infrastructure in the target network.
How did LeadThem approach the migration?
Phased: workstation first, then T2T data migration
Weeks 1-2: Discovery and infrastructure setup. Ran discovery sessions with extended teams across both organizations. Prepared discovery scripts for on-prem AD. Reviewed T2T prerequisites with IDM and InfoSec teams. Navigated VPN provisioning, service account creation, and Migrator Pro for Active Directory server deployment, adapting the work plan daily as prerequisites arrived incrementally. Completed sensitivity label discovery across the source tenant.
Weeks 3-5: Workstation migration and Secure Copy. Deployed AD agents via SCCM to end-user and shared factory PCs. Ran ReACL operations across all registered devices. Tested and resolved Secure Copy failures on NetApp symlink paths for ITAR-controlled folders. Implemented custom cutover task to update hosts file during device migration. Established migration waves for end-user PCs, shared PCs, and factory floor systems.
Weeks 6-8: PC cutover execution. Executed shared PC cutovers across factory floor and office environments. Troubleshot post-cutover issues including O365 sign-in failures, Intune management conflicts, and missing wired network access. Ran end-user PC migrations in coordinated waves while managing a compressed 10-day cutover deadline. Delivered BitLocker recovery key export scripts for source AD.
Weeks 9-12: ODM T2T data migration and cutover. Configured ODM T2T project with specialized Purview/AIP feature flag for encrypted data migration. Ran mailbox, OneDrive, Teams, and SharePoint initial syncs, managing the 3x sync time impact of encrypted data. Executed staged delta syncs and final cutover syncs. Resolved Teams naming conflicts with target tenant. Completed archive mailbox syncs and post-cutover support.
What technical challenges did we solve?
- Purview/AIP encrypted data sync. Standard ODM sync cannot process Purview-encrypted content without a specialized feature flag. Our consultant identified the encryption impact during discovery, opened a support case to enable the encrypted data migration feature flag, and restructured the sync timeline to account for the 3x time multiplier, ensuring the cutover date remained achievable despite the extended sync windows.
- NetApp symlink Secure Copy failures. ITAR-controlled folders on NetApp file servers were accessed via symlink paths that caused Secure Copy to crash or report zero files found. Our consultant tested direct share paths (bypassing symlinks), resolved the issue, and validated permission synchronization for regulated content.
- Custom hosts file cutover task. Network access in the target environment required custom DNS resolution during the transition period. Our consultant implemented a custom task within the device migration workflow to automatically update the hosts file during cutover, eliminating a manual step that would have slowed each individual PC migration.
- Intune management surprise. PCs were originally reported as unmanaged, but during cutover testing it was discovered they were Intune-enrolled in the source tenant. With no PC management infrastructure (Intune or SCCM) available in the target network, our consultant worked with both IT teams to develop a remediation path for post-cutover device management.
- HR data dependency blocking T2T. Target O365 user accounts could not be created until the source company transferred HR census data, a process that slipped by weeks. Our consultant flagged the risk in RAID updates, restructured the project to complete all workstation migrations first, and had ODM T2T fully configured and ready to start syncs the moment accounts became available.
- Teams naming conflicts. Multiple Teams and M365 Groups had names that already existed in the target tenant. Our consultant ran ODM discovery, identified all conflicts, provided the acquiring company with a rename mapping document, and configured ODM rename templates before migration, preventing post-cutover confusion.
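The custom hosts-file cutover task listed above can be written so that it is idempotent, auditable and reversible once the transition period ends. The following is an added sketch, not the task used in the engagement: the function name, marker comments, host names and addresses are all assumptions made for illustration.

```powershell
# Added example, not the engagement's task. Host names and addresses are
# constructed placeholders; the marker comments are an assumed convention.
function Set-CutoverHostsBlock {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [hashtable] $Entries = @{},
        [switch] $Remove   # strip the block once target DNS resolves these names
    )
    $begin = '# BEGIN migration-cutover (temporary)'
    $end   = '# END migration-cutover'
    # Validate every entry before touching the file.
    foreach ($name in $Entries.Keys) {
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse([string]$Entries[$name], [ref]$ip)) {
            throw "Invalid IP address for ${name}: $($Entries[$name])"
        }
        if ($name -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
            throw "Invalid host name: $name"
        }
    }

    # Keep all lines outside an earlier managed block so reruns never duplicate.
    $kept = [System.Collections.Generic.List[string]]::new()
    $inBlock = $false
    foreach ($line in @(Get-Content -LiteralPath $Path -ErrorAction Stop)) {
        if     ($line -eq $begin) { $inBlock = $true }
        elseif ($line -eq $end)   { $inBlock = $false }
        elseif (-not $inBlock)    { $kept.Add($line) }
    }
    if (-not $Remove) {
        $kept.Add($begin)
        foreach ($name in ($Entries.Keys | Sort-Object)) {
            $kept.Add("$($Entries[$name])`t$name")
        }
        $kept.Add($end)
    }
    # Preserve the pre-cutover file once, then write and return a hash for the log.
    $backup = "$Path.pre-cutover"
    if (-not (Test-Path -LiteralPath $backup)) { Copy-Item -LiteralPath $Path -Destination $backup }
    Set-Content -LiteralPath $Path -Value $kept -Encoding ASCII
    Get-FileHash -LiteralPath $Path -Algorithm SHA256
}

# Demo against a constructed copy, not the live hosts file.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'hosts.demo'
Set-Content -LiteralPath $demo -Value '127.0.0.1 localhost' -Encoding ASCII
$map = @{ 'dc01.target.example' = '192.0.2.10'; 'files.target.example' = '192.0.2.20' }
(Set-CutoverHostsBlock -Path $demo -Entries $map).Hash
(Set-CutoverHostsBlock -Path $demo -Entries $map).Hash   # identical: rerun is a no-op
```

On a real device the path is `%SystemRoot%\System32\drivers\etc\hosts` and the task has to run elevated. Logging the returned hash per device gives file-integrity monitoring a known-good value, so any other change to the hosts file during the transition stands out.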
What were the results?
The semiconductor division was successfully migrated to the acquiring company's M365 platform, with all Purview/AIP-encrypted mailboxes, OneDrive data, Teams, SharePoint sites, and workstations transitioned despite the 3x sync time impact of encrypted data. Factory floor shared PCs, end-user workstations, and ITAR-controlled file server data were all migrated with permissions preserved. The project adapted to weeks of HR data delays, Intune surprises, and network access limitations while still delivering a successful cutover.
Which tools and technologies were used?
- Quest On Demand Migration (ODM T2T) with Purview/AIP feature flag for encrypted data
- Quest Migrator Pro for Active Directory (DirSync component) for cross-domain synchronization
- Quest Secure Copy for ITAR-regulated file server migration
- AD Agent and ReACL for workstation domain migration
- SCCM for remote agent deployment across factory and office PCs
- Custom hosts file task for network cutover automation
- Microsoft 365 (Exchange Online, OneDrive, Teams, SharePoint)
- Microsoft Purview / Azure Information Protection sensitivity labels
Why LeadThem Consulting
Migrations involving Purview/AIP-encrypted data are among the rarest and most complex scenarios in the M365 ecosystem. Most migration partners have never encountered them. LeadThem Consulting's consultant identified the encryption impact during discovery, secured the specialized ODM feature flag, and restructured the entire project timeline around the 3x sync multiplier. When HR data delays blocked T2T for weeks, we pivoted to complete all workstation migrations first. When Intune surprises and network access issues emerged during cutover, we troubleshot in real time on the factory floor. That is the difference between a partner who adapts and one who follows a plan.
- Can Microsoft Purview / AIP-encrypted data be migrated between tenants?
- Yes, but standard Quest ODM sync cannot process Purview-encrypted content. A specialized feature flag must be enabled on the ODM project to decrypt and re-encrypt the content for the target tenant. The trade-off is that encrypted content takes roughly 3x longer to sync than unencrypted content of the same size.
- How is ITAR-regulated file server data migrated to a new domain?
- Through Quest Secure Copy with strict permission preservation. ITAR-controlled folders are migrated with NTFS permissions intact, audit logging is enabled throughout, and access is validated post-migration before the source data is decommissioned. NetApp symlinks should be bypassed in favor of direct share paths to avoid copy failures.
- What happens when target tenant user accounts cannot be created at the start of an acquisition migration?
- The work is restructured. Workstation migration, sensitivity label discovery, infrastructure deployment, and SCCM agent rollout can all proceed in parallel while waiting on HR data. ODM T2T is configured and ready to start syncs the moment target accounts become available, minimizing the schedule impact.
- How are Teams and M365 Groups with conflicting names handled?
- Discovery identifies all conflicts upfront. The acquiring company provides a rename mapping document. ODM rename templates are configured before migration so each conflicting Team or Group is renamed on arrival, avoiding post-cutover confusion or merge conflicts.
- How long does a Purview-encrypted M365 migration take?
- This engagement ran approximately 12 weeks across workstation migration, Secure Copy file server moves, and ODM T2T data migration. The 3x sync multiplier on encrypted data extended sync windows significantly, but parallel workstreams (workstation cutovers before T2T data migration) kept the overall cutover date on track.