Hey all, I'm a seasoned migration guy, but I'm pretty new to On Demand Migration, and I've just been thrown in the deep end with very little time to get myself up to speed... Hoping the more experienced pros here could give me a few pointers to get me started... I'm doing a tenant-to-tenant migration in a parent-subsidiary company scenario. The parent and the subsidiary have operated autonomously for many years, and each has its own hybrid AD-AAD implementation...
Each company has a separate AD forest on-prem, with a two-way trust between them. Each AD forest has an AADC sync into its respective tenant. The customer is proposing to migrate identity by excluding the on-prem user accounts from one AADC sync and enabling them in the other (across the trust), and has tested that this works. However, I'm thinking that's not a good approach, as we plan to use On Demand for their 365 workloads... I'd like to understand conceptually how things will work in terms of hybrid identity: should I migrate everything via On Demand first, and then switch the AADC? Will I be able to make the other AADC match with the migrated user?
I would think that if they switch the identity with their proposed approach, the user objects will be de-provisioned in the source tenant on the next sync... Not a problem for Exchange, as their mailboxes are all on-prem, but if a user is de-provisioned, won't their OneDrive also be de-provisioned? And won't On Demand then fail to find them via discovery, and so be unable to migrate any of their data?
My inclination is to leave AADC as-is (for now at least), migrate the users to the new tenant with On Demand, and migrate their OneDrives, Teams, etc.
But should I >then< switch them to the alternate AADC? The source AD accounts aren't migrating across AD domains; they're staying put. Via the trust relationship, the other AADC can bring those users into scope (and obviously I'd remove them from the scope of the initial AADC sync). That would de-provision the user object in the source tenant. My concern is: will I be able to force the new AADC sync to match up the AD user object with the newly-migrated Azure AD object? If yes, that would seem to be the desired outcome?
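The matching step the post asks about at the end (getting the parent forest's Azure AD Connect to join the unchanged on-prem accounts to the cloud users that On Demand Migration created in the target tenant) is the standard AADC "hard match": AADC joins an on-prem object to a cloud object whose onPremisesImmutableId equals the base64 form of the on-prem sourceAnchor attribute. The script below is an added example, not code from the post, from Quest or from Microsoft, that pre-stages that value on the target-tenant users and reports which ones are ready. It assumes the target AADC uses mS-DS-ConsistencyGuid as its sourceAnchor, that the source-forest DC is reachable over the trust, that Microsoft.Graph.Users is installed with Connect-MgGraph already run against the target tenant, and that the domain names, UPNs and the mapping CSV are made-up placeholders.

```powershell
# Added example (not from the original post, Quest or Microsoft): pre-stage the
# AADC hard-match anchor (onPremisesImmutableId) on target-tenant users that
# On Demand Migration created, so that when the source-forest accounts are
# brought into scope of the target forest's Azure AD Connect, AADC joins them
# to the existing cloud users instead of creating duplicates.
#
# Assumptions (none are stated in the post):
#  - The target AADC's sourceAnchor is mS-DS-ConsistencyGuid (the default for
#    new installs); pass -SourceAnchorAttr objectGUID if it is not.
#  - The source-forest DC is reachable over the trust from where this runs.
#  - Microsoft.Graph.Users is installed and Connect-MgGraph has been run
#    against the TARGET tenant with User.ReadWrite.All.
#  - $SourceDomain, the UPNs and the mapping CSV are hypothetical.

param(
    [string]$SourceDomain     = 'sub.corp.example',
    [string]$SourceAnchorAttr = 'mS-DS-ConsistencyGuid',
    [switch]$Apply            # without -Apply the script only reports
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

# Constructed mapping: source sAMAccountName -> UPN of the ODM-created target user.
$Mapping = @'
SourceSam,TargetUpn
jdoe,jdoe@parent.example
asmith,asmith@parent.example
'@ | ConvertFrom-Csv

function Get-SourceAnchorBase64 {
    # Base64 of the sourceAnchor bytes is exactly what AADC writes to
    # onPremisesImmutableId, so this is the value a hard match must carry.
    param([string]$SamAccountName)
    $u   = Get-ADUser -Identity $SamAccountName -Server $SourceDomain -Properties $SourceAnchorAttr
    $raw = $u.$SourceAnchorAttr
    if ($null -eq $raw) { return $null }        # attribute not populated yet
    $bytes = if ($raw -is [guid]) { $raw.ToByteArray() } else { [byte[]]$raw }
    return [Convert]::ToBase64String($bytes)
}

$report = foreach ($row in $Mapping) {
    $anchor = Get-SourceAnchorBase64 -SamAccountName $row.SourceSam
    $cloud  = Get-MgUser -UserId $row.TargetUpn `
              -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesSyncEnabled

    $status =
        if (-not $anchor)                                 { 'NoSourceAnchor' }
        elseif ($cloud.OnPremisesSyncEnabled)             { 'AlreadySynced' }   # ImmutableId is read-only on synced objects
        elseif ($cloud.OnPremisesImmutableId -eq $anchor) { 'AlreadyMatched' }
        elseif ($cloud.OnPremisesImmutableId)             { 'ConflictingImmutableId' }
        else                                              { 'NeedsHardMatch' }

    if ($status -eq 'NeedsHardMatch' -and $Apply) {
        Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $anchor
        $status = 'HardMatchSet'
    }

    [pscustomobject]@{
        SourceSam  = $row.SourceSam
        TargetUpn  = $row.TargetUpn
        Anchor     = $anchor
        CloudValue = $cloud.OnPremisesImmutableId
        Status     = $status
    }
}

$report | Format-Table -AutoSize
```

Run it once without -Apply to see the status column, then with -Apply before the accounts are added to the target AADC's scope. Two caveats worth checking in the report: a user that already shows OnPremisesSyncEnabled cannot have its ImmutableId changed, and a ConflictingImmutableId means some other anchor was already stamped and needs investigating before sync. Without a pre-staged ImmutableId, AADC falls back to a soft match on UPN or primary SMTP address, which only works if those already agree between the on-prem account and the target cloud user. After the first sync, the cloud UPN will follow the on-prem userPrincipalName (provided its suffix is verified in the target tenant), so confirm that suffix is verified there before switching scope.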