Cross-Tenant Microsoft 365 Migration for a Global University System

TL;DR. Higher education, 500 users across multiple M365 source tenants, 4-month engagement. Mailboxes, OneDrive, Teams chats, and Entra ID-joined devices migrated with short-term coexistence using Quest On Demand Migration and ODMDS.

What was the client environment?

A global university system operating multiple campuses under separate Microsoft 365 tenants needed to consolidate its IT environment after an organizational restructuring. With 500 users spread across multiple source tenants, the university required a migration that covered not just mailboxes and data, but also Entra ID-joined devices and complex coexistence scenarios where users needed ongoing access to resources in both source and target environments.

What made this migration challenging?

University environments present unique migration challenges that go beyond standard corporate tenant consolidations:

• Multi-tenant source complexity. Users existed across multiple source tenants with different configurations, requiring scoped discovery and per-tenant migration planning.
• Entra ID device migration. Campus workstations joined to the source Entra ID needed to be migrated to the target tenant, a complex process involving Intune re-enrollment, bulk enrollment packages, and device compliance policies.
• Coexistence requirements. Migrated users needed continued access to source tenant resources, requiring post-migration guest account provisioning and cross-tenant access configurations.
• Delegate mailbox dependencies. Executive and shared mailboxes with delegate permissions required careful sequencing. Delegates needed to migrate alongside the mailboxes they managed to avoid access disruption.
• Licensing group automation. Users needed to be automatically assigned the correct M365 licenses in the target tenant based on their source licensing, using group-based licensing synchronized through directory sync.

How did LeadThem approach the migration?

Phase 1: Discovery and migration design

Our consultant began with a thorough discovery phase using Quest Enterprise Reporter to audit the source environments. This included scoped directory discoveries filtered by security groups across each source tenant, Exchange Online mailbox inventories, and OneDrive data assessments. The discovery informed a migration design that accounted for short-term coexistence, so migrated users would retain access to source tenant resources through guest accounts.

Week 1: Environment onboarding. Configured Quest On Demand Migration and ODMDS with service accounts across all source and target tenants. Installed Enterprise Reporter for source environment discovery. Ran scoped discovery collections across each campus tenant.

Week 2: Migration design and DirSync configuration. Finalized the migration design supporting short-term coexistence. Configured directory synchronization with custom Entra ID attribute filtering using the 'Fax' attribute to scope in-scope migration objects. Built provisioning templates with required attributes and automated licensing group assignments.

Week 3: Pilot testing and device migration. Provisioned and tested pilot user migrations including mailbox, OneDrive, and Teams data. Began Entra ID-joined device migration testing and resolved Intune policy conflicts that were preventing devices from joining the target tenant. Created custom ODMAD tasks for post-migration Intune user sync to bring devices into compliance.

Weeks 4-6: Production migration waves. Executed daily migration waves of 15-20 users including mailbox cutover, OneDrive data sync, Teams 1:1 chat migration, and device re-enrollment. Developed post-migration PowerShell scripts to provision guest accounts in source tenants and add users to cross-tenant Teams groups. Worked through complex delegate mailbox sequencing for executive migrations.

Weeks 7+: Executive migrations and cleanup. Completed high-profile CEO and CFO migrations with dedicated lab testing for delegate and meeting-link migration scenarios. Resolved mismatched user objects causing licensing conflicts. Continued daily migration batches with iterative process improvements.

What technical challenges did we solve?

• Intune enrollment policy conflicts. Target tenant policies blocked personal device joins, preventing migrated workstations from re-enrolling. Our engineer identified the conflicting policies, worked with the client to adjust Intune configuration, and created a custom ODMAD task to automate the post-migration Intune sync process.
• DirSync attribute synchronization. Standard Entra ID extended attributes did not synchronize the same way as AD extended attributes. Our team opened a support case and implemented a workaround using custom attribute read filters to properly scope migration objects.
• Photo attribute sync. Profile photo synchronization failed due to missing Microsoft Graph permissions. Our engineer identified that ProfilePhoto.ReadWrite.All needed to be granted to the Quest On Demand Migration enterprise application in the target tenant.
• Delegate mailbox migration sequencing. When delegates were migrated separately from the mailboxes they managed, meeting links and calendar delegation broke. Our team tested multiple scenarios in a lab environment and established the best practice of migrating delegates simultaneously with their managed mailboxes.
• User object mismatches. During production migration, four users were incorrectly matched to external user objects in the target tenant, causing licensing and mail delivery issues. Our engineer identified the root cause, unlatched the mismatched users, and rebuilt the correct associations.

What were the results?

All 500 users were successfully migrated from multiple source tenants to the consolidated target Microsoft 365 environment. Each user's mailbox, OneDrive data, Teams chats, and Entra ID-joined workstation were migrated with coexistence maintained throughout. The university now operates on a single, unified M365 platform with centralized management and consistent user experience across all campuses.

Which tools and technologies were used?

• Microsoft 365 (Exchange Online, OneDrive for Business, Microsoft Teams)
• Microsoft Entra ID and Intune for device management
• Quest On Demand Migration (ODM T5) for cross-tenant migration
• Quest ODMDS (Directory Synchronization) with custom attribute filtering
• Quest ODMAD for automated device migration tasks
• Quest Enterprise Reporter for source environment discovery
• PowerShell automation for post-migration guest account provisioning

Why LeadThem Consulting

This engagement shows LeadThem Consulting's ability to manage complex, multi-tenant Microsoft 365 migrations that go beyond simple mailbox moves. When device migration challenges threatened the timeline, our team did not just escalate. They troubleshot Intune policies, built custom automation, and tested solutions in lab environments before deploying to production. That combination of technical depth, proactive problem-solving, and transparent project management is what makes LeadThem the right partner for organizations facing complex M365 consolidations.

How long does a cross-tenant Microsoft 365 migration take for a 500-user university?

About four months end to end for this engagement, including discovery, pilot testing, device migration, daily production waves of 15-20 users, and post-migration cleanup. Most university tenant consolidations of this scale run three to five months depending on device-migration scope and coexistence requirements.

What tool does LeadThem use to migrate Entra ID-joined workstations between tenants?

Quest ODMAD with custom post-migration Intune sync tasks. The workstations are unenrolled from the source tenant, joined to the target Entra ID, and re-enrolled in the target tenant's Intune, with compliance and configuration policies reapplied automatically.

Can users keep access to the old tenant during the migration?

Yes. The migration design provisions guest accounts in the source tenants for migrated users and configures cross-tenant access so users can continue to use resources, Teams chats, and shared files in both environments until the source tenants are decommissioned.

What gets migrated in a cross-tenant M365 migration?

Exchange Online mailboxes (including delegates and calendar), OneDrive for Business content with permissions, Teams 1:1 and channel chats, SharePoint sites, M365 Groups, and Entra ID identities. For this engagement, Entra ID-joined workstations were also migrated to the target tenant with Intune re-enrollment.

How are delegate mailboxes handled during migration?

Delegates and the mailboxes they manage are migrated in the same wave. Migrating them separately breaks meeting links, calendar permissions, and shared inbox access, so sequencing them together is the established best practice for executive and shared mailbox migrations.