Exchange 2007+ (Hosted and On-Premises) to Microsoft 365 Migration Guide

This article will guide you through the steps for migrating mailboxes from Hosted and On-Premises Exchange servers (versions 2007 and later) to Microsoft 365.

App passwords are not supported for the Microsoft 365 endpoint. 

We strongly recommend that you use HealthCheck for Microsoft 365 before beginning the migration to see if the end user hardware and software is compatible with Microsoft 365. HealthCheck for Microsoft 365 is a free utility. 

This migration guide contains the necessary steps to perform the actual migration, but there are many steps to preparing for migration. If this is your first time performing a migration, we have created a Migration Planning & Strategy Guide to walk you through planning, set-up, and general migration best practices.

What items are and are not migrated?

Migrated

  • Inbox
  • Folders
  • Email
  • Contacts
  • Calendars
  • Tasks
  • Journals
  • Notes
  • BCC Recipients
  • Post (when the destination is Exchange or Microsoft 365)

Not Migrated

  • Email templates
  • Email flags (if the destination is G Suite)
  • Safe Sender/Block Lists
  • Mail Settings
  • Standalone documents stored in Mailbox Folders or Public Folders (Example: IPM.Document item types)
  • System Public Folders
  • StickyNote folders
  • Public Folder Permissions

MigrationWiz is a migration tool, not a syncing tool. If changes are made at the source after migration, they will not sync to the destination, nor will changes made at the destination sync to the source. We do not have “live” monitoring of changes (as with a sync agent) and we cannot handle scenarios such as conflict resolution without user interaction.

We are not able to support migrations with two-factor or multifactor authentication. 

Maximum individual file size is 60GB.

Creating and Configuring Permissions

The below sections will explain how to create an admin account and configure access permissions for an administrative account to access the end user's mailboxes within the source environment. Please review the section that best represents your environment.

Exchange 2007+

If you are migrating from an Hosted Exchange provider, ask the provider to create an account for migration purposes (e.g., named MigrationWiz) and grant full access rights to each mailbox, by running this PowerShell script against the account called MigrationWiz:

Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -User MigrationWiz

    • Some Hosted Exchange providers allow this access to be granted via their web portal. In this case, you could log in to each mailbox via their portal and then grant the migration account (e.g., MigrationWiz) to have read/write access to each mailbox. This is laborious and time-consuming, and so it is preferable that the Hosted Exchange provider run the PowerShell script above, particularly if you have a large number of users.
    • Some Hosted Exchange Providers will not grant this access. If that is the case, then you can request credentials from your end users during the migration. Exact steps for this are provided under Option 2 in article What credentials are needed to migrate from Hosted Exchange?

Exchange 2010+ (using Impersonation)

If this is a very large project, the best results will be achieved by setting the project to use impersonation at the Source.

MigrationWiz uses delegation by default to log in to individual user mailboxes using administrative credentials specified on the connector. However, MigrationWiz also supports another elevated access mode called impersonation.

Benefits:

Using impersonation, it is possible to stop sharing the throt​tling quota and connection limits associated with a single administrative account. Instead, the throttling quota of each user is used to log in to each user mailbox.

Using impersonation means:

  • Eliminating most "Connection did not succeed" errors
  • Allowing migration of more mailboxes concurrently
  • Reducing the impact of throttling and connection limit

To enable the admin account to impersonate users, run this PowerShell command:

New-ManagementRoleAssi​gnment -Role ApplicationImpersonation -User <admin_user_name>

More information about this PowerShell command can be found here.

Confirming Access

The below sections will explain how you can locate your OWA URL and test EWS access for your environment. This information will ensure that your migration project is configured properly and will help to prevent failures when performing the migration. Find your OWA URL

  1. When setting up Exchange as an endpoint, enter either the OWA URL or the EWS URL.
  2. There are some instances in which the login page for OWA is different than the actual OWA URL for the mailbox, as you may get redirected to a different server after logging in. To determine the true OWA URL, perform the following:
  3. Close all browser instances. This ensures that all session state browser cache is flushed.
  4. Open a new browser instance.
  5. Navigate to your OWA login page.
  6. Log in to OWA.
  7. Once you see the inbox, copy the URL from the navigation bar of the browser. This is the exact OWA URL that should be entered into MigrationWiz​.
  • Example URLs for OWA:
    • https://www.mining88.com
    • https://www.mining88.com/owa
    • https://www.mining88.com:443
    • https://50.249.230.12/owa

Another method for determining the OWA URL is to use the "whatismyipaddress" website to determine the company public IP address, and then add /owa to the end of it.

Now that your OWA URL has been determined, we need to ensure that the username and password combination work. The username and password that you use to log in to OWA is the exact same username and password that you should be entering into MigrationWiz. To determine if your username and password is working, perform the following:

  1. Close all browser instances. This ensures that all session state browser cache is flushed.
  2. Open a new browser instance.
  3. Navigate to the same OWA login page as determined by Step 5 above.
  4. Log in to OWA. Pay special attention to the login name, i.e.​,:
  5. Email address means "user@example.com" format.
  6. Domain\user name means "example\user" format.
  7. User name means "user" format.
  8. Once you see the inbox, you have successfully logged into OWA.  Enter the exact same username and password used into MigrationWiz.

Verify mailbox accessibility using EWS

It may be necessary to first grant permissions.

  1. Browse to https://testconnectivity.microsoft.com. This is a Microsoft-owned tool.
  2. If using Microsoft 365, click on the Office 365 tab.
  3. Select Service Account Access (Developers) and click Next.
  4. Specify the target mailbox email address.
  5. Specify the service account user name (if using admin credentials on the connector, enter the exact same user name).
  6. Specify the service account password (if using admin credentials on the connector, enter the exact same password).
  7. Check Specify Exchange Web Services URL and specify the URL (example: https://server/EWS/Exchange.asmx).
  8. If using Exchange Server, do not check Use Exchange Impersonation. If you are using Microsoft 365, and using impersonation, do check the box.
  9. Check Ignore Trust for SSL.
  10. Click Perform Test.
  11. Once results are displayed, check the overall result, and also click Expand All.

Throttling

The below section will explain how to remove the throttling policy within your Exchange environment. Removing the throttling policy will help with the performance of your migration.

  • Some Hosted Exchange providers will not allow you to alter the throttling policies with your instance.
  • Removing the throttling policy will allow for a higher through-put of migrated datat, however, this can impact server resources. Please pay close attention to the server resources when performing your migration and determine if your throttling policy needs to be change to maintain a healthy server resource level.

Disable throttling EWS Throttling policy

  1. To disable all throttling parameters for all mailboxes:
  2. Open the Exchange Management Shell.
  3. Type the following command and press Enter: New-ThrottlingPolicy MigrationWizPolicy
  4. Type the following command and press Enter: Set-ThrottlingPolicy MigrationWizPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null -CPAMaxConcurrency $null -CPAPercentTimeInCAS $null -CPAPercentTimeInMailboxRPC $null -CPUStartPercent $null
  5. Enter the following command and press Enter: Set-Mailbox "MigrationWiz" -ThrottlingPolicy MigrationWizPolicy
  6. The steps above will remove throttling policies against all user accounts at your Source. You still need to enable impersonation within your MigrationWiz project, so that the admin account can impersonate the user accounts during migrations, and so that the migratons use the bandwidth available to the individual user accounts, rather than just the bandwidth available to the admin account. Follow the directions in the Help Center article Impersonation and Delegation to enable this.

Preparing the Destination

Create Administrator Account

Create a Global Administrator or a delegated admin with full access rights or permissions account in Microsoft 365 to be used for migration or use the Global Administrator or delegated admin with full access rights or permissions account for the tenant. In order to have administrative permissions to migrate mailbox data, grant the account permissions on each mailbox.

  • Having administrative access to the Microsoft 365 control panel to manage users does not mean the same account has permissions to access all mailboxes for migration.
  • Having delegated admin access to accounts does not provide enough access.

Enabling an administrative account the ability to access Microsoft 365 user mailboxes can be performed by adding the Impersonation role or Full Access mailbox permissions.  The below steps will explain how to configure the permissions access for both options.

Impersonation

To enable the admin account to impersonate users, run the below PowerShell command:

$cred = Get-Credential

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection

Import-PSSession $session

Enable-OrganizationCustomization

New-ManagementRoleAssi​gnment -Role ApplicationImpersonation -User <admin_user_name>

Remove-PSSession $session

More information about this PowerShell command can be found here.

  • Microsoft 365 does NOT allow Impersonation for Small Business plans.
  • MigrationWiz uses delegation by default to log in to individual user mailboxes using administrative credentials specified on the connector. 

It is highly recommended to use impersonation when migrating from or to Microsoft 365.

Benefits

Using impersonation, it is possible to stop sharing the throttling quota and connection limits associated with a single administrative account. ​Instead, the throttling quota of each user is used to log in to each user mailbox.

Using impersonation means:

  • Eliminating most "Connection did not succeed" errors
  • Allowing migration of more mailboxes concurrently
  • Reducing the impact of throttling and connection limits
  • Using an admin account without assigning a license to it

Full Access

To manually grant administrative access for migration, execute the following remote PowerShell commands: 

$cred = Get-Credential

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection

Import-PSSession $session

Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -Automapping $false -User MigrationWiz

Remove-PSSession $session

  • The command needs to be applied each time a new mailbox is created since permissions are set directly on each mailbox. The administrative account will not have access until the permissions are applied.
  • In the script above, the username "MigrationWiz" should be replaced with the name of the administrative account that was set up, by following the instructions in this Knowledge Base article.
  • This username is the Administrative Username that needs to be entered under the project's Source or Destination settings, within MigrationWiz, when checking the box labeled Use Administrative Login.

 Create and License User Accounts

 Set up accounts on Microsoft 365 and assign licenses. These can be created in several ways:

Licensing

We recommend that you purchase the User Migration Bundle license for this migration scenario. User Migration Bundle licenses allow multiple types of migrations to be performed with a single license. They also allow DeploymentPro to be used to configure Outlook email profiles.

    1. Sign in to your BitTitan account.
    2. In the top navigation bar, click Purchase.
    3. Click the Select button and choose the license type you need.
    4. Enter the number of licenses you want to purchase. Click Buy Now.
    5. Enter a Billing address if applicable.
    6. Click Next.
    7. Review the Order Summary and enter a payment method.
    8. Click Place Your Order.

Apply licenses

    1. Select the correct workgroup on the top of the left navigation pane. This is the workgroup that the customer and migration project were created under. Your account must be part of the workgroup if the project was not created under your account.
    2. On the left navigation pane, click Customers.
    3. Click the customer that employs the user to whom you want to apply a User Migration Bundle license.
    4. Click the Users tab at the top of the page.
    5. Check the box to the left of the email for the user(s) to whom you want to apply a license.
    6. Click the Apply User Migration Bundle License button at the top of the page. It is recommended that users be added to the Customer page with the vanity domain. Then have the User Migration Bundle Licenses applied, before editing to show the .onmicrosoft domain, if the .onmicrosoft domain will be used for the migration.
    7. If there is at least one unassigned User Migration Bundle license available for each selected user, click Confirm. Important: If there are no User Migration Bundle licenses currently available to be assigned and your role in the workgroup is Manager or higher, the form that appears provides all the necessary information and will walk you through the steps of purchasing User Migration Bundle licenses.

MigrationWiz Steps

Create a Mailbox Migration Project

  1. Click Go To My Projects.
  2. Click Create Project.
  3. Select a Mailbox migration type. Mailbox projects are used to migrate the contents of the primary user mailbox from the previous environment to the new environment. Most mailbox migrations can migrate email, calendars, and contacts.
  4. Click Next Step.
  5. Enter a Project name and select a Customer.
  6. Click Next Step.
  7. Select a Source Endpoint from the Endpoint drop-down menu. If an Endpoint has not been created, click New and provide the requested information in the Endpoint creation flyout window.
  8. Select a Destination Endpoint from the Endpoint drop-down menu. If an Endpoint has not been created, click New and provide the requested information in the Endpoint creation flyout window.
  9. Click Save and Go to Summary.

Add Accounts (Items)

Add the accounts that will be migrated, also referred to as items, to a project using one of the following options:

  • Quick Add: This option allows you to add items o​ne at a time. You have to enter an email address, login name, and password for each user if you didn't enter administrative credentials when setting up the project. You only have to provide an email address if you entered administrative credentials when setting up the project.
  • Autodiscover Items: MigrationWiz detects the mailboxes directly at the Source using Autodiscover. For more information, refer to Adding & Managing Items for Migration.
    • For mailbox migrations, this feature is only supported when the Source is Exchange 2007 or later.
    • This feature is not supported for in-place archive migration projects, even if the Source is Exchange 2007 or later.
  • Bulk Add: This option allows you to add multiple items at once by copying and pasting from a spreadsheet or by importing a CSV file. The domain names at the Source and at the Destination might be different. Make sure to provide the right information in the project. If they are different, it's best to modify these in your CSV file, and then use the Bulk Add feature to import the users into the dashboard.
    1. Select the Project for which you want to perform the bulk import.
    2. Click Add.
    3. Click Bulk Add.
    4. Follow the instructions on the page.

Set Advanced and Support Options

Advanced Options allow you to choose your notifications, filtering, maintenance, licensing, performance, and some configuration options.

Support Options are advanced configurations that make use of PowerShell or code blocks to provide extra options or resources for your migration.

The following options are the most valuable for this migration scenario:

Recommended Options

The following options are most valuable for Exchange to Microsoft 365 migration scenario:

  • Set to use impersonation at the Source. Checkmark the Use impersonation at Source box. 
  • Set to use impersonation at the Destination. Checkmark the Use impersonation at Destination box. 
  • Set Maximum concurrent migrations. To be very safe, we recommend initially setting this to 5. This means that when all mailboxes are selected and the migration begins, only the first five (5) mailboxes in the list will be migrated (using parallel processing), and then when the first of the five (5) completes, the next in the list will begin migrating, and so on down the list, through to completion of all mailboxes. If the Source server has enough server resources, set this parameter based on the bandwidth guideline of three (3) mailboxes per 1Mbps of bandwidth. Therefore, for example, if there is a 10Mbps connection, we recommend that the maximum concurrent migrations parameter be set to 30.

Run Migration

The following sections will guide you through setting up and launching your migration. Each header is one step, with its component steps below. Follow these steps in order, and read the notes for important information about dependencies or best practices.

Run Verify Credentials

  1. Open the Project containing items you wish to validate​.
  2. Select the items you wish to validate.
  3. Click the Start button in your dashboard.
  4. Select Verify Credentials from the drop-down list.
  5. Once complete, the results of the verification will be shown in the Status section.

Notify Users

Send out the final notification that the migration is beginning. Include when the migration will start, expected duration, any usage instructions during migration, and any expected steps or notifications for the post-migration timeline.

If using DeploymentPro, refer to the sample email for some sample text and screen shots that can be included in this email.

Pre-Stage Pass

  1. Select the users.
  2. Click the Start button from the top, and select Pre-Stage Migration.
  3. Under the Migration Scheduling section, from the drop-down list, select 90 days ago.
  4. Click Start Migration

MX Record Cutover

Change over MX records on the DNS provider's portal. Also, include the AutoDiscover (CName) setting. There are several options for this, based on the size of your project.

Small Projects

Manually set forwards during a migration on a per-user basis, from the individual users' portal. This is only a valid option for a small number of users. Forwards are useful if you are migrating users in batches, and switching some users over to the new Destination before others. Forwards allow for mail coexistence, but not for calendar free/busy coexistence.

  1. Sign in to your account.
  2. Click Settings.
  3. Locate the Forwarding and POP/IMAP tab.
  4. Click Add a forwarding address.
  5. Enter the email address to forward to.
  6. A confirmation email will be sent to the forward mailbox.
  7. Validate the confirmation by logging in to the forward mailbox.
  8. Go back to your account.
  9. Select the forward mode.

We recommend not saving a copy locally, because when you migrate the mailbox to the destination, you will end up with duplicates.

Small to Medium Projects:

Manually set forwards during a migration on a per-user basis, from the admin portal. Forwards are useful if you are migrating users in batches, and switching some users over to the new Destination before others. Forwards allow for mail coexistence, but not for calendar free/busy coexistence.

  1. Sign into your control panel.
  2. Click the Organization & users menu.
  3. Click on the user you wish to provide coexistence for.
  4. Scroll to the bottom of the User information section.
  5. Click on the link Add another destination. A new row should have been added.
  6. Enter the email address of the new mailbox to coexist with. This email address needs to be different than the email address in your source
  7. Make sure both checkboxes are selected (they already are, by default). There is one in front of the row and another under the column called Change SMTP envelope.
  8. Unselect the checkbox in front of the row.
  9. Click Save Changes.

Large Projects  

If you are migrating in batches and coexistence is required, you will not be cutting over the MX records until your final batch of users has been migrated, and you must perform two extra steps:

  1. Set up mail forwarding.
  2. Set up mail routing on Microsoft 365

Forwards for Coexistence

If you are not cutting over an entire domain/organization at once by changing the MX records, you can perform a phased migration and set up coexistence by setting up forwards on the mailboxes you wish to migrate.

This can be done via one of the following methods.

Note: We do not recommend setting up Exchange email contacts and a DNS Internal Relay for this, since this will not allow for any Delta Migration passes to be made afterwards because the mailbox no longer exists.

By PowerShell:

Here is how to do this via PowerShell:

Forward email to internal recipient and DON'T save local copy.

PowerShell command syntax:

Set-Mailbox -Identity <Identity> -ForwardingAddress <Office 365 User Email Address> -DeliverToMailboxAndForward $False

  • Example: Set-Mailbox -Identity John -ForwardingAddress Suzan@o365info.com -DeliverToMailboxAndForward $False
  • Because you set DeliverToMailboxAndForward to false, a copy of the email will NOT be kept in the on-premises mailbox. When setting up forwards, make sure that you do NOT save a local copy before the forward. If you do save a local copy, then when you perform Delta passes, MigrationWiz will migrate the items that it previously hasn’t migrated (and watermarked). This will cause duplicates at your Destination.
  • The email address specified on the 'ForwardingAddress' parameter should exist as a Mail Contact.

Through Exchange Management Console

The first step is to create the forwarding objects in your local Active Directory. These forwarding objects will be hidden from the address book, and will be used purely to forward mail for mailboxes that are migrated. Note that these objects are created but not used until you set the forwarding, so these steps can be done ahead of time.

  1. Download our script to create forwarding objects to a computer that is joined to the domain.
  2. Modify the script in a text editor (like Notepad) and change the forwarding domain in the top of the script to the temporary domain in the new environment, for example, company.onmicrosoft.com.
  3. Run the script. You will know the script is complete when you see a confirmation.

The next step is to set up forwarding for mailboxes prior to migration. Before submitting a mailbox for migration, set the forward by performing the following:

  1. Launch the Exchange Management Console from the Start Menu.
  2. Expand the Recipient Configuration note from the navigation tree.
  3. Click the Mailbox node from the navigation tree.
  4. Right-click on the mailbox to set the forward for and click Properties.
  5. Click the Mailbox Flow Settings tab.
  6. Select Delivery Options and click Properties. Do not select the option "Deliver message to both forwarding address and mailbox". This is important to ensure that Delta passes do not cause duplicates. If you do save a local copy, then when you perform Delta passes, MigrationWiz will migrate the items that it previously hasn't migrated (and watermarked). This will cause duplicates on your Destination.
  7. Click the checkbox Forward to, then click Browse.
  8. Select the name of the user that contains the prefix (External Forward) in the display name. This is the forwarding object created previously. 
  9. Click OK.
  10. Click OK.

Setting up Mail Routing on Microsoft 365

For the setup, use PowerShell, because it is faster and easier to set up than working through the Microsoft 365 admin portal. If you need information about how to do this through the Microsoft 365 admin portal, contact Microsoft Support.

  1. Connect to Exchange Online PowerShell.
  2. Create the Distribution List (DL):
    New-DistributionGroup -Name "BtNotMigratedUsers"
  3. Add All Users to this DL.
  4. Create the Connector:
    $result = New-OutboundConnector -Name "CBRConnector" -ConnectorType OnPremises -SmartHosts "<fill smart host to source environment>" -UseMXRecord $false -IsTransportRuleScoped $true
    • -SmartHosts entry needs to be set to the URL or IP Address of the Source environment server.
    • On Exchange 2003, 2007, and 2010, this will be the address of the Transport server.
    • On Exchange 2013 and 2016, this will be the address of the Mailbox server, not the Transport server.
    • If the Source environment is Hosted, you would need to obtain this address from the Hosted Provider.
    • If the Source environment is G Suite, you would need to change the -SmartHosts entry to be the following: -SmartHosts “aspmx.l.google.com”
  5. Create Rule:
    $result = New-TransportRule -Name "PilotInABoxRule" -SentToMemberOf "BtNotMigratedUsers" -RouteMessageOutboundConnector "CBRConnector"

When a user is fully migrated, remove the user from the DL, and they will receive their email in their own Microsoft 365 mailbox.

  • There must be a mail-enabled contact on-premises for each user that has been migrated.
  • Send email to end users to let them know what to expect for their Outlook profile reconfiguration. If using DeploymentPro, refer to the Sample email to send to users before their Outlook profile is reconfigured article for some sample text and screen shots that can be included in this email.

Run Full Pass Migration

  1. Select the users – you may either select individual users, or select all users in a project by clicking the checkbox to the left of Source Email.
  2. Click the Start button from the top.
  3. Select Full Migration. If you want to delay your migration, then select the checkbox marked "Automatically start the migration at", and enter the date and time to have the migration start. To start a migration immediately, you do not need to select the scheduling option.
  4. Click Start Migration

Run Retry Errors

Each error logged represents an item that was not migrated. MigrationWiz contains a mode in which you can resubmit the migration to retry failed items. This mode of operation is always free of charge. You may only submit mailboxes in this mode only if they satisfy all of the following conditions:

  1. The last migration completed successfully.
  2. The mailbox contains at least one error.

If your mailbox does not satisfy these conditions, you will receive a warning when submitting the migration in this mode and your request will not be fulfilled.

To submit one or more mailboxes in retry mode, perform the following steps:

  1. Click the Go To My Projects button.
  2. Select the project that contains the mailboxes that you want to retry.
  3. Select the mailboxes that have migration errors.
  4. Click the Start button.
  5. Select Retry Errors from the menu.
  6. Click the Retry Errors button.

When errors are repaired, they will disappear from the error log. Some errors may not disappear if the Source item was not reprocessed (due to filters, for example), has been deleted or moved, or if the item failed again.

Final Steps

If not using DeploymentPro, users must create new Outlook profiles, and set up their signatures again, and reattach any PST files that were attached to their previous profile.

Click the pie chart icon in the MigrationWiz dashboard to receive an email containing all the project migration statistics.

Was this article helpful?
4 out of 9 found this helpful