Consolidating Entra ID tenants after an acquisition: What IT admins need to know

TL;DR: Merging two Microsoft 365 tenants after an acquisition starts with getting identity right. This blog walks through what that actually involves and what breaks if you skip it.
The acquisition closed. Leadership wants everyone on the new tenant. IT now owns two separate Microsoft 365 environments and needs to make them one.
Mailboxes can feel like the obvious starting point, but they're not. Before a single mailbox moves, users, groups, and licenses need to exist correctly in the target tenant. Get that wrong and mailboxes fail, permissions break, and the acquired team can't access their files on Monday morning.
This article covers what makes post-acquisition consolidation harder than a standard migration, the right order to do things, what Microsoft gives you natively, and what to plan for after cutover.
Why post-acquisition tenant consolidation is harder than a standard migration
The target tenant isn't empty. In a standard migration, you move into a clean destination. Here, you're merging into a tenant that already has thousands of users. Groups named Finance, HR, IT, and Marketing already exist. Migration tools can duplicate them, confuse them, and give the wrong group access to sensitive sites.
User matching needs more care than you might expect. Common surnames like Smith or Patel across two tenants can result in the wrong person being mapped to a sensitive site. The mapping file needs to include the source and target UPN, source and target group names, and target licenses.
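A pre-flight check for the mapping file described above, as an added example that is not part of the original post or any vendor tool. The column names, domains, license label and the two "existing" lists are constructed stand-ins for your own mapping file and an export of the target tenant.

```powershell
# Added example: sample rows, column names, domains and license labels are constructed.
$userMap = @'
SourceUPN,TargetUPN,TargetLicense
j.smith@acquired.example,j.smith@parent.example,LICENSE-A
john.smith@acquired.example,j.smith@parent.example,LICENSE-A
r.patel@acquired.example,r.patel@parent.example,LICENSE-A
a.ng@acquired.example,a.ng@parent.example,
'@ | ConvertFrom-Csv

$groupMap = @'
SourceGroup,TargetGroup
Finance,Finance
HR,ACQ-HR
'@ | ConvertFrom-Csv

# Stand-ins for an export of what already exists in the target tenant.
$existingUpns   = 'r.patel@parent.example', 'm.jones@parent.example'
$existingGroups = 'Finance', 'HR', 'IT', 'Marketing'

function Test-MappingFile {
    param($UserMap, $GroupMap, [string[]]$ExistingUpns, [string[]]$ExistingGroups)

    # Two source accounts collapsing onto one target UPN.
    $UserMap | Group-Object TargetUPN | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Check = 'DuplicateTargetUPN'; Item = $_.Name
                           Detail = ($_.Group.SourceUPN -join ', ') }
    }
    foreach ($u in $UserMap) {
        # Target UPN is already held by an account in the target tenant:
        # confirm it is the same person before any permission is mapped to it.
        if ($ExistingUpns -contains $u.TargetUPN) {
            [pscustomobject]@{ Check = 'TargetUPNExists'; Item = $u.TargetUPN
                               Detail = "mapped from $($u.SourceUPN)" }
        }
        if ([string]::IsNullOrWhiteSpace($u.TargetLicense)) {
            [pscustomobject]@{ Check = 'MissingLicense'; Item = $u.SourceUPN
                               Detail = 'no target license in mapping' }
        }
    }
    foreach ($g in $GroupMap) {
        # Same name as an existing target group: source members would inherit its access.
        if ($ExistingGroups -contains $g.TargetGroup) {
            [pscustomobject]@{ Check = 'GroupNameCollision'; Item = $g.TargetGroup
                               Detail = "source group '$($g.SourceGroup)'" }
        }
    }
}

Test-MappingFile $userMap $groupMap $existingUpns $existingGroups | Format-Table -AutoSize
```

Every finding is a row to resolve by hand before migration starts; a `TargetUPNExists` hit may be a legitimate match, but it should be confirmed against something stronger than a name.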
The acquired company's domain has to move. Many acquired companies keep their email domain after consolidation. That domain has to be released from the source tenant before it can be added to the target. Microsoft won't let you remove a domain while any users, aliases, groups, or contacts still reference it. Every reference has to be stripped first.
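One way to list what still references the domain before attempting removal, as an added example that is not from the original post. It works on a constructed CSV export; the column names, the `;`-separated proxy address format and both domains are assumptions of this example.

```powershell
# Added example: the export rows and both domains are constructed sample data.
$export = @'
Type,Name,UserPrincipalName,ProxyAddresses
User,J. Smith,j.smith@parent.example,SMTP:j.smith@parent.example;smtp:j.smith@acquired.example
User,R. Patel,r.patel@acquired.example,SMTP:r.patel@acquired.example
Group,Finance,,SMTP:finance@parent.example;smtp:finance@acquired.example
Contact,Vendor,,SMTP:billing@notacquired.example
User,M. Jones,m.jones@parent.example,SMTP:m.jones@parent.example
'@ | ConvertFrom-Csv

function Find-DomainReference {
    param([Parameter(Mandatory)]$Objects, [Parameter(Mandatory)][string]$Domain)

    foreach ($o in $Objects) {
        # Candidate addresses: the UPN plus every proxy address (primary or alias).
        $candidates = @()
        if ($o.UserPrincipalName) {
            $candidates += [pscustomobject]@{ Field = 'UserPrincipalName'; Value = $o.UserPrincipalName }
        }
        foreach ($p in ($o.ProxyAddresses -split ';' | Where-Object { $_ })) {
            $candidates += [pscustomobject]@{ Field = 'ProxyAddress'; Value = $p }
        }
        foreach ($c in $candidates) {
            # Compare the part after the last '@' exactly, so 'notacquired.example'
            # is not mistaken for 'acquired.example'.
            $suffix = ($c.Value -split '@')[-1]
            if ($suffix -eq $Domain) {
                [pscustomobject]@{ Type = $o.Type; Name = $o.Name; Field = $c.Field; Value = $c.Value }
            }
        }
    }
}

$refs = Find-DomainReference -Objects $export -Domain 'acquired.example'
$refs | Format-Table -AutoSize
"{0} reference(s) still block removal of the domain" -f (@($refs).Count)
```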
DNS propagation has no SLA. After the domain is validated in the target tenant, propagation can take anywhere from five minutes to over ten hours. Microsoft gives no timing guarantee. Companies sometimes lose the credentials for their DNS registrar. Confirm DNS access before you start.
The right order: identity, mailboxes, workloads
1. Identity
Before any content moves, users and groups need to exist in the target tenant: member users, guest users, security groups, and Microsoft 365 groups, with the correct UPNs, attributes, and licenses.
Identity means groups too. The most common mistake is treating identity as just user accounts. Security groups and Microsoft 365 groups are also used to assign permissions. Get groups wrong and permissions break silently when content arrives.
Migration tools will move OneDrive, Teams, and SharePoint content even if identities are missing. But incremental migrations don't backfill permissions if the identity foundation wasn't right from the start.
2. Provision early, hand out keys late
Provisioning users and handing out credentials are two separate events, weeks apart. Users and groups go into the target tenant weeks before cutover, with sign-in disabled. Credentials go out at cutover or after. Put both in the same weekend and every user hits MFA enrollment at the same time on Monday morning.
3. Mailboxes
Mailbox migration depends on users existing in the target with specific attributes already stamped: ExchangeGuid, ArchiveGuid, LegacyExchangeDN, and PrimarySmtpAddress. The move won't proceed without them.
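A readiness check for those attributes, as an added example that is not part of the original post or of CTIM. It assumes, following Microsoft's cross-tenant mailbox migration prerequisites, that ExchangeGuid and ArchiveGuid on the target MailUser must equal the source values and that the source LegacyExchangeDN must appear on the target as an `x500:` proxy address; the rows, the Alias join key and the column names are constructed.

```powershell
# Added example: GUIDs, DNs and addresses below are constructed sample data.
$source = @'
Alias,ExchangeGuid,ArchiveGuid,LegacyExchangeDN
jsmith,11111111-1111-1111-1111-111111111111,22222222-2222-2222-2222-222222222222,/o=Acquired/ou=Recipients/cn=jsmith
rpatel,33333333-3333-3333-3333-333333333333,00000000-0000-0000-0000-000000000000,/o=Acquired/ou=Recipients/cn=rpatel
'@ | ConvertFrom-Csv

$target = @'
Alias,ExchangeGuid,ArchiveGuid,PrimarySmtpAddress,EmailAddresses
jsmith,11111111-1111-1111-1111-111111111111,00000000-0000-0000-0000-000000000000,j.smith@parent.example,SMTP:j.smith@parent.example;x500:/o=Acquired/ou=Recipients/cn=jsmith
rpatel,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,r.patel@parent.example,SMTP:r.patel@parent.example
'@ | ConvertFrom-Csv

function Test-TargetMailUser {
    param($Source, $Target)

    $zeroGuid = [guid]::Empty.ToString()   # an all-zero GUID means "never stamped"
    foreach ($s in $Source) {
        $t = $Target | Where-Object Alias -eq $s.Alias | Select-Object -First 1
        $issues = @()
        if (-not $t) {
            $issues += 'no target MailUser'
        } else {
            if ($t.ExchangeGuid -eq $zeroGuid -or $t.ExchangeGuid -ne $s.ExchangeGuid) {
                $issues += 'ExchangeGuid not stamped from source'
            }
            # Only required when the source mailbox actually has an archive.
            if ($s.ArchiveGuid -ne $zeroGuid -and $t.ArchiveGuid -ne $s.ArchiveGuid) {
                $issues += 'ArchiveGuid not stamped from source'
            }
            if (($t.EmailAddresses -split ';') -notcontains "x500:$($s.LegacyExchangeDN)") {
                $issues += 'LegacyExchangeDN missing as x500 proxy'
            }
            if ([string]::IsNullOrWhiteSpace($t.PrimarySmtpAddress)) {
                $issues += 'PrimarySmtpAddress empty'
            }
        }
        [pscustomobject]@{ Alias = $s.Alias; Ready = ($issues.Count -eq 0); Issues = ($issues -join '; ') }
    }
}

Test-TargetMailUser -Source $source -Target $target | Format-Table -AutoSize -Wrap
```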
Mailbox delegate permissions (Full Access, Send As, Send on Behalf) live on the mailbox object itself, not in the mail content. They don't come across automatically. Handle them during migration.
4. Workloads
OneDrive, SharePoint, and Teams follow mailboxes. Room and equipment mailbox access doesn't come over automatically. Handle it directly.
Related reading: Two identity migration mistakes that derail M365 tenant-to-tenant cutovers
What Microsoft gives you natively
Microsoft has a few tools that come up. Two of them help. One of them doesn't, and it's worth knowing which is which before you start.
Cross-tenant synchronization isn't a consolidation tool. Microsoft says so directly: "Cross-tenant synchronization isn't a migration tool because the source tenant is needed for synchronized users to authenticate." If you're consolidating to one tenant and shutting down the other, it won't work.
Cross-Tenant Identity Mapping (CTIM) is a PowerShell-based tool that maps source users to target MailUser objects and stamps the attributes Exchange Online needs. It runs through five phases: Scoping, Copying, Mapping, Writing, and an extra step for hybrid target tenants. It needs Global Administrator access in both tenants to grant application permissions.
Migration Orchestrator moves content: Exchange Online mailboxes, OneDrive, Teams meetings and chats. It doesn't move shared data like SharePoint sites or Teams channels, and it doesn't handle identity. Mailboxes on hold are blocked from migration. A per-user license is needed, and pricing at general availability hasn't been published.
For a full tool comparison, check out our blog Comparing Entra ID migration tools for your tenant-to-tenant project.
What to plan for after cutover
- Keep the source tenant alive. Don't cancel the source subscription right after cutover. Keep it minimally licensed for 30 days to six months. Use that time to check for anything missed: Power Platform, Planner, Microsoft Project, Loop, Bookings. Microsoft automatically deletes a tenant after approximately 90 to 180 days once all paid subscriptions are cancelled.
- OneDrive URLs change when UPNs change. When UPNs are updated to the new domain after cutover, every OneDrive site URL changes. The mapping used during staging stops working. Run a post-cutover delta migration to pick up changes and use the updated URLs.
- Help desk volume will spike. For the first week or two after cutover, the help desk will run hot. The four most common ticket categories: passwords, MFA enrollment, device sign-in, and users who can't find their data. Plan 50% to 100% extra help desk capacity for at least one week.
If your project is a cloud-to-cloud consolidation after an acquisition, ShareGate Migrate handles identity, mailboxes, and workloads in one workflow, in the right sequence, at a flat annual price.