Intractable Problems Involved in Merging Office 365 Tenants
Microsoft Makes It Easy to Move to Office 365
Microsoft launched Office 365 in June 2011 and has achieved great market success since then. They make it tremendously easy for companies to move to the cloud, offer hybrid connectivity to ease migration, and continue to deliver new functionality at a staggering rate. It is all good.
Although Microsoft’s FastTrack program is available to help companies move to Office 365, no tools exist to combine or divide Office 365 tenants. This is a surprising situation to be in because it does not reflect the reality of how business works.
Business evolves through competition and does not remain nicely packaged in forms that stay intact for extended periods. Instead, companies merge and split as industries flex and change over time. Mergers and acquisitions are a vital part of how companies grow, evolve, enter new markets, resist competition, and divest assets belonging to businesses associated with markets that they no longer want to be in.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Static Office 365
For all intents and purposes, Office 365 takes a static view of tenants. No mechanisms exist within Office 365 to split off a group of accounts if part the company divests itself of some operating units or absorbs an incoming batch of accounts from an acquisition.
Given that Office 365 (for business) now has more than 100 million monthly active users, it is strange to discover that Microsoft’s only advice on the topic is a support article describing how to migrate mailboxes between tenants. If you need to handle anything else but mailboxes, like migrating SharePoint data, you need to talk to a partner.
An Unsolvable Problem?
Perhaps Microsoft sees this as an unsolvable problem. And to a certain degree, they are right. Mergers and acquisitions are complex processes from both a legal and technical perspective. Although matters can be relatively simple when two small companies combine, difficulties and complexities escalate quickly when larger organizations are involved, especially for multi-national corporations. It is also true that mergers and acquisition projects come in a variety of scenarios, including:
- Both acquired and acquired companies have Office 365 tenants.
- Acquirer has Office 365 and acquired has hybrid/on-premises.
- Acquirer has hybrid/on-premises and acquired has Office 365.
- Acquirer has on-premises and acquired uses Office 365.
- Divestiture of selected parts of companies to form a new company following a merger of other companies.
And so on, including the need to move a participating company from a non-Microsoft platform like Lotus Notes. Add in the need to minimize downtown, to never drop any email in transit, to meet merger timelines, and to minimize the impact on users and you begin to realize the complexity of the problem.
Bespoke Solutions Are the Order of the Day
To some degree, it is understandable that Microsoft has no desire to create functionality that they know might run into difficulties in many cases. Instead, the approach appears to be to leave merges and splits of Office 365 tenants to consultants, who can build bespoke solutions (lots of PowerShell scripts and custom code) to meet the needs of the companies involved. Mergers and acquisitions are expensive anyway, so perhaps it is acceptable to add a little extra to the IT costs involved in these exercises.
Although many small companies use mergers and acquisitions as part of their corporate growth, the challenges involved in these exercises are more pronounced in larger companies. More users need to be deal with, more data processed, and issues such as data sovereignty and different regulatory regimes accommodated.
Dealing with Basic Office 365 Workloads
One thing is for sure: the more use you make of Office 365 functionality, the harder and more expensive it is to combine or split tenants. Dealing with Exchange and SharePoint sites is relatively straightforward. These applications are the basic workloads within Office 365 and have existed as cloud services for a long time. As such, strong ecosystems surround both Exchange and SharePoint, including a mixture of Microsoft and third-party tools is available to move mailboxes and documents around.
Recently, Microsoft has made more storage available to hold Exchange and SharePoint data. For instance, the default mailbox quota is now 100 GB for many Office 365 plans. Users fill these mailboxes because Exchange Online does not automatically remove information from the Deleted Items folder after a period as usually happens for on-premises systems. The net result is that users likely store more data than expected, a factor which can slow movement of mailboxes and sites from one tenant to another.
Public folders are an issue as no method exists to merge and split public folders. However, third-party tools can help by transforming public folders into more usable repositories like shared mailboxes or Office 365 Groups.
Ensuring that Email Continues to Work
Any competent messaging consultant will be able to make sure that mailboxes end up in the right tenant, even if a round-trip via on-premises servers is sometimes necessary. They will also be able to switch DNS (carefully), configure Autodiscover, make sure that MX records point to the right place, permissions for shared mailboxes and mailbox delegates stay intact, and all the other details that underpin messaging. Small details might never work, like Skype for Business meeting links buried in meetings that become invalid when the users who schedule the meetings transfer from one tenant to another.
Attention to detail is always necessary to make sure that mailboxes and other mail-enabled objects have routable email addresses that remain valid during the transition. In addition, transport rules that exist must continue working during the transition to ensure continued compliance with regulations, to apply protection through rights management, prevent the leakage of sensitive data, and so on.
Work might be necessary to make sure that directory synchronization works properly after tenants split or merge together with associated items like single sign-on, federation, and multi-factor authentication. Policies for ActiveSync, data retention, and Data Loss Prevention (DLP) also must be considered to ensure that data continues to be managed.
SharePoint Should be OK, Too
The same is true for SharePoint and OneDrive for Business sites as the necessary tools are available to move documents around. The big issue for SharePoint might be the loss of sharing as any sharing invitations extended by users become invalid if those users move out of a tenant.
One of the reasons why companies can tackle the movement of Exchange and SharePoint data between tenants with confidence is that tools developed over years to handle migrations from on-premises deployments are available to help move mailboxes and documents around. However, complexity escalates when the components that do not exist on-premises are thrown into the mix. Good as the third-party migration tools are, they tend to focus on a single aspect of Office 365, like moving mailboxes or sites, and do not take the newer applications and their data into account.
The Increasingly Complex App Mix Within Office 365
Take Office 365 Groups for instance. Aside from its implementation as Outlook Groups, Office 365 Groups delivers a membership service to other Office 365 applications like Planner, Teams, and StaffHub. The first issue is how to move group conversations and files. Migration tools might be able to help with the SharePoint document library, but you might need to write some code based on the Microsoft Graph API to read group conversations from one tenant and write them into target groups in another tenant. Further issues exist in how to handle the data used for Planner (plan metadata) and Teams (chats). Again, no off-the-shelf method exists to move plan data from one tenant to another.
Groups also link to Dynamics 365 and Power BI, so more planning is necessary to move data from those applications. And what about Office 365 Video (or Microsoft Stream), Sway, OneNote, and so on. As Microsoft increases the number of applications built using Office 365, challenges abound for those charged with the planning for mergers and acquisitions.
The need to deal with compliance issues creates another area of complexity. Inactive mailboxes might have to be restored to move their contents to a different tenant. It might be necessary to bring eDiscovery cases, including those specific to Exchange Online and SharePoint Online, to a conclusion before the data that comes under the scope of these cases can be moved. The resolution of these cases might include a decision about how to deal with information kept through in-place or legal holds. It can be even trickier to handle the data marked as formal records by Office 365 classification labels because the lock placed on this content by Office 365 cannot be removed or modified.
Finally, any data needed for compliance or regulatory purposes must remain immutable while it goes through a merger or acquisition. It is also important to preserve the chain of custody for archival data, especially when keeping information to satisfy strict legal requirements. Failure to ensure immutability and the chain of custody means that it is much harder to defend data legally if challenged in court.
On-premises servers often act as an intermediate transition point for mailbox migration. If very large primary or archive mailboxes exist, it might be impossible to move the mailboxes back to on-premises server before moving them to another tenant.
Encryption is another area of concern. The keys used to secure information through Rights Management services (including Azure Information Protection and transport rules) and Office 365 message encryption belong to a single tenant. It is not going to be possible to decrypt the content of messages moved with mailboxes to another tenant because the original encryption keys are not available to that tenant. Therefore, any critical information protected by encryption must be decrypted before it is moved.
From a licensing perspective, a mismatch might exist between tenants. Take the example where users move from a tenant where E5 licenses are the norm to one where E3 licenses are in place. When his happens, the moved users will lose functionality, like access to the MyAnalytics personal dashboard, unless you upgrade or replace the E3 licenses. Similar issues might exist around Azure Active Directory Premium or the Enterprise Mobility and Security Suite.
It is reasonable to assume that the Office 365 tenant owned by the acquiring company is the end target. In other words, users and data from the acquired company will move to this tenant. In some cases, the easiest approach might be to set up a brand-new Office 365 tenant and use it as the target for all the users who will belong to the company that ends up in place after tenants merge.
Some Glimmer of Light
Despite all the problems involved in making Office 365 tenant merge happen, some hope is on the horizon. Binary Tree has launched their Power365 product to help companies move data between tenants. The current implementation focuses on email and public folders, so it only scratches the surface of the complexity involved in some Office 365 tenants. However, it should be good enough for many.
The nice thing about a company like Binary Tree stepping up to the mark to launch a product is that it validates the need in the market. Other ISVs who work in the migration space like BitTitan, Metalogix, AvePoint, and Quadrotech will have noted Binary Tree’s move to claim the space. I am sure that we will see comparable products appear at or before the Microsoft Ignite conference in September. Depending on their heritage and available software assets, some will approach the problem from Exchange and some from SharePoint. Over time, the prospect exists that full end-to-end solutions will be available.
Follow Tony on Twitter @12Knocksinna.
Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.