Migrating 2 companies to Exchange Online

Question

Migrating 2 companies to Exchange Online

JRV 561

Company A and Company B have the same owners, AD Domain, on-prem Exchange server, and Exchange Online Protection tenancy. They each have their own email domain.

Company B is being spun off. The goal for this email project is to have two, separate MS365 tenancies.

Company A will keep its existing tenancy and migrate mailboxes to it from the shared on-prem Exchange server via Cutover Migration.

Company B will have a new tenancy and migrate mailboxes to it from the shared on-prem Exchange server via Cutover Migration.

When I use the term "Cutover Migration" I am referring to the process documented here: https://learn.microsoft.com/en-us/exchange/mailbox-migration/cutover-migration-to-office-365

There are really 2 parts to this: The Company B EOP migration while both companies' mailboxes remain on-prem, then the mailbox migration.

I can't set up Company B's domain in their tenancy while EOP is still filtering their mail from Company A's tenancy. MS365 won't allow the same domain to be associated with 2 tenancies. So I have to work around that.

This is the EOP migration plan I've come up with:

Purchase EOP month-to-month for Company B mailboxes (month-to-month because it won’t be needed after mailbox migration; it’s included with MS365 mailboxes).
Configure EOP for Company B tenancy to match relevant portions of EOP in Company A tenancy.
Modify Company B SPF in advance to add new EOP in addition to existing.
Following steps need to be done in one sitting to avoid outages:
a. Point Company B MX to EOP host for Company B's tenancy.
b. Change on-prem Exchange smarthost for Company B to EOP host for Company B.

So now, Company A's tenancy EOP should be performing inbound and outbound filtering for Company A, and Company B's EOP tenancy for Company B. Anyone see any problems with that plan?

----------

Now, we migrate both companies' on-prem mailboxes to their respective MS365 tenancies. I am hopeful that MS365 will allow me to do 2 Cutover Migrations simultaneously from the same on-prem server. Seems like that SHOULD be possible...but does anyone know for sure?

Assuming 2 tenancies can do Cutover Migrations from 1 on-prem Exchange, then this becomes the plan:

Perform steps in https://learn.microsoft.com/en-us/exchange/mailbox-migration/cutover-migration-to-office-365, except that SPF and MX are already changed for Company B and they don't need to be for Company A because they're already set up for EOP.
At "step 5: Route your email directly to Microsoft 365 or Office 365"
a. Remove EOP connector in MS365 for Exchange
b. Remove canyongl.com Send Connector (and smarthost) on Exchange.
c. Remove EOP licenses as they’re no longer needed.
Complete remaining steps in Cutover Migration.

Again...does this seem like it should work? I think the major question is if I can do a Cutover with 2 tenancies and 1 on-prem server, or if I have to do each tenancy separately.

0 comments

3 answers

Your answer

Answer 1

JRV 561

Wow...I submitted this whole answer yesterday and it never showed up. Trying again.

OK. I'd have figured the OA connection would look for SMTP addresses on the mailboxes and import only those. But sounds like this should work.
OK.
OK.
While it is true that I can't verify @companyb.com in Tenant B while it's still associated with Tenant A, I can set up EOP in advance on Tenant B using the companyb.onmicrosoft.com domain. Then remove @companyb.com from Tenant A verify it on Tenant B, and immediately add it to EOP for inbound filtering. As I do so, while the Exchange server is still processing outbound messages, I will have to disable outbound filtering. That's because Exchange 2010 can't send messages from each domain through a different SmartHost. And Tenant A's SmartHost points specifically to their tenancy. Once @companyb.com is removed from Tenant A, the SmartHost will reject outbound emails from @companyb.com because they're from a domain that's no longer associated with Tenant A. Inbound doesn't have that problem: @companya.com and @companyb.com have their own MX's, and both MX's will end up pointing to the same host anyway. I can live without outbound filtering for duration of the migration. Will this not work?

As for your other suggestions, any antispam installed on the Exchange server or an edge server will require an expensive product purchase and configuration. Any month-to-month hosted antispam will have the same Smarthost issue as EOP and require expensive configuration. So to me, the best option is to use EOP month-to-month for Tenant B until migration is completed.

KyleXu-MSFT 26,406 Reputation points

2020-09-18T08:00:48.92+00:00

I sounds could work, one more thing that you need to pay attention to: generally, it takes several hours to change the DNS to take effect.
JRV 561 Reputation points

2020-09-23T21:28:09.013+00:00

Yes, unfortunately, DNS change latency is the one problem I won't be able to solve, no matter what I do. Best I can do is set TTL to 3600.

Thanks for your help; I think I finally have a plan.
JRV 561 Reputation points

2020-09-28T18:53:29.417+00:00

Kyle, one more question.

Would this work?

Buy the MS365 licenses we need and do not buy EOP licenses. Then add the Transport Rule that is used with EOP in Exchange Administration Console, and whatever EOP customization (whitelists, etc.) that were in Tenant A. Won't inbound mail be filtered and then forwarded to the Exchange server, just like EOP (and only EOP) was being used?

Since it's likely to be less than a month between the DNS change and the actual Cutover Migration anyway, it would save some steps.
KyleXu-MSFT 26,406 Reputation points

2020-10-01T09:00:47.36+00:00

Here is an article about mail flow in hybrid: Transport routing in Exchange hybrid deployments. It may be useful to you.

Answer 2

JRV 561

Thanks, KyleXu.

We have about 60 mailboxes between both companies, so we're well within the Cutover limit. And we don't have any practical choice. I'd prefer to use Hybrid Exchange, but the Exchange server is damaged and we can't install Update Rollups. We have to be within the most recent 2 URs to use Hybrid, but we're many URs behind.

"So, if you migrate two tenants at the same time, email address A and email address B mailboxes will be migrated twice." If the Company A tenancy has all users in Company A and none from Company B, it will still migrate email for Company B?

"Cutover migrate to Exchange online one by one." I'm not sure what you mean by, "one by one".

"Use EOP again." Don't MS 365 mailboxes include EOP?

"Stop using the EOP briefly, using Edge server or other third-party tools to filter emails for Exchange on-premises." Why? I think I can see that I'd need to stop filtering outbound because I can't scope Send Connectors for messages sent from specific domains to specific EOP smarthosts. Not filtering outbound is not ideal, but I can live with it for a few weeks. I'd have the same issue regardless of the mail filtering service unless filtering was hosted on the Exchange server itself. Inbound filtering is the big need; inbound seems like it would work just fine. Am I missing something?

KyleXu-MSFT 26,406 Reputation points

2020-09-03T01:55:12.09+00:00
Cutover is the operation for the entire organization, it will copy entire local users to tenant B, you cannot only copy email address B users to tenant B. Since there doesn't exist too many mailboxes, I think it will not be a question, just delete useless users after copying dat.

"One by one": mainly used to save time, since there doesn't exist too much mailbox, just ignore it.

Included

Because you said that you cannot verify domain in new tenant due to it has been verified in EOP that you used. So, using Edge server to replace independent EOP, you will could verify domain and do the next steps in cutover.
KyleXu-MSFT 26,406 Reputation points

2020-09-07T02:27:58.697+00:00

@JRV
Any update about this thread now? If the above suggestion helps, please be free to mark it as an answer for helping more people.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

Now, we migrate both companies' on-prem mailboxes to their respective MS365 tenancies. I am hopeful that MS365 will allow me to do 2 Cutover Migrations simultaneously from the same on-prem server. Seems like that SHOULD be possible...but does anyone know for sure?

Here are some limitation for Cutover Migration:

It suggested migrated mailbox fewer than 150, otherwise, it will consume a lot of time.
It will migrate all mailboxes. So, if you migrate two tenants at the same time, email address A and email address B mailboxes will be migrated twice.

So, I would suggest you:

Stop using the EOP briefly, using Edge server or other third-party tools to filter emails for Exchange on-premises.
You will could remove EOP and verify domain in new tenant.
Cutover migrate to Exchange online one by one.
Using EOP again.

If the response is helpful, please click "Accept Answer" and upvote it.

Share via

Migrating 2 companies to Exchange Online

3 answers

Your answer