Cross-tenant User Data Migration is Now Generally Available!

Microsoft has announced that Cross-tenant user data migration is now generally available. What means User data and how the Identity will move between the organizations with the mailbox move?

Read the announcement here.

Let’s see what this solutions is about.


Some notes

Cross-tenant Exchange mailbox migrations are supported for tenants in hybrid or cloud only, or any combination of the two.

Users migrating must be present in the target tenant Exchange Online system as Mail-Users, marked with specific attributes to enable the cross-tenant moves.

Target side preparation

It will use App registration with application permissions for the migration.

And permissions have to be Consented by an Admin.

Read from my previous posts more on the consenting choices.

Microsoft is saying in the documentation to consent with an URL like this.

Then need some PowerShell to generate Organizational trust and Migration Endpoints.

Source side preparation

Then you will create and Organizational trust in the source side also.


First have to note that Microsoft is developing a feature called Cross-tenant Identity mapping.

Some of notes for it:

  • By automatically configuring variables like ExchangeGuid, ArchiveGuid, and all required X500 proxy addresses, Cross-Tenant Identity Mapping reduces the possibility of errors while configuring what may possibly be thousands of target objects for a migration.
  • Decreases the number of manual processes where an error could cause migrations to fail.
    Identifies automatically the objects that must be migrated from the source organization to the target organization.
  • Creates a 1:1 mapping between a Mailbox User object in the source organization and a Mail Enabled User object that already exists in the target organization.
  • Automates populating necessary properties from Mailbox User in the source organization to the target organization Mail Enabled User provides a list of objects that are ready for cross-tenant mailbox migration based on the PrimarySmtpAddress value of the source organization users.

But for now it will have these constrains:

  • ExchangeGUID must match or the migration won’t start.
  • ArchiveGUID must also match.
  • LegacyExchangeDN has to presented in X500:LegacyExchangeDN format inside user ProxyAddresses attribute.
  • UserPrincipalName will be presented in the target tenant format.
  • PrimarySmtpAddress will also be presented in the target tenant format.
  • TargetAddress attribute will assigned the value of PrimarySmtpAddress if not populated.
  • You cannot add ProxyAddress from the source tenant. As the Custom Domain will reside in the source and it can be added in one Azure AD tenant at the time.

You have to keep Recovered Items size under 30gb or to enable msExchELCMailboxFlags and automatically increase mailbox size to 100gb (see below the limits for mailboxes)

FeatureMicrosoft 365 Business Basic and StandardMicrosoft 365 Business PremiumMicrosoft 365 Enterprise E3/E5Office 365 Enterprise E1Office 365 Enterprise E3/E5Office 365 Enterprise F3
Storage quota for Recoverable Items folder in primary mailbox (not on hold)30 GB30 GB30 GB30 GB30 GB30 GB
Storage quota for Recoverable Items folder in primary mailbox (on hold)100 GB100 GB100 GB100 GB100 GB100 GB
Storage quota for Recoverable Items folder in archive mailbox (on hold)100 GB1.5 TB1.5 TB100 GB1.5 TB100 GB

You can assign a license to the object in advance but keep in this in mind.

If the target MailUser was previously licensed for or had an ExchangeGuid that does not match the Source ExchangeGuid, you need to perform a cleanup of the cloud MEU. For these cloud MEUs, you can run

Here is some tips for the CSV that is needed for creating the batch. The most equivalent is Cross-forest enterprise move but you will discard to Target database as it will be automatically assigned when migration finishes.

You will create the migration batch with the following command.

And more information here.


Notes on OneDrive

  • You have to remove CMK (Customer Managed Keys) from your OneDrive before migrating.
  • For Enterprise Agreement customers, Cross Tenant User Data Migration is an add-on. Licenses for users are per migration (onetime fee)
  • You have to pre-create users and assign a license to them.

Here is an excellent Learn documentation on how to do it, you can do it with the same CSV that you did the mailbox migration previously, just modify those headers.

  • Anyone who clicks on a shared link to the old location after a OneDrive account has been converted will be forwarded to the new one, providing they still have access to the destination. Until the originating tenant is deprovisioned, the redirects are in place. Redirects can also be removed individually by the admin.
  • If they were listed in the identity mapping file, users having access rights to OneDrive content will continue to be able to do so. More on the Identity mapping file

More information here.

Tenant-to-tenant migration

Microsoft has release an PDF for seeing the possibilities this feature gives.


Excellent stuff, just excellent. This is a game changer for acquisitions and mergers. When you also remember that Tenant rename came generally available, you can really do wonders with this solution.

Of course there are still use cases for third-party migrations tools but this a real step forward.

Read my post when this was still in Public preview

And the public documentation on the feature.

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *