Office 365 Tenant to Tenant Migration Entra ID - Guest User Part 7

Entra ID | 09/18/2024

In the first part of the blog series, we took a look at the topic of planning and selecting the migration scenario and developed a long-term strategy based on the business and technical requirements and defined how the tenant migration should be implemented schematically.

This is a multi-part article with the following parts:

If we have clarified and defined the requirements and challenges as in the first three parts, and have defined the scope of the migration, we can start with the technical planning and preparation of the migration. This includes a lot of points and technical restrictions that should be considered during the migration and clarified in advance.

Identity

The preparations bring us to the first big topic, or rather the essential one: identity. Before we can migrate and provide data, an identity must exist, and for a smooth migration (usually a cutover) to take place, some preparations have to be made.

Domain

In almost all tenant migrations, the company domain has to be moved from the existing tenant to the new target tenant so that users can be reached at this address again. To migrate the domain, however, no object in the source tenant may still use it. We will discuss this topic in a later article. This section is about the dependency between domains and guest users.

A very common scenario for tenant migration and integration is that there has already been some form of collaboration in the form of joint projects, acquisitions or coordination. In many cases, this was then carried out in the target tenant using Microsoft 365 tools such as Teams, SharePoint, OneDrive, etc.

This brings us straight to the problem. In some cases, guest users are invited to collaborate. These users are always invited via the email address of the corresponding user and are then authorised on the team or SharePoint site. The guest user receives a UPN containing #EXT#, but the mail attribute of the guest object always contains the invited address, and this is stored as the SMTP address.

If we now create the user as part of the migration, or adjust the UPN to the old/migrated domain, this will fail because Entra ID Connect or Entra ID reports that the SMTP address is already in use (by the guest object).

Due to these restrictions, it is necessary to check the use of guest accounts in the target tenant as preparation and to take the following measures:

  • Check guest users from the source tenant
  • Create lists of guest users
  • Export the authorisations (group/team memberships)
  • Remove the guest users

Example script: export list of guest users with the specific domain:

# Requires the AzureAD module and an authenticated session (Connect-AzureAD) before running.
$domain  = "*@domain.com"            # mail pattern of the source tenant's domain
$csvPath = "C:\Temp\GuestUsers.csv"

# Guest accounts whose Mail attribute (the invited SMTP address) belongs to the source domain
$guestUsers = Get-AzureADUser -All $true | Where-Object {
    $_.UserType -eq "Guest" -and $_.Mail -like $domain
}

$guestUsers |
    Select-Object DisplayName, UserPrincipalName, Mail, MailNickName, UserType, UserStateChangedOn |
    Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8 -Delimiter ";"

Example of how to export the guest user memberships:


# Requires the AzureAD module and an authenticated session (Connect-AzureAD) before running.
$domain                  = "*@domain.com"
$csvPathGuestUsers       = "C:\Temp\GuestUsers.csv"
$csvPathGuestUsersGroups = "C:\Temp\GuestUsersGroups.csv"

# Guest accounts whose Mail attribute belongs to the source domain
$guestUsers = Get-AzureADUser -All $true | Where-Object {
    $_.UserType -eq "Guest" -and $_.Mail -like $domain
}

$guestUsers |
    Select-Object DisplayName, UserPrincipalName, Mail, MailNickName, UserType, UserStateChangedOn |
    Export-Csv -Path $csvPathGuestUsers -NoTypeInformation -Encoding UTF8 -Delimiter ";"

# One row per guest with all group memberships (Teams and SharePoint sites are group-backed)
$results = foreach ($user in $guestUsers) {
    $memberships = Get-AzureADUserMembership -ObjectId $user.ObjectId | Where-Object {
        $_.ObjectType -eq "Group"
    }

    $groupNames = $memberships | Select-Object -ExpandProperty DisplayName
    $groupIds   = $memberships | Select-Object -ExpandProperty ObjectId

    [PSCustomObject]@{
        DisplayName        = $user.DisplayName
        UserPrincipalName  = $user.UserPrincipalName
        Mail               = $user.Mail
        UserType           = $user.UserType
        Groups             = $groupNames -join ";"
        GroupIDs           = $groupIds   -join ";"
    }
}

$results | Export-Csv -Path $csvPathGuestUsersGroups -NoTypeInformation -Encoding UTF8 -Delimiter ";"
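The last measure in the list, removing the guest users, as an added example that is not part of the original post. It reads the guest export produced above, re-checks each account against the live directory before deleting it, refuses to run until the membership export exists, and supports -WhatIf. The function name, parameters and the AzureAD cmdlets used are assumptions consistent with the scripts above (an authenticated Connect-AzureAD session is required).

```powershell
# Added example, not from the original post. Assumes the AzureAD module and an active Connect-AzureAD session.
function Remove-ExportedGuestUsers {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,                       # GuestUsers.csv from the list script
        [Parameter(Mandatory)] [string] $Domain,                        # e.g. "*@domain.com", same pattern as above
        [string] $MembershipCsvPath = "C:\Temp\GuestUsersGroups.csv"    # GuestUsersGroups.csv from the membership script
    )

    # Do not delete anything until the permissions have been exported (see Summary).
    if (-not (Test-Path $MembershipCsvPath)) {
        throw "Membership export '$MembershipCsvPath' not found; export the group memberships first."
    }

    $exported = Import-Csv -Path $CsvPath -Delimiter ";"
    foreach ($row in $exported) {
        # Look the account up again by UPN so the decision is based on the live directory, not on the CSV.
        $user = Get-AzureADUser -Filter "userPrincipalName eq '$($row.UserPrincipalName)'"
        if (-not $user) {
            Write-Warning "Not found (already removed?): $($row.UserPrincipalName)"
            continue
        }

        # Guard against deleting a member account or a guest from another domain.
        if ($user.UserType -ne 'Guest' -or $user.Mail -notlike $Domain) {
            Write-Warning "Skipping $($user.UserPrincipalName): UserType=$($user.UserType) Mail=$($user.Mail)"
            continue
        }

        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Remove guest user")) {
            Remove-AzureADUser -ObjectId $user.ObjectId
        }
    }
}

# Dry run first; drop -WhatIf (and confirm the prompts) to actually delete.
Remove-ExportedGuestUsers -CsvPath "C:\Temp\GuestUsers.csv" -Domain "*@domain.com" -WhatIf
```

Removed accounts stay in the Entra ID recycle bin for 30 days, so a guest deleted by mistake can still be restored within that window.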

Summary

To prevent the guest user duplicate error from occurring during the migration, the guest users in the target tenant must be removed. Before doing so, however, it is highly recommended to export their permissions (group memberships): in most cases the future internal users will need access to the same teams and SharePoint sites again, and restoring that access in a planned way reduces the number of tickets and requests.