TL;DR: Microsoft's Cross-Tenant Identity Mapping (CTIM) handles identity attribute stamping but doesn't provision users or cover content, so IT teams will need a third-party tool like ShareGate (cloud-to-cloud), BitTitan, or Quest (hybrid/on-prem) to cover the full migration scope.

You're planning a tenant-to-tenant migration and you've hit the identity question: before any mailbox or SharePoint content moves, users and groups need to exist in the target tenant with the right attributes. Microsoft has a native tool for that, in preview.

The question is whether it's enough for your project or whether you need something that goes further. To help you figure that out, here's a look at Microsoft's native tooling and how third-party options compare.

Manual identity migration

Scripting your way through identity migration is doable. If you're going the PowerShell route, doing identity migration manually means running multiple scripts in sequence. That includes extracting UPNs, generating user mapping files before and after cutover, handling M365 Groups separately, injecting ImmutableIDs, converting guest accounts to members, and dealing with cloud-only accounts differently than hybrid ones.

Here's what linking source and target accounts looks like in a hybrid environment:

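```powershell
# Excerpt: $guid, $adUser and $objectID are set earlier in the script (not shown)
$guidBytes = $guid.ToByteArray()
# Stamp the GUID bytes on the on-premises AD account as its sync anchor
Set-ADUser -Identity $adUser.DistinguishedName -Replace @{ 'ms-DS-ConsistencyGuid' = $guidBytes }
# Set the matching base64 value as the cloud account's onPremisesImmutableId
$body = @{ onPremisesImmutableId = [System.Convert]::ToBase64String($guidBytes) }
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$objectID" -Body $body
```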

And then the guest-to-member conversion reads the CSV that script exported:

```powershell
# $convertedUsersPath points at the CSV exported by the previous script
$convertedUsers = Import-Csv -Path $convertedUsersPath
```

Each step depends on the one before it. In ShareGate Migrate, this all happens in the planning view. Conflicts are flagged before you execute, and override decisions are saved between sessions.

If you want to see what the full manual process looks like, this open-source T2T migration toolkit, built by a Microsoft MVP and published on GitHub, is a good reference.
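The linking step shown earlier depends on every account carrying the same anchor on both sides, so a mis-encoded or reused ImmutableId can attach the wrong identity. The following offline check is an added example, not code from this article or from the toolkit mentioned above; the row shape, function names, GUIDs and UPNs are assumptions constructed for illustration.

```powershell
# Added example (not from the article or toolkit); all GUIDs and UPNs are constructed.
function ConvertTo-ImmutableId([guid]$Guid) {
    # Same encoding as the linking snippet: base64 of Guid.ToByteArray()
    [Convert]::ToBase64String($Guid.ToByteArray())
}
function ConvertFrom-ImmutableId([string]$ImmutableId) {
    try { $bytes = [Convert]::FromBase64String($ImmutableId) } catch { return $null }
    if ($bytes.Length -ne 16) { return $null }   # a GUID is exactly 16 bytes
    [guid]::new([byte[]]$bytes)
}
function Test-ImmutableIdMapping {
    param([Parameter(Mandatory)][object[]]$Rows)
    # base64 is case-sensitive, so look for duplicates case-sensitively
    $dupes = @($Rows | Where-Object ImmutableId |
        Group-Object ImmutableId -CaseSensitive |
        Where-Object Count -gt 1 | ForEach-Object Name)
    foreach ($row in $Rows) {
        $decoded = ConvertFrom-ImmutableId $row.ImmutableId
        $status = if (-not $row.ImmutableId) { 'Missing' }
            elseif ($null -eq $decoded) { 'NotAGuid' }
            elseif ($dupes -ccontains $row.ImmutableId) { 'Duplicate' }
            elseif ($decoded -ne $row.ConsistencyGuid) { 'Mismatch' }
            else { 'OK' }
        [pscustomobject]@{ Upn = $row.Upn; Status = $status }
    }
}

# Constructed rows: Upn, AD ms-DS-ConsistencyGuid, Entra onPremisesImmutableId
$g1 = [guid]'11111111-2222-3333-4444-555555555555'
$g2 = [guid]'66666666-7777-8888-9999-aaaaaaaaaaaa'
$g3 = [guid]'bbbbbbbb-cccc-dddd-eeee-ffffffffffff'
$g4 = [guid]'01234567-89ab-cdef-0123-456789abcdef'
# Encoding mistake: base64 of the GUID's text instead of its 16 bytes
$asText = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$g2"))
$rows = @(
    [pscustomobject]@{ Upn = 'alice@target.example'; ConsistencyGuid = $g1; ImmutableId = (ConvertTo-ImmutableId $g1) }
    [pscustomobject]@{ Upn = 'bob@target.example';   ConsistencyGuid = $g2; ImmutableId = $asText }
    [pscustomobject]@{ Upn = 'carol@target.example'; ConsistencyGuid = $g3; ImmutableId = (ConvertTo-ImmutableId $g3) }
    [pscustomobject]@{ Upn = 'carl@target.example';  ConsistencyGuid = $g2; ImmutableId = (ConvertTo-ImmutableId $g3) }
    [pscustomobject]@{ Upn = 'erin@target.example';  ConsistencyGuid = $g4; ImmutableId = (ConvertTo-ImmutableId $g2) }
    [pscustomobject]@{ Upn = 'dave@target.example';  ConsistencyGuid = $g1; ImmutableId = '' }
)
Test-ImmutableIdMapping -Rows $rows | Format-Table -AutoSize
```

Any row that is not `OK` should be resolved before directory sync runs against the target accounts.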

Microsoft's Cross-Tenant Identity Mapping core use case: identity attribute preparation

CTIM is Microsoft's native tool for mapping user identities between tenants before mailbox migration runs.

CTIM lets you:

  • Map source users one-to-one to target users
  • Automate property updates so migrated users have the correct attributes for a successful transition
  • Maintain a mapping file to track and verify user migrations

It's a prerequisite step, not a provisioning tool. Users and groups need to exist in the target tenant before CTIM runs. CTIM stamps the attributes Exchange Online needs on those objects: ExchangeGuid, ArchiveGuid, and X.500 proxy addresses. Without those attributes correctly set, mailbox migration fails.

CTIM runs through PowerShell across both tenants, source first then target. The process produces a mapping file you review and upload before mailbox migration starts.
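A pre-flight comparison of the three attributes named above, as an added example (not Microsoft's or ShareGate's code). It runs offline on constructed rows whose column names mirror `Get-Mailbox` and `Get-MailUser` output; the UPN map, the `;`-joined `EmailAddresses` export and the function name are hypothetical and do not represent CTIM's mapping file format, and the X.500 address is assumed to be built from the source mailbox's `LegacyExchangeDN`.

```powershell
# Added example. All rows are constructed, not real tenant data.
function Test-StampedAttributes {
    param([object[]]$Source, [object[]]$Target, [hashtable]$UpnMap)
    $targetByUpn = @{}
    foreach ($t in $Target) { $targetByUpn[$t.UserPrincipalName] = $t }
    $noArchive = [guid]::Empty.ToString()
    foreach ($s in $Source) {
        $targetUpn = $UpnMap[$s.UserPrincipalName]
        $t = if ($targetUpn) { $targetByUpn[$targetUpn] }
        $problems = @()
        if (-not $t) {
            $problems += 'TargetObjectMissing'   # CTIM does not provision users
        } else {
            if ("$($t.ExchangeGuid)" -ne "$($s.ExchangeGuid)") { $problems += 'ExchangeGuid' }
            # ArchiveGuid only matters when the source mailbox has an archive
            if ("$($s.ArchiveGuid)" -ne $noArchive -and
                "$($t.ArchiveGuid)" -ne "$($s.ArchiveGuid)") { $problems += 'ArchiveGuid' }
            $x500 = "x500:$($s.LegacyExchangeDN)"
            if (($t.EmailAddresses -split ';') -notcontains $x500) { $problems += 'X500' }
        }
        [pscustomobject]@{ SourceUpn = $s.UserPrincipalName; Problems = $problems -join ',' }
    }
}

$source = @'
UserPrincipalName,ExchangeGuid,ArchiveGuid,LegacyExchangeDN
alice@source.example,11111111-0000-0000-0000-000000000001,aaaaaaaa-0000-0000-0000-000000000001,/o=Src/cn=Recipients/cn=alice
bob@source.example,11111111-0000-0000-0000-000000000002,00000000-0000-0000-0000-000000000000,/o=Src/cn=Recipients/cn=bob
carol@source.example,11111111-0000-0000-0000-000000000003,00000000-0000-0000-0000-000000000000,/o=Src/cn=Recipients/cn=carol
dave@source.example,11111111-0000-0000-0000-000000000004,00000000-0000-0000-0000-000000000000,/o=Src/cn=Recipients/cn=dave
'@ | ConvertFrom-Csv
$target = @'
UserPrincipalName,ExchangeGuid,ArchiveGuid,EmailAddresses
alice@target.example,11111111-0000-0000-0000-000000000001,00000000-0000-0000-0000-000000000000,SMTP:alice@target.example;x500:/o=Src/cn=Recipients/cn=alice
bob@target.example,11111111-0000-0000-0000-000000000002,00000000-0000-0000-0000-000000000000,SMTP:bob@target.example
dave@target.example,11111111-0000-0000-0000-000000000004,00000000-0000-0000-0000-000000000000,SMTP:dave@target.example;x500:/o=Src/cn=Recipients/cn=dave
'@ | ConvertFrom-Csv
$map = @{}   # hypothetical source-to-target UPN map
$source | ForEach-Object { $map[$_.UserPrincipalName] = $_.UserPrincipalName -replace '@source\.', '@target.' }
Test-StampedAttributes -Source $source -Target $target -UpnMap $map | Format-Table -AutoSize
```

With these rows, alice is reported for `ArchiveGuid`, bob for `X500`, carol for `TargetObjectMissing`, and dave comes back with no problems.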

  • Pros: Native Microsoft tool. Feeds directly into Migration Orchestrator prerequisites.
  • Cons: PowerShell only. Doesn't provision users or groups, meaning they need to already exist in the target tenant. Covers attribute stamping only; SharePoint, Teams, OneDrive, and group migrations are out of scope.

Good to know

  • You need Global Administrator access in both tenants to grant CTIM application permissions. Exchange Administrator or Microsoft Graph permissions are needed for the remaining steps.
  • CTIM covers identity attribute stamping only. It doesn't provision users, groups, or any content. SharePoint, Teams, OneDrive, and group migrations are out of scope.
  • If you're using Microsoft's Migration Orchestrator for content, running CTIM is a required step. If you're using standalone cross-tenant mailbox migration, it's optional.

For more details, check out the official Microsoft identity mapping documentation to see what CTIM allows you to do.

ShareGate Migrate core use case: cloud-to-cloud M&A, restructuring, and tenant consolidation between M365 tenants

ShareGate Migrate handles identity migration and content migration in the same tool. Copy identities is currently available as a public preview for Migrate Pro and Enterprise customers.

Unlike Microsoft's CTIM, ShareGate's Copy identities feature provisions users and groups directly—you don't need to create them in the target tenant first.

What gets copied

  • Member and Guest users
  • Shared, Room, and Equipment mailboxes (Full Access, Send As, and Send on Behalf)
  • Security Groups (static and dynamic)
  • Unified Groups / Microsoft 365 groups (static and dynamic)
  • Core user properties (name, UPN, job, dept, usage location, employee ID)
  • License assignments (via SKU column)

For the full list of supported properties, limitations, and how domain mapping works, see the Copy identities overview.

  • Pros: Identity and content in one workflow. Conflict detection before execution. Safe re-runs at no extra cost. Flat annual pricing.
  • Cons: Doesn't support on-premises AD or hybrid environments, nor Distribution Lists or Mail-enabled Security Groups.

BitTitan MigrationWiz core use case: on-premises AD and hybrid identity migrations

BitTitan works well when your migration isn't purely cloud-to-cloud. If you're dealing with on-premises Active Directory or a hybrid environment, it covers ground that Microsoft's native tools don't. The Active Directory Migration project within MigrationWiz synchronizes users and security groups between Entra ID tenants, with matching criteria you can configure (UPN, email, SAM account name, or custom fields).

What to watch for: identity migration isn't part of the core MigrationWiz workflow. You'll need a separate Active Directory Migration license per user migrated. For Entra-to-Entra scenarios specifically, auto-sync and simulation mode aren't supported, and distribution lists aren't migrated.

  • Pros: Cloud, hybrid, and on-premises AD covered. Flexible matching criteria. Agent-based architecture handles the sync between tenants.
  • Cons: Identity is a separate license add-on outside the core workflow. Per-user licensing. Simulation and auto-sync not supported for Entra ID destinations.

Quest On Demand Migration core use case: hybrid environments and on-premises AD modernization

Quest is the option to evaluate when your environment goes beyond cloud-to-cloud. It covers on-premises AD, hybrid setups, directory sync, password sync, domain move and rewrite, and Windows 10/11 device migration. Coexistence is supported, with cross-tenant calendar free/busy included.

Identity migration sits under a separate AD licensing tier. There's no trial for those modules and pricing is quote-based.

  • Pros: Deep on-premises and hybrid AD coverage. Password sync, domain rewrite, and device migration included. Coexistence and cross-tenant calendar free/busy supported.
  • Cons: Separate AD licensing required. No trial for AD modules. Pricing requires a sales conversation.

Tool comparison side by side: CTIM vs. ShareGate vs. BitTitan vs. Quest

Here's how the four tools stack up for identity migration. ShareGate's capabilities are expanding regularly based on customer feedback, so check the Copy identities overview for the latest.

| | Microsoft CTIM | ShareGate Migrate | BitTitan MigrationWiz | Quest On Demand Migration |
| --- | --- | --- | --- | --- |
| What it does | Maps source users to target users and automates property updates for a successful migration. | Copies users and groups from Entra ID to complete identity preparation as part of the migration workflow. | Entra ID and Azure Active Directory identity migration for hybrid environments and on-premises modernization scenarios. | Entra ID, on-premises AD, and hybrid identity migration including directory sync, password sync, and domain move and rewrite. |
| User provisioning | No. Users must already exist in the target tenant. | Yes—copies member users, guest users, shared/room/equipment mailboxes. | Yes. Users and security groups. Distribution groups/lists not migrated in cloud-to-cloud scenarios. | Yes. Users, security groups, Microsoft 365 groups, and contacts. |
| Group provisioning | No | Yes—security groups and M365 groups (static and dynamic). | Yes—security groups only in cloud-to-cloud scenarios | Yes—security groups and Microsoft 365 groups |
| On-premises AD | No | No—cloud-to-cloud only | Yes | Yes |
| Permissions | Not covered | Full Access, Send As, Send on Behalf for shared/room/equipment mailboxes | Not documented | Not documented |
| Interface | PowerShell only | UI-based planning view with conflict detection | Simulation mode available | SaaS dashboard with scheduling and automation |
| Content migration | Not covered—separate tool needed | Same tool covers SharePoint, Teams, OneDrive, Exchange | Separate tool—identity is a separate license add-on | Same tool covers AD/Entra ID, Exchange, OneDrive, SharePoint, Teams |
| Pre-migration conflict detection | No dedicated conflict detection—mapping file reviewed manually | Conflicts surfaced before execution. Review and resolve before anything moves. | Simulation mode to preview outcomes before the production pass. Conflict resolution handled during the migration run. | Conflicts and duplicates surfaced before migration starts. Review and resolve before anything moves. |
| Re-runs | Re-running with -Overwrite resets previous mapping work | Yes, included at no extra cost | Per-user license required; each user needs an Active Directory license | Not documented |
| Status | In preview | In preview (Pro and Enterprise customers) | Generally available | Generally available |
| Pricing | Not documented | Flat annual pricing, no per-user fees | Per-user | Quote-based, separate AD licensing |

Frequently asked questions

What's the difference between Cross-Tenant Identity Mapping and ShareGate Migrate's Copy identities?

Cross-Tenant Identity Mapping (CTIM) stamps MailUser attributes needed for Exchange Online mailbox migration on objects that already exist in the target tenant. It doesn't provision users or groups. ShareGate's Copy identities provisions users, security groups, M365 groups, shared/room/equipment mailboxes, and guest users directly, handles group memberships and permissions, assigns licenses, and runs inside the same tool as mailbox and workload migration.

Can Microsoft's Cross-Tenant Identity Mapping handle identity migration without PowerShell?

No. CTIM runs through PowerShell. You'll need Global Administrator access to grant application permissions and Exchange Administrator or Microsoft Graph permissions for the remaining steps.

Do I need a separate tool for identity if I'm already using ShareGate for content migration?

Nope! Copy identities is part of ShareGate Migrate and runs in the same workflow as content migration.