Microsoft 365 Cross Tenant Mailbox Migration (Native Tools) | Part 2

Configuration steps to enable your tenants for cross-tenant mailbox migrations

You must configure the target (destination) first. To complete these steps, you are not required to have or know the tenant admin credentials for both source and target tenant. Steps can be performed individually for each tenant by different administrators.

Prepare the target (destination) tenant by creating the migration application and secret

Navigate to Azure Active Directory admin portal > Applications App Registration

Azure AD App Registration

Under App Registrations click on + New Registration

Azure AD App Registration
Azure AD App Registration

Note down Application ID:

Azure AD App Registration (Target Tenant)

Next you need to add this permission “Mailbox.Migration“. Navigate to API Permissions > Add a Permission

Under Request API Permission click on APIs my organization uses and search by “Office 365 Exchange Online

Mailbox Migration API Permission

Click on Office 365 Exchange Online then select Application Permissions, under Mailbox check Mailbox.Migration and click on Add Permissions

Mailbox Migration API Permission
Mailbox Migration API Permission

Make sure admin consent is granted

Granting admin consent

Next you have to create secret for Application, under Certificate & Secrets click + New Client Secret. Note down string value after creating secret.

Configure Organization Relationship (Target Tenant)

Open up PowerShell and connect to Exchange Online and run this script

$sourceTenantId="Enter Source Tenant ID"
$existingOrgRel = $orgrels | ?{$_.DomainNames -like $sourceTenantId}
If ($null -ne $existingOrgRel)
    Set-OrganizationRelationship $existingOrgRel.Name -Enabled:$true -MailboxMoveEnabled:$true -MailboxMoveCapability Inbound
If ($null -eq $existingOrgRel)
    New-OrganizationRelationship "Target-to-Source" -Enabled:$true -MailboxMoveEnabled:$true -MailboxMoveCapability Inbound -DomainNames $sourceTenantId
Cross-Tenant Mailbox Migration Organization Relationship

Configure End Point Connector

Run this piece of script to do this

# Enable customization if tenant is dehydrate
$dehydrated=Get-OrganizationConfig | select isdehydrated
if ($dehydrated.isdehydrated -eq $true) {Enable-OrganizationCustomization}
$AppId = "Enter the Application ID which was created in previous steps"
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AppId, (ConvertTo-SecureString -String "Enter the string value which is created in prevous steps" -AsPlainText -Force)
New-MigrationEndpoint -RemoteServer -RemoteTenant "Domain Name of Source Tenant" -Credentials $Credential -ExchangeRemoteMove:$true -Name "Enter the connector name" -ApplicationId $AppIdd
Cross Tenant Mailbox Migration – Configure End Point Connector

Preparing Target Users

Open up Exchange Admin Center, under Contacts Add Mail User

You need to copy Exchange GUID and LegacyDN of Source Mailbox

Get-Mailbox -identity <> | fl

Now you need to set GUID and Legacy

Set-MailUser -Identity <> -ExchangeGuid "Enter here GUID"
Set-MailUser -Identity <> -EmailAddresses @{add="x500:/ Enter here complete address"

Preparing Source Tenant

Run the following script to establish organization relationship

Create a Mail-Enabled Security group and add members which you want to migrate.

$targetTenantId="Enter the Target Tenant ID"
$appId="Application ID"
$existingOrgRel = $orgrels | ?{$_.DomainNames -like $targetTenantId}
If ($null -ne $existingOrgRel)
    Set-OrganizationRelationship $existingOrgRel.Name -Enabled:$true -MailboxMoveEnabled:$true -MailboxMoveCapability RemoteOutbound -OAuthApplicationId $appId -MailboxMovePublishedScopes $scope
If ($null -eq $existingOrgRel)
    New-OrganizationRelationship "Source-to-Target" -Enabled:$true -MailboxMoveEnabled:$true -MailboxMoveCapability RemoteOutbound -DomainNames $targetTenantId -OAuthApplicationId $appId -MailboxMovePublishedScopes $scope
Cross Tenant Mailbox Migration – Organization Relationships

Granting consent on source side, use the following URL and replace your source tenant domain and Application ID.<Source Domain Name>/adminconsent?client_id=Your-Application-ID&redirect_uri=
Tenant to Tenant Migration – Granting Consent

Creating *.CSV file for user mailbox migration

Creating Migration Batch

Select migration type

Add *.CSV file and your are good to go.

Once migration is completed the Mail User will be converted to User Mailbox automatically.

Migrated User Mailbox on source tenant will be converted to Mail User, so keep in mind it’s actually migration not just copying/syncing the contents.

Demystifying Microsoft 365 Cross-Tenant Migration: A Comprehensive Guide | Part 1

Share the Post:

Related Posts