It’s been a while since we started using AIP then moved to MIP. Only one department ( TeamA ) is using this feature primarily. As it is a business requirement. For rest or the people, it is optional. Now we have a spin off scenario, where TeamA will split and have a separate tenant. Since only one group is using is primarily. We are thinking of moving the TPD with TeamA. We are expecting that this will provide access to all the documents after splitting off. Also, we are thinking about the documents that might be left protected in the source end. As tenant key is moved to these documents should not be accessible. I have the following questions on the above approach. 1. Is it possible to export the Microsoft Managed Tenant Key and import to the target tenant. 2. What are other dependencies on this approach a. Do we need to migrate the protection template as well ? b. How will user permissions get affected during this migration. As upn will may be different in target tenant. Please provide guidance on the above question and approach. Thank you in advance for your answers!

@Sundram Sontirkey Welcome to the Microsoft Q&A and thank you for posting your questions here. It’s understandable that you want to avoid using AD RMS. Fortunately, there are alternatives to migrating the TPD without reverting to AD RMS: Azure Information Protection (AIP) : You can continue using AIP for your protection needs. The key steps involve: Azure Information Protection (AIP) : You can continue using AIP for your protection needs. The key steps involve: Exporting the TPD : This can be done through a support case with Microsoft. Importing the TPD : Once exported, you can import it into the new tenant without needing AD RMS. Considerations : Protection Templates : Ensure that all protection templates are migrated to the new tenant to maintain document protection settings. User Permissions : Update user permissions to reflect any changes in UPNs in the new tenant. This might involve scripting or using tools to automate the process. Microsoft 365 Tenant-to-Tenant Migration : This approach can help streamline the migration process. Detailed guidance on this can be found in Microsoft’s documentation . By following these steps, you can achieve the migration without needing to switch back to AD RMS. Hope this helps. Do let us know if you any further queries. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

You can find Microsoft's guidance for tenant-to-tenant scenarios here: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/mergers-and-spinoffs/ba-p/910455 As mentioned in the article above, you can export the TPD and import it to another tenant, but that requires a support case. There are other methods to consider though, so make sure you go over them.

Migration of TPD from One Tenant to Another for Company spinoff.

Accepted answer

phemanth 10,330 Reputation points Microsoft Vendor

2024-08-26T13:37:28.95+00:00
@Sundram Sontirkey

Welcome to the Microsoft Q&A and thank you for posting your questions here.

It’s understandable that you want to avoid using AD RMS. Fortunately, there are alternatives to migrating the TPD without reverting to AD RMS:

Azure Information Protection (AIP): You can continue using AIP for your protection needs. The key steps involve:

Azure Information Protection (AIP): You can continue using AIP for your protection needs. The key steps involve:

Exporting the TPD: This can be done through a support case with Microsoft.

Importing the TPD: Once exported, you can import it into the new tenant without needing AD RMS.

Considerations:

Protection Templates: Ensure that all protection templates are migrated to the new tenant to maintain document protection settings.

User Permissions: Update user permissions to reflect any changes in UPNs in the new tenant. This might involve scripting or using tools to automate the process.

Microsoft 365 Tenant-to-Tenant Migration: This approach can help streamline the migration process. Detailed guidance on this can be found in Microsoft’s documentation.

By following these steps, you can achieve the migration without needing to switch back to AD RMS.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Please sign in to rate this answer.

1 person found this answer helpful.
phemanth 10,330 Reputation points Microsoft Vendor

2024-08-27T12:04:41.0266667+00:00

@Sundram Sontirkey Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Sundram Sontirkey 117 Reputation points

2024-08-28T15:20:28.8433333+00:00

Thank @phemanth for providing more clarity. This is really helpful.

Let me give the background that we want to address.

We have 2 Tenant Key currently being used. Only one key is Active Microsoft managed key other are BYOK.

So, there are older documents protected with BYOK Tenant Key. Also, there are new documents which are protected with the new Microsoft Managed Key.

We are sure that we would have to move the BYOK tenant. My concern is Microsoft managed key.

Now we have spin off scenarios. One part of company (say child company) is getting separated. SpinCo is the primary user of MIP. But other parts of the organization also use the MIP protection.

So, there are a large percentage of documents that will move with spinco. Also, there are documents that will stay in parent company. Currently protected with Microsoft managed key.

We have been thinking below approach for addressing the issue. Please correct me if I am wrong in any step.

Approach

Step 1 Rekey in Parent Company

This will create a new Tenant Key2. This will be used to protect all the new documents.

The older Tenant Key1 will get archived for consuming all the documents protected with Key1.

Step 2 Relabel all the documents that will stays in Parent Company

This will make sure that all the documents that stays in Parent Company will have access after the Key migration.

Step 3 Export the Tenant Key 1 from Parent Company and import it to Child company

Please let me know your thoughts on this. Also, let me know what else we must consider on the above scenario.

phemanth 10,330 Reputation points Microsoft Vendor

2024-08-28T16:02:30.8733333+00:00

@Sundram Sontirkey

Your approach seems well thought out. Here are some additional insights and considerations for each step:

Step 1: Rekey in Parent Company

Creating a New Tenant Key: This will indeed create a new Tenant Key2, which will be used to protect all new documents. The older Tenant Key1 will be archived, ensuring that documents protected with Key1 remain accessible.

Step 2: Relabel All Documents That Stay in Parent Company

Relabeling Documents: This step is crucial to ensure that all documents staying in the Parent Company are protected with the new Tenant Key2. This will help maintain access and protection consistency.

Step 3: Export Tenant Key1 from Parent Company and Import It to Child Company

Exporting and Importing Tenant Key1: Exporting Tenant Key1 from the Parent Company and importing it into the Child Company will ensure that documents protected with Key1 remain accessible to the Child Company.

Additional Considerations:

User Permissions: Ensure that user permissions are updated to reflect any changes in UPNs in the new tenant. This might involve scripting or using tools to automate the process.

Protection Templates: Migrate all protection templates to the new tenant to maintain document protection settings.

Communication and Training: Inform and train users about the changes to ensure a smooth transition. This includes explaining how to access protected documents and any new procedures they need to follow

By following these steps and considering the additional points, you should be able to achieve a smooth migration without needing to revert to AD RMS.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Sundram Sontirkey 117 Reputation points

2024-08-29T04:13:13.1+00:00

Thank you @phemanth for the validating the steps and providing insights. It is clearer now what we can do. I will let you know if any confusion.

phemanth 10,330 Reputation points Microsoft Vendor

2024-08-30T11:24:12.7633333+00:00

@Sundram Sontirkey Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

phemanth 10,330 Reputation points Microsoft Vendor

2024-09-02T16:11:34.0033333+00:00

@Sundram Sontirkey Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Sundram Sontirkey 117 Reputation points

2024-09-03T15:25:21.2766667+00:00

Hi @phemanth , we have checking this and started to test in the LAB. Another query I got from the team. We are also migrating files of one drive and SharePoint.

The above-mentioned solution, will that work for files in SharePoint and OneDrive?

Is there anything else we should be taking care?

phemanth 10,330 Reputation points Microsoft Vendor

2024-09-04T09:09:49.74+00:00

Yes, the solution mentioned for migrating the TPD will also work for files in SharePoint and OneDrive.

Here are some additional considerations to ensure a smooth migration:

Migration Tools:

Use tools like the SharePoint Migration Tool (SPMT) or third-party solutions to migrate files from OneDrive and SharePoint. These tools help in transferring files while maintaining metadata and permissions.

Permissions and Access:

Ensure that permissions are correctly mapped in the new tenant. This might involve updating user permissions and ensuring that shared links and access controls are preserved.

Version History:

Check if you need to migrate version history for documents. Some tools allow you to migrate version history, which can be important for maintaining document integrity and audit trails.

Metadata and Custom Columns:

Ensure that any custom metadata or columns in SharePoint libraries are migrated. This might require additional configuration in your migration tool.

Testing and Validation:

Perform thorough testing in a lab environment before executing the migration in production. Validate that all files, permissions, and metadata have been correctly migrated.

By addressing these points, you can ensure a comprehensive and smooth migration process for your OneDrive and SharePoint files.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Sundram Sontirkey 117 Reputation points

2024-09-04T15:54:55.8166667+00:00

Thanks @phemanth , for providing more clarity on the solution.

phemanth 10,330 Reputation points Microsoft Vendor

2024-09-04T16:09:11.1066667+00:00

@Sundram Sontirke

Just checking in to see if the below answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Migration of TPD from One Tenant to Another for Company spinoff.

1 additional answer

Your answer