How to deal with hybrid identity in tenant-tenant migration?

Hey all, I'm a seasoned migration guy, but I'm pretty new to on-demand migration, and I've just been thrown in the deep end with very little time to get myself up to speed... Hoping the more experienced pros here could give me a few pointers to get me started... I'm doing a tenant-tenant migration in parent-subsidiary company scenario. The parent and the subsidiary have operated autonomously for many years, and each has their own hybrid AD-AAD implementation...

Each company has a separate AD forest on-prem with 2-way trust between. Each AD forest has an AADC sync into their respective tenants. The customer is proposing to migrate identity by excluding the on-prem user accounts from 1 AADC sync, and enabling it on the other (across the trust), and have tested that this works. However, I'm thinking that's not a good approach as we plan to use On-demand for their 365 workloads.. I'd like to understand conceptually how things will work in terms of hybrid identity... should I migrate everything via on-demand first, and then switch the AADC? - will I be able to make the other AADC match with the migrated user?

I would think that if they switch the Identity with their proposed approach. - the user objects will be DE-provisioned in the source tenant on the next sync... not a problem for Exchange as their mailboxes are all on-prem, but if a user is deprovisioned, won't their OneDrives also be deprovisioned, - and won't on-demand then not find them via discovery and so not be able to migrate any of their data?

My inclination is to leave AADC as-is (for now at least) - migrate the users to the new tenant with on-demand, migrate their Onedrives, Teams, etc.

But, should I >then< switch them to the alternate AADC? - the source AD accounts aren't migrating across AD domains, they're staying put. Via the trust relationship the other AADC can bring those users into scope (and obviously I'd remove them from scope of the initial AADC sync) - that would de-provision the user object in the source tenant - my concern is will I be able to force the new AADC sync to match up the AD user object with the newly-migrated Azure AD object? - if yes, that would seem to be the desired outcome? 

  • Disconnecting the AADC in the forest will basically turn the Azure AD objects into cloud-only objects instead of hybrid objects, as long as they only disable the Azure AD Sync and do not delete the objects.  To disable AADC Sync, use the sample command below.

    Set-MsolDirSyncEnabled -EnableDirSync $false

    Once AADC Sync is disabled, all previously synced hybrid objects will become cloud-only objects, so as long as we do not de-license them in the cloud, OneDrive data should remain.  However, they will lose other functionality such as, but not limited to, hybrid mail flow, SSO, and a unified GAL between their on-prem Exchange and the cloud tenant.

    On Demand Migration Directory Sync can perform object synchronization directly from on-prem AD or its counterpart (the cloud object in Azure AD) into the target Azure AD in the cloud. These objects can be used later for content migration, and lastly they can be soft-matched to the child company's on-prem objects if they do not wish to move them to the parent.  This is just one way to do it; there are other methods, each with a different outcome and user experience.  So it really depends on what the customer's end goal and requirements are.  For example, will there be a device migration later?  Are they planning to move both companies into a greenfield tenant, or simply moving users from the child company to the parent?  These factors will decide the approach to take.

     Hope this helps
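A read-only pre-flight check for the matching question raised in the thread, added here as an example and not part of the original answer: before re-scoping the other AADC, it reports whether the target tenant still receives sync cycles and whether the migrated cloud object would hard-match (ImmutableId equals the on-prem sourceAnchor) or be a UPN-based soft-match candidate. It assumes the MSOnline and ActiveDirectory modules, an existing Connect-MsolService session against the target tenant, and hypothetical names (jdoe, contoso.com).

```powershell
# Added example, not from the original post. Assumes: MSOnline + ActiveDirectory modules,
# already connected to the TARGET tenant with Connect-MsolService.
# Hypothetical identifiers: sAMAccountName 'jdoe', cloud UPN 'jdoe@contoso.com'.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$CloudUpn       = 'jdoe@contoso.com'
)

Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Tenant-level state: is AADC sync still enabled, and when did the last cycle run?
$company = Get-MsolCompanyInformation
"DirectorySynchronizationEnabled : $($company.DirectorySynchronizationEnabled)"
"LastDirSyncTime                 : $($company.LastDirSyncTime)"

# 2. Derive the ImmutableId Azure AD Connect would write for the on-prem account.
#    The sourceAnchor is mS-DS-ConsistencyGuid when populated, otherwise objectGUID;
#    in both cases the cloud ImmutableId is the base64 form of those 16 bytes.
$adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'mS-DS-ConsistencyGuid', UserPrincipalName
$anchorBytes = if ($adUser.'mS-DS-ConsistencyGuid') { [byte[]]$adUser.'mS-DS-ConsistencyGuid' }
               else                                 { $adUser.ObjectGUID.ToByteArray() }
$expectedImmutableId = [Convert]::ToBase64String($anchorBytes)

# 3. Compare with what the migrated cloud object carries. A $null LastDirSyncTime
#    means the object is currently cloud-only; an empty ImmutableId plus a matching UPN
#    makes it a soft-match candidate (SMTP-based soft match is not checked here).
$cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn
[pscustomobject]@{
    CloudUpn             = $cloudUser.UserPrincipalName
    CloudImmutableId     = $cloudUser.ImmutableId
    ExpectedImmutableId  = $expectedImmutableId
    CloudLastDirSyncTime = $cloudUser.LastDirSyncTime
    WillHardMatch        = ($cloudUser.ImmutableId -eq $expectedImmutableId)
    SoftMatchCandidate   = ([string]::IsNullOrEmpty($cloudUser.ImmutableId) -and
                            ($cloudUser.UserPrincipalName -eq $adUser.UserPrincipalName))
    MismatchRisk         = (-not [string]::IsNullOrEmpty($cloudUser.ImmutableId) -and
                            ($cloudUser.ImmutableId -ne $expectedImmutableId))
}
```

A MismatchRisk of True means the cloud object is anchored to a different on-prem object, so the new AADC would create a duplicate rather than take over the migrated user; that is the case to resolve before enabling the sync scope.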