Two identity migration mistakes that derail M365 tenant-to-tenant cutovers

TL;DR: Two identity mistakes that derail M365 tenant-to-tenant cutovers: running a pilot without a real domain cutover and provisioning users and handing out credentials in the same weekend. Fix: throwaway domain with real devices, provision weeks early, hand out keys late.
Picture it: a 400-user accounting firm just acquired by a company with 3,000 users already in the destination tenant. 12-week project. Big-bang weekend cutover. Standard M365 workloads—OneDrive, Exchange, Teams, around 80 SharePoint sites, 15 Microsoft 365 Groups, 12 shared mailboxes.
Two identity-related mistakes show up in this kind of migration. Both are avoidable.
The first: running a pilot without a real domain cutover. The second: provisioning users and handing out credentials in the same weekend.
Fortunately, both are fixable before they happen.
Mistake 1: Running a pilot that never tests real identity cutover
IT teams responsible for tenant-to-tenant migrations often don't perform a full domain cutover test with physical laptops and mobile devices.
The typical approach uses staging UPNs and sample content. The domain never moves. MFA enrollment never fires. Devices never re-register. What gets tested is whether content copies, not whether users can sign in and work normally after a real cutover.
The failure mode this creates: identities are provisioned the morning of cutover, and MFA enrollment hits Monday at 9 AM.
What a real pilot looks like:

For a good test, buy a throwaway domain. Take up to ten pilot users on real devices. Do a full DNS swap on the test domain. Validate on laptops, iPhones, and Androids—OneDrive, Teams, and Outlook.
The learnings from this test go into the communications, FAQs, and documentation for the real cutover.
Mistake 2: Provisioning users and handing out credentials in the same weekend
Provision identities early. Hand out the keys later. These are two separate events that can be weeks apart.

Provisioning is creating users and groups in the target tenant weeks before cutover. Users should not have credentials for the target tenant at that point—that comes at cutover or after.
When both happen in the same weekend, every user hits the new tenant for the first time simultaneously. The help desk categories that flood the queue in the first week are predictable: passwords, MFA, new devices, and users who can't find their data.
When provisioning happens weeks before cutover — with users unable to sign in yet — content migration runs against those accounts in the background. Mailbox content, OneDrive, SharePoint, and Teams migrate into provisioned identities before the domain moves. Cutover day is when sign-in is enabled, credentials are distributed, and the domain is flipped.
One exception: early access for a defined pilot or test group is deliberate and acceptable — for example, if they need to test Power Platform artifacts. Early access for everyone is the mistake.
What this looks like on a project timeline
- Weeks before cutover: provision users and groups in the target tenant, stage content into destination identities
- Run a real pilot with a throwaway domain during this window—validate on real devices, document findings for cutover communications and FAQs
- Cutover day: enable sign-in, distribute credentials, flip the domain
- Run a delta migration after the domain moves—OneDrive URLs change when UPNs change, so the mapping used during staging stops working and needs to be refreshed
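
One way to enforce the split between provisioning and credential handout with the Microsoft Graph PowerShell SDK, as an added example that is not code from the article or from ShareGate. The mapping CSV with a `TargetUPN` column and the pilot group ID are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups
# Added example: checks that staged identities in the target tenant cannot sign in
# before cutover, and enables them only when -EnableSignIn is passed on cutover day.
# Assumptions (not from the article): a mapping CSV with a TargetUPN column lists the
# staged users, and approved early-access users are members of one pilot group.
param(
    [Parameter(Mandatory)] [string] $MappingCsv,    # hypothetical file, e.g. .\user-mapping.csv
    [Parameter(Mandatory)] [string] $PilotGroupId,  # object ID of the pilot group
    [switch] $EnableSignIn                          # cutover day only
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.Read.All'

# Pilot members are the only accounts allowed to be enabled before cutover.
$pilotIds = @((Get-MgGroupMember -GroupId $PilotGroupId -All).Id)

$staged  = @()
$missing = @()
foreach ($row in Import-Csv -Path $MappingCsv) {
    try {
        $staged += Get-MgUser -UserId $row.TargetUPN -ErrorAction Stop `
            -Property Id, UserPrincipalName, AccountEnabled
    } catch {
        $missing += $row.TargetUPN   # not provisioned yet: content has nowhere to land
    }
}

$enabledEarly = @($staged | Where-Object { $_.AccountEnabled -and $_.Id -notin $pilotIds })

if (-not $EnableSignIn) {
    $missing      | ForEach-Object { Write-Warning "Not provisioned: $_" }
    $enabledEarly | ForEach-Object { Write-Warning "Sign-in enabled outside pilot: $($_.UserPrincipalName)" }
    if ($missing.Count -or $enabledEarly.Count) { exit 1 }
    Write-Output "OK: $($staged.Count) staged accounts, none enabled outside the pilot group."
    return
}

# Cutover day: refuse a partial flip, then enable sign-in for every staged account.
if ($missing.Count) { throw "$($missing.Count) mapped users are missing; aborting." }
$staged | Where-Object { -not $_.AccountEnabled } | ForEach-Object {
    Update-MgUser -UserId $_.Id -AccountEnabled:$true
    Write-Output "Enabled: $($_.UserPrincipalName)"
}
```

Run without `-EnableSignIn`, it works as a recurring check during the staging weeks: a non-zero exit means an account outside the pilot group can already sign in to the target tenant, or a mapped user has not been provisioned.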
The help desk reality
For the first week or two, the help desk will run very hot. The four categories are predictable: passwords, MFA, new devices, finding data.
Plan 50% to 100% extra help desk capacity for one week, sometimes longer. Create internal documentation, FAQs, and screen recordings before cutover. Train the help desk on the plan of action for each category. Communicate honestly — tell users to expect some friction in week one and tell them exactly how to get help fast.
Want to see the full migration sequence from identity to cutover? Watch the on-demand recording: How to sequence M365 tenant-to-tenant migrations from identity to cutover.
If your project is a cloud-to-cloud tenant-to-tenant migration, ShareGate Migrate handles identity staging, content migration, and delta passes in one workflow—with safe re-runs so you can migrate content into provisioned accounts across multiple waves before cutover day arrives.







