Driving Security and Productivity Feature Adoption

Tenant-to-tenant migration planning is usually a byproduct of a merger and acquisition IT integration project. Each project brings its challenges, whether it is the scale of the migration or the need to conduct a big bang cutover for all workloads and users over a weekend. A more measured approach where users move gradually is easier to manage, but that’s not always possible.

Outside the choice of Office 365 tenant-to-tenant migration tools to move user identities and data to the destination tenant, the user experience is a major success factor in any migration. It is critical to have proper communication templates in place to help users get through the migration along with any new security and productivity features.

In this article, I review the most common user experience scenarios to consider in your tenant-to-tenant migration planning and how to add in the adoption of security and productivity features.

Reconfiguration of Desktops for Microsoft 365 Services

Following a migration, a few steps might be necessary to get end-user desktops back online and operational. The Outlook profile probably needs to be reconfigured to point to their new mailbox in the target tenant. Permissions for shared mailboxes moved as part of the migration should be re-established. Users need to check calendar appointments and meetings to ensure that they are still valid. For example, the deep link in calendar events for online Teams meetings points to the source tenant and not the target tenant, so users should reschedule meetings in the target tenant.

For OneDrive for Business and Teams, the user must sign out of each application using the source UPN and sign back in using the target UPN. If not, the authentication token for the source tenant might remain valid for a period, which could lead to sign-ins continuing to connect to the source tenant. Users should be told to sign out of and shut down any applications utilizing Microsoft 365 services (Outlook, OneDrive, Teams) on their desktop before migration. If necessary, you can run the script below to revoke user authentication tokens:

#use global administrator credentials to connect to the source tenant
Connect-AzureAD
#import list of UPNs for users, use ID as header in CSV file
$Users = Import-Csv C:\temp\userlist.csv
#retrieve each user by exact UPN (-SearchString can match more than one user)
$UserIDs = foreach ($user in $Users) { Get-AzureADUser -ObjectId $user.ID }
#revoke refresh tokens so each user must sign in again
foreach ($userID in $UserIDs) { Revoke-AzureADUserAllRefreshToken -ObjectId $userID.ObjectId }
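A variant of the script above that handles each user separately, records failures, and confirms the revocation by re-reading the user's RefreshTokensValidFromDateTime property. This is an added example, not the author's script: the function name Revoke-MigratedUserTokens, the report columns, and the report path are assumptions, and it needs the AzureAD module with a Connect-AzureAD session already open in the source tenant.

```powershell
# Added example (not from the original article). Requires the AzureAD module
# and an existing Connect-AzureAD session in the source tenant.
function Revoke-MigratedUserTokens {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $CsvPath   # CSV with an ID column holding UPNs
    )
    foreach ($row in Import-Csv -Path $CsvPath) {
        $upn = $row.ID.Trim()
        $result = [pscustomobject]@{
            UPN = $upn; Revoked = $false; ValidFrom = $null; Error = $null
        }
        try {
            # -ObjectId accepts a UPN and resolves to a single user or fails
            $user   = Get-AzureADUser -ObjectId $upn -ErrorAction Stop
            $before = $user.RefreshTokensValidFromDateTime

            Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId -ErrorAction Stop

            # Revocation moves RefreshTokensValidFromDateTime forward. Re-read it
            # to confirm; directory replication can lag, so treat a False here
            # as "check again" rather than proof of failure.
            $after = Get-AzureADUser -ObjectId $user.ObjectId -ErrorAction Stop
            $result.ValidFrom = $after.RefreshTokensValidFromDateTime
            $result.Revoked   = ($after.RefreshTokensValidFromDateTime -gt $before)
        }
        catch {
            # Keep going: one bad UPN should not stop the rest of the batch
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

$report = Revoke-MigratedUserTokens -CsvPath 'C:\temp\userlist.csv'

# Show the accounts that need a second look, then keep the full record
$report | Where-Object { -not $_.Revoked } | Format-Table UPN, ValidFrom, Error
$report | Export-Csv -Path 'C:\temp\revocation-report.csv' -NoTypeInformation   # assumed path
```

Revoking refresh tokens does not cancel access tokens that were already issued; those stay usable until they expire, which is why users should still sign out of and close the applications before migration.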

Another issue to keep in mind with migrated OneDrive for Business documents is that, unless the migration tool reconfigures the sharing links for documents, users will very likely need to reshare documents post-migration. You can read more about this scenario and how to help users to fix the problem here.

For Office desktop applications, if people use Microsoft apps for enterprise (Microsoft 365 Pro Plus) in both tenants, then they just need to sign out of any of the Office apps and sign back in with their target credentials to activate the Office license against the target tenant. There can be issues with activation caused by the access token for authentication and the source license activation not being properly cleared. A Microsoft support article covers how to address these activation issues.

Reconfiguration of Mobile Devices for Microsoft 365 Services

A variety of scenarios exist where it might be necessary to reconfigure mobile applications and mobile devices.

If a mobile device management (MDM) solution is in place, users might need to unenroll their device from the MDM solution in the source tenant and enroll the device in the MDM solution in the target tenant.

If mobile application management (MAM) policies for supported Microsoft 365 applications with Intune are in place or need to be deployed, the conditional access policies will need to be validated with the correct targeted users, Microsoft 365 applications, conditions, and access controls.

Security and Productivity Adoption Post-Migration

During tenant-to-tenant migration planning, it’s worth considering if the project can accelerate the adoption of security and productivity features in the target tenant. This might be necessary if the target tenant already uses security and productivity features that aren’t used in the source tenant.

The goal should be to normalize user adoption of these features while bringing everyone to the same feature set in the target tenant. Users might consider achieving the goal as positive or negative depending on what new features you want them to adopt.

A typical example that brings both security and productivity feature benefits is a push to move from Exchange ActiveSync clients to Outlook Mobile as the preferred mail client on mobile devices and tablets. Productivity features include delegate access to M365 mailboxes and shared mailboxes. Security features include reading sensitivity labels applied to messages and leveraging MAM capabilities with copy and paste functionality and screenshot functionality that are only available within the app and shared with other supported M365 applications. You can read more about the security and productivity features of Outlook Mobile here.

Details of how to use new features should be communicated separately to end users outside of the steps they will go through as part of the migration. Keeping the migration separate from new functionality will help avoid confusion.

An example of this is when a difference in Microsoft 365 and Enterprise Mobility + Security (EMS) licensing exists between the source and target tenants. You could have E3 licensing in the source and E5 licensing in the target, E5 in the source and E3 in the target, or a combination of E3 and other a la carte license options. From a user perspective, these differences can affect risk-based and intelligent data classification and labeling within Office, Exchange, Teams, and SharePoint Online/OneDrive for Business. Microsoft E3 and E5 differences include Teams phone system and telephony, which could be a factor if conferencing systems change as part of the migration.

During the migration, an opportunity exists to ask users to review access to data in the different workloads. Review mailbox access to see if other users still need delegate access to other people’s mailboxes or shared mailboxes. In the same way, users can review access to OneDrive for Business content to consider whether appropriate access exists to documents and folders.

User Experience and Adoption Matters

The user experience is what people remember when going through a migration. Tenant-to-tenant migration planning must consider user adoption of security and productivity features to help transition into the new organization. Feedback from users to the service desk and project team helps gauge the success of the migration and identify areas to improve user productivity.

About the Author

Julian Stephan

Julian Stephan has been working with Microsoft technologies for over 16 years in various architecture, operation, and migration roles. As a Principal Consultant at Quest Software, he helps customers with planning and migrating to Microsoft 365 and Azure with a focus on tenant-to-tenant migrations, Exchange migration, Azure migration, identity migration, and automation.
