As the encryption keys are stored in the original tenant, there are generally a few approaches:
- migrate the original domain(s) and ensure all users keep any proxyAddresses associated with protected files,
- the migration tool can decrypt and move the items (optionally re-encrypt them after migration with a suitable label from the target tenant),
- export the key (TPD), then reimport it in the protection solution for the target tenant (either AIP or AD RMS).
Details are here: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/mergers-and-spinoffs/ba-p/910455