Lotus Notes to Microsoft 365 Migration Guide


This is the complete onboarding task flow for migrating mailboxes from On-Premises Lotus Notes, or On-Premises Lotus Domino, to Microsoft 365. 

There are some tools and resources that will make the migration easier. We suggest reading through the following information and linked guides before beginning your migration. 

First migration?

We’ve created a guide to scoping, planning, and managing the migration process for your use. If this is your first migration, we recommend reading this guide carefully.


MigrationWiz is a migration tool, not a syncing tool. If changes are made at the source after migration, they will not sync to the destination, nor will changes made at the destination sync to the source. We do not have “live” monitoring of changes (as with a sync agent) and we cannot handle scenarios such as conflict resolution without user interaction.

MigrationWiz supports the capability to share migration projects across a Workgroup. When the Project Sharing feature is turned on, all Agents besides those who are Inactive can view all migrations projects. 

We are not able to support migrations with two-factor or multifactor authentication. 

App passwords are not supported for the Microsoft 365 endpoint. 

The maximum file size for migration through MigrationWiz varies by migration type and environment, but may never exceed 60GB.

Lotus Notes

Lotus Notes requires local software installation to use MigrationWiz, as there are no remote APIs for the messaging system. The Lotus Extractor is a small console application (a standalone .exe file) responsible for extracting data from the Domino server and securely streaming this data to the MigrationWiz platform. The steps and requirements to install this extractor are included in the Prepare the Source Environment section of this guide. After installing the Lotus Notes Extractor, you can then manage the migration from the MigrationWiz web portal (e.g., to stop/start migrations, view statistics, etc.).

Lotus Notes (Domino Server) 6.5+ - 9.0.1 

What items are and are not migrated?


  • Inbox
  • Folders
  • Email
  • Contacts
  • Calendars
  • Tasks

Not Migrated

  • Lotus Distribution Groups
  • All Documents view
  • Lotus Mail Groups
  • Journals
  • Items in the Trash folder
  • Resources field inside a Calendar event
  • Task alarms & reminders

Prepare the Source Environment

Set up administrator account

Set up an administrator account for migration on the Domino server. A single administrative account will be used to migrate all mailboxes. This means there is no need to specify a password for each user's mailbox.

  1. Open Notes/Domino Administrator.
  2. Select the server where the mailboxes are located.
  3. Go to the Files tab.
  4. Select the folder containing the mailboxes and right-click on it.
  5. Go to the menu to manage access control.
  6. Select the user to be used to perform the migration.
  7. Grant this account sufficient rights to access the mailboxes.

The administrator account will need to have the following included for permissions applied to each .nsf file being migrated as well as the Public address book (names.nsf):

  • Access: Manager
  • Delete Documents: Enabled (This is not a default permission, and must be manually selected, or your Domino server will run out of space very quickly.)

Perform mailbox cleanup

  • Mailboxes should be emptied of unneeded/unsupported data.
  • Old/unwanted email (this will reduce the time for migration.)
  • Large attachments (any attachment larger than 150MB will not be migrated.)
  • Unwanted mailboxes should be archived/deleted according to company compliance policies.

Synchronize address books

Synchronize users' personal address books on the Lotus Domino server. Lotus Notes contacts are stored locally on the users’ hard drives, in a local .nsf file. In order to migrate them, each user must synchronize their personal address book on the Lotus Domino server before the migration begins.

We recommend that you send an email to all users with instructions on how to synchronize their personal address books.

For Lotus Notes 8+ - 9.0.1

Lotus Notes versions after 9.0.1 are not supported.

Each user must proceed with the following on their own machine.

To synchronize contacts manually:

  1. Start the Lotus Notes client and open its session.
  2. From the File menu, select Preferences.
  3. Under the Contacts section, checkmark Enable "Synchronize Contacts" on the Replication and Sync tab.
  4. Click OK.
  5. From the Tools menu, select Replicate and Sync All.
  6. Click Open > Replicationor if Open List is docked, click the Replication icon.
  7. Make sure that there is a checkmark next to Synchronize Contacts in the Enabled column and click Start Now.

To synchronize contacts automatically:

  1. Open the Schedule.
  2. Set your Replication Schedule options and define when the replication should occur, when the client starts or is shut down, and click OK.

Then, under Schedule, select Enable Scheduled Replication for it to take effect.

For Lotus Notes 6 and 7:

Each user must proceed with the following on their own machine:

  1. Start the Lotus Notes client and open its session.
  2. From the Actions menu, select Synchronize Address Book.​​

Set up the Lotus Notes Extractor

The Lotus Extractor requires that you have the .NET Framework version 4.6.1 or later installed on the computer on which you install and run the Extractor. To determine the .NET Framework version currently installed, follow instructions provided by Microsoft: How to: Determine Which .NET Framework Versions Are Installed. The Lotus Extractor will require ports 80 and 443 to be open.

Do not deploy Lotus Extractor on a machine on which the Domino Server is deployed. Do not deploy more than one instance of Lotus Extractor on the same machine.

Running the Extractor now will result in a message that the Extractor is unable to find a mailbox connector. This is an expected message and is not a problem for this step.

Follow these steps on each machine that will run a Lotus Extractor:

  1. Install the Lotus Notes client on the machine (or virtual machine).
  2. Open the Lotus Notes client and log in with the same administrative account that was set up for migration.
  3. Retrieve the ID file for the administrative account being used for migration and copy it to the machine (or virtual machine).
  4. Ensure that the Internet proxy settings are correct on the machine (or virtual machine). If you are unable to connect to the internet with this option disabled, contact the network administrator to allow the Lotus Extractor.
  5. Close the Lotus Notes client. This will release the lock taken by the Lotus Notes client on the notes.ini file.
  6. Install the Lotus Extractor. It is available for download here.
  7. Once installed, start the Lotus Extractor.
  8. Each Lotus Extractor displays a unique identifier called Lotus Extractor Identifier, which is located near the top of the .exe window. See the screenshot below. Copy this identifier, because it will be needed later, during the migration configuration.


  9. Enter your BitTitan account username and password.
  10. Enter the password of the Lotus Notes administrative account that was created for migration.

Each Lotus Extractor can simultaneously migrate up to 15 mailboxes. Therefore, once you have set up your MigrationWiz mailbox migration projects, you should go into Advanced Options and set the number of concurrent migrations to 15. 

Deploy each Lotus Extractor within the same Local Area Network where its target Lotus Domino server is located. Do not deploy a Lotus Extractor on a machine on which the Lotus Domino server is deployed. In the case of clustered Domino servers set up with replication enabled, a single Domino server has to be selected as a source of data for all migration activities using MigrationWiz.

Do not deploy more than one Lotus Extractor on the same machine. Do not stop a running Lotus Extractor. Leave the console window open; the migration will start automatically after the last step of the configuration. After authenticating, the Lotus Extractor will generate a CSV file named "LotusExtractor.csv". This can be used to bulk add users within your MigrationWiz project. 

The Lotus Extractor works with the Lotus Client to create a list of all users.  On initial startup, the Lotus Extractor will generate a CSV file named "LotusExtractor.csv" that can be used to bulk import mailboxes for migration into MigrationWiz. This file is automatically generated in the same directory as the Lotus Extractor executable. If the file already exists, it will not be regenerated when opened. If you need to generate a new CSV file, delete the existing one, and restart the Lotus Extractor.

Prepare the Destination Environment

Create Administrator Account

Create a Global Administrator or a delegated admin with full access rights or permissions account in Microsoft 365 to be used for migration or use the Global Administrator or delegated admin with full access rights or permissions account for the tenant. In order to have administrative permissions to migrate mailbox data, grant the account permissions on each mailbox.

  • Having administrative access to the Microsoft 365 control panel to manage users does not mean the same account has permissions to access all mailboxes for migration.
  • Having delegated admin access to accounts does not provide enough access.

Enabling an administrative account the ability to access Microsoft 365 user mailboxes can be performed by adding the Impersonation role or Full Access mailbox permissions.  The below steps will explain how to configure the permissions access for both options. Microsoft 365 does NOT allow Impersonation for Small Business plans.

Note: The remote PowerShell commands below can take several minutes to complete.

  1. Make sure you are using a global admin account to perform these steps
  2. Click the Windows Start button.
  3. Search for Windows PowerShell (PowerShell should already be installed).
  4. Start PowerShell under an administrator context (right-click -> run as administrator).
  5. Run the following PowerShell commands one at a time:
    Set-ExecutionPolicy Unrestricted$LiveCred = Get-Credential

    Install-Module -Name ExchangeOnlineManagement
    Import-Module -Name ExchangeOnlineManagement
    Connect-ExchangeOnline -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred


    The Enable command may take a long time to run and may error out. If so, wait a few minutes and run it again.
    New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User admin@domain.com
  • Make sure to replace "admin@domain.com" in the PowerShell command above with the admin account being used for migration.
  • Ignore any errors such as "This operation is not available in current service offer."
  • Ignore any errors such as "The assignment of the management role 'ApplicationImpersonation' [...] won't take effect until user is migrated."


Using impersonation, it is possible to stop sharing the throttling quota and connection limits associated with a single administrative account. ​Instead, the throttling quota of each user is used to log in to each user mailbox.

Using impersonation means:

  • Eliminating most "Connection did not succeed" errors
  • Allowing migration of more mailboxes concurrently
  • Reducing the impact of throttling and connection limits
  • Using an admin account without assigning a license to it

Full Access

To manually grant administrative access for migration, execute the following remote PowerShell commands: 

Note: The remote PowerShell commands below can take several minutes to complete.

  1. Make sure you are using a global admin account to perform these steps
  2. Click the Windows Start button.
  3. Search for Windows PowerShell (PowerShell should already be installed).
  4. Start PowerShell under an administrator context (right-click -> run as administrator).
  5. Run the following PowerShell commands one at a time:
  6. Run the following PowerShell commands one at a time:
    Set-ExecutionPolicy Unrestricted$LiveCred = Get-Credential

    Install-Module -Name ExchangeOnlineManagement
    Import-Module -Name ExchangeOnlineManagement
    Connect-ExchangeOnline -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred

    Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -Automapping $false
  • The command to grant Full Access rights needs to be applied each time a new mailbox is created since permissions are set directly on each mailbox. The administrative account will not have access until the permissions are applied.
  • In the script above, the username "MigrationWiz" should be replaced with the name of the administrative account that was set up, by following the instructions in this Knowledge Base article.
  • This username is the Administrative Username that needs to be entered under the project's Source or Destination settings, within MigrationWiz, when checking the box labeled Use Administrative Login.

 Create and License User Accounts

 Set up accounts on Microsoft 365 and assign licenses. These can be created in several ways:

Modern Authentication Requirements

Exchange Online EWS Modern Authentication Requirements (click on this box to expand required steps)

The steps listed below apply to both the source and/or destination tenant when they are Exchange Online, in regards to Exchange Web Services (EWS) in mailbox, archive mailbox, and public folder projects. Use a Global Administrator for the configuration steps.


For setup steps that include images, see under Enabling Modern Authentication for EWS between MigrationWiz and your Exchange Online Tenant in the following KB: Authentication Methods for Microsoft 365 (All Products) Migrations

Important: Failure to perform the steps for your Microsoft 365 endpoints, can result in failed jobs with 401 errors like the following in your project: Http POST request to 'autodiscover-s.outlook.com' failed - 401 Unauthorized

The administrator account being used for the project needs to be excluded from any MFA/2FA policies or Conditional Access policies that can block access for the administrator account. This requirement does not apply to the items or users being migrated in the project.

Configuring Modern Authentication to work with MigrationWiz for mailbox, archive mailbox, and public folder projects in Exchange Online is now the default method after Microsoft discontinued support for Basic Authentication in Exchange Online after December 2022. The following Microsoft documentation outlines this change in more detail. Should you have additional questions on how this change may impact your tenant, please contact Microsoft to assist with providing that information: Deprecation of Basic authentication in Exchange Online

The Azure Security Defaults must also be disabled in the tenant. (This is often enabled by default for all new Exchange Online tenants and there is no workaround for this requirement). For steps on where to enable/disable the Azure Security Defaults, see Enabling security defaults in the following Microsoft documentation. To disable, set Enable Security defaults to No: Security defaults in Azure AD

Modern Authentication Steps
  • Log in to the Azure AD admin console with a Global Administrator login.
  • Select Azure Active Directory in the Azure Active Directory Admin Center.
  • Select App Registrations, which is found under Manage.
  • Select New Registration at the top of the screen.
  • Give the app a distinct name. You can change this later if necessary.
  • Select the Accounts in any organizational directory button.
  • Under Redirect Uri, select Public Client (mobile & desktop) and set it to urn:ietf:wg:oauth:2.0:oob
  • Click Register.
  • Go back to App registrations.
  • Select the App you just created.
  • In the Overview, you will find a ClientId (aka Application) and Directory (Tenant) ID.
  • Copy both of these to another application, such as Notepad, for use later in this process.
  • Under the Manage menu, select Authentication.
  • Set the option Allow public client flows to Yes
  • Click Save.
  • From the Manage menu, select API permissions.
  • If API permission named User.Read under Microsoft Graph is already present, this can be removed. The Microsoft Graph API is not applicable to this project type and is not used.
  • Select Add a Permission.
  • Select APIs my organization uses

  • Scroll down and select Office 365 Exchange Online

  • Then select Delegated Permissions

  • Select EWS

  • Check the box under EWS for EWS.AccessAsUser.All.
  • Click Add permissions. This permission only allows the OAuth application (MigrationWiz) to be associated with EWS.
      • Important: This does not grant access to all mailbox data.
  • Click Grant admin consent.
  • Click Yes to confirm the settings.
  • In MigrationWiz, select the project that needs to be configured for Modern Authentication.
  • Click the Edit Project menu.
  • Select Advanced Options.
  • Under Support Options enter the ClientID and TenantID information you saved earlier in the following format:
    • If enabling Modern Authentication for the Source:
      • ModernAuthClientIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      • ModernAuthTenantIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • If enabling Modern Authentication for the Destination:
      • ModernAuthClientIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      • ModernAuthTenantIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 
        • Enter the specific ClientID and TenantID for your tenant in place of the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
        • These options can be entered for either the Source or the Destination, or both, depending on the settings on the tenants.
        • These options need to be configured for each MigrationWiz project that needs to have Modern Authentication enabled.

  • Run a Verify Credentials to confirm that MigrationWiz can connect using Modern Authentication. 
  • Click on the item that was verified. There will be a message in the MigrationWiz Migration Information page that Modern Authentication is being used. This message will show in the “Migration Errors” box; however, it is not an error. This is just a message confirming that Modern Authentication is now active and being used for the connection.

Prepare the tenant to send & receive large items

We do not impose any limit on item/attachment sizes. However, it is possible for large items/attachments to fail to migrate because of external factors.  There are two considerations:​

  1. What is the maximum attachment size allowed by the Destination system? 
    • Most email systems impose size limits. For example, if the Destination system has a 30MB limit, any item/attachment larger than 30MB will fail to migrate.
  2. What is the connection timeout for the Source and Destination system? 
    • ​​For security reasons, most email systems close opened connections after a predetermined amount of time. For example, if the Destination system only has 512Kbps of network bandwidth and closes connections after 30 seconds, we may be unable to transfer large items/attachments before the connection is closed.

MigrationWiz will automatically make multiple attempts to migrate large items. Upon completion of a migration, you may resubmit it in error retry mode to try to migrate failed items. This is always free of charge.:

When migrating from or to Office 365 use the steps provided here to increase the Max Send and Max Recieve quotas, Change message size limits in Office 365.

MigrationWiz Steps

Create a Mailbox Migration project

You will need to create one project per Lotus Notes Extractor. The server for each Source Server Name will be the Lotus Notes Identifier from the Lotus Extractor.

  1. Click the Go to My Projects button.
  2. Click the Create Project button.
  3. Click on the type of project that you wish to create. For this migration:
    • Mailbox: Mailbox projects are used to migrate the contents of the primary user mailbox from the previous environment to the new environment. Most mailbox migrations can migrate email, calendars, and contacts.

For mailbox migrations, use administrative credentials to access mailboxes​. In most migration scenarios, the admin account needs to have full access rights to the Source mailboxes. 

  1. Click Next Step.
  2. Enter a Project name and select a Customer.
  3. Click Next Step.

Create Endpoints

During the migration setup, create the Source and Destination endpoints.

Endpoints are now created through MigrationWiz, rather than through MSPComplete. The steps for this section outline how to create the endpoints in MigrationWiz.

If you are selecting an existing endpoint, keep in mind that only ten endpoints will show in the drop-down. If you have more than ten, you may need to search. Endpoint search is case and character specific. For example, Cust0mer will not show up if the search is customer. We recommend keeping a list of endpoints you have created, along with any unique spellings or capitalization you may have used.

    • For the Source endpoint:
      1. Click New.
      2. Enter the endpoint name.
      3. Endpoint type: Lotus Notes 6.5+.
      4. In the Server Name field, enter the Lotus Extractor Identifier.
        • Create separate Source endpoints for each Extractor that you set up. These will be used when setting up your MigrationWiz projects. You will be setting up one MigrationWiz project per Extractor.
        • The Lotus Extractor Identifier was generated when setting up your Lotus Extractor(s) and is at the top of the Lotus Extractor window.
    • For the Destination endpoint:
      1. Click New.
      2. Endpoint type: Microsoft Office 365.
      3. Click the Provide Credentials radio button and enter the administrator account credentials for the account that was set up under the "Prepare the Destination Environment" section of this guide.

Add Accounts

Add the accounts (also referred to as "items") to be migrated to the project. You can use the LotusExtractor.csv that was generated when setting up the Lotus Extractor to bulk add the users. You can edit the .csv before using it to bulk import. 

This generated file contains all identified user email addresses from the Domino Directory. Our Lotus Notes migration solution requires administrative credentials, so the “Source Username” and “Source Password” fields will not be used in either the LotusExtractor.csv or the Bulk Upload option within MigrationWiz.


  1. Open the folder where the Lotus Extractor has been installed.
  2. Locate the LotusExtractor.csv file.
  3. Copy the LotusExtractor.csv file to the desktop or another location.
  4. Open the copy of the LotusExtractor.csv file from the save location.
  5. Find the column titled Source Email.
  6. Delete all columns except the Source Email column.
  7. Make sure that all the email addresses in the Source Email column are the ones to be included in the migration.
    Note: Email addresses can be added or removed from this column without affecting the Lotus Extractor.
  8. Save the file.

This can then be copied into the Bulk Add form.

Purchase licenses

We recommend that you purchase the User Migration Bundle license for this migration scenario. User Migration Bundle licenses allow multiple types of migrations to be performed with a single license. They also allow DeploymentPro to be used to configure Outlook email profiles. For questions on licensing, visit MigrationWiz Licenses

To purchase licenses:

  1. Sign in to your BitTitan account. 
  2. In the top navigation bar, click Purchase.
  3. Click the Select button and choose User Migration Bundle licenses.
  4. Enter the number of licenses you want to purchase. Click Buy Now.
  5. Enter a Billing address if applicable.
  6. Click Next.
  7. Review the Order Summary and enter a payment method.
  8. Click Place Your Order.

To apply licenses

  1. Select the correct workgroup on the top of the left navigation pane.
    Note: This is the workgroup that the customer and migration project were created under. Your account must be part of the workgroup and project sharing must be enabled, if the project was not created under your account. For more information see Add and Edit Workgroups and Project Sharing in MigrationWiz.
  2. Click the project that requires licenses to be applied.
  3. Check the box to the left of the email for the user(s) to whom you want to apply a User Migration Bundle license.
  4. Click the More menu (3 stacked lines) at the top of the project page.
  5. Click Apply User Migration Bundle License.

Set the Project Advanced Options

    • The following options are most valuable for this migration scenario:
      • Set Maximum concurrent migrations. This should be set to 15. Each Lotus Extractor can simultaneously migrate up to 15 mailboxes only.
      • Set the project to use impersonation at Destination by checking the Use impersonation to authenticate box.
      • Add the following Support Options:
        Note: This is used if Lotus Notes is configured to use rich text formatting (RTF) by default. This ensures proper MIME conversion of the formatted text.
      • If RecipientMapping is being used, we strongly recommend defining fewer than 200 RecipientMapping items, otherwise migration may fail.

Run Verify Credentials

  1. Open the Project containing items you wish to validate​.
  2. Select the items you wish to validate.
  3. Click the Start button in your dashboard.
  4. Select Verify Credentials from the drop-down list.

Once complete, the results of the verification will be shown in the Status section.​ 

Begin migration

Notify users

Send email to end users to let them know what to expect for their Outlook profile reconfiguration. 

Pre-Stage pass

  1. Select the users you wish to migrate.
  2. Click the Start button from the top.
  3. Select Pre-Stage Migration.
  4. Under the Migration Scheduling section, from the drop-down list, select 90 days ago.
  5. Click Start Migration.

MX Record Cutover

Change over MX records on the DNS provider's portal.

Also, include the AutoDiscover (CName) setting.

Full (Delta) pass

  1. Select the users.
  2. Click the Start button from the top.
  3. Select Full Migration.
  4. Click Start Migration.

Run Retry Errors

Look through the user list and click any red "failed migration" errors. Review the information and act accordingly.

If problems persist, contact Support. In order to determine the issues that were encountered while migrating your mailboxes from Lotus Notes, you will need to provide us with certain information that was collected during the migration process. For all Lotus Notes migration issues, provide the log files with your Support request. The required log files are LotusExtractor.log, Coordinator.log, and Heartbeat.log. The log files are located in C:\Users\UserName\AppData\Local\BitTitan.

Nnavigate to %LOCALAPPDATA%\BitTitan​ on the Extractor machine processing the migration, and locate all files starting with the following:

  • Coordinator
  • ​LotusExtractor
  • Migrator​​​​​

Add the log files to a zip file, and attach them to the support request.​ Archive and send that to Support.

Cannot Resolve Email Addresses

Sometimes we cannot resolve the email addresses provided by Lotus Notes. It happens when a user no longer exists in the Domino Directory (for instance, he/she may have left the company) or when the Domino Directory cannot convert the address.

In that case, we use the values returned by the Notes API to try to provide the most relevant information. The results may look like:

  • CN=John/O=Company@Domain
  • John Doe/Company@Domain
  • John Doe
  • John Doe <johndoe@company.com>
  • johndoe@company.com

Request Statistics

Click the pie chart icon in the MigrationWiz dashboard to receive an email containing all the project migration statistics.

Was this article helpful?
5 out of 5 found this helpful