09 May 2022

Top 10 Pitfalls of an Microsoft Office 365 Migration


Photo by JESHOOTS.COM on Unsplash

Email is one of the resources in IT that people take most for granted. There are so many expectations attached to the email resource. It is expected to work… no … matter … what. More and more companies are finding that it is most cost-effective to migrate from on-prem self-hosted email solutions to cloud solutions. Unfortunately, once the decision is made to migrate, there is an unrealistic expectation that a systems administrator will wave a magic wand and 25 years of email boxes will suddenly be in the cloud, and end-users, least of all the C-Level, will be not be impacted.

There are lots of pros and cons to hosting email in the cloud versus self-hosting on-premises, but that is outside the scope of this post. I will say, my favorite email system I have gotten to use is still SquirrelMail while I was in college. It was certainly not very feature-packed, but it did give me an ssh login to the mail server. That server was one of the few things that was not rate-limited on the network… and ssh proxying was not blocked. Oh, the good-ole days! This also shows how much we have grown as a community. In researching this post, I saw old forums where people needed help migrating, and they were resorting to using each employee's outlook, essentially, to pull then push the mailbox from old to new.

Bil Keane 2016

Since then, I have been responsible for countless migrations: SquirrelMail to MS Exchange 2003, Exchange 2003 to Exchange 2007, Exchange to Gmail, Gmail to Office 365, Exchange to O365, Exchange 2016 to Hybrid O365, and plenty of derivatives in between. Pull up a chair, grab a cup of coffee, and take a deep breath. You can do this migration and you can avoid these top 10 pitfalls of migrating to Office 365!

10. Buy-Off Your Users (with Training)

If this was a “Top Two Pitfalls” post… they would both be End-Users. I have been asked several times prior to a migration “This will be seamless, right? No interruptions? Users won’t need to do anything?” The simple answer is NO. Sure, in the perfect world users are using a modern version of Outlook autodiscovery will switch them over, however, this is the time to have proper training rolled out for the new technologies, web portals, and policies that O365 will afford your company. Don’t take the easy out, don’t make promises you know you might not be able to keep. Yes, users will be impacted, but it is a good thing.

9. Poor Planning Produces Poor Results

There are many steps that go into a proper migration. A Minimal Hybrid Migration where you have coexistence between your on-premise and cloud tendencies is still an involved process:

Step 1: Verify you own the domain.
Step 2: Start express migration.
Step 3: Run directory synchronization to create users in Microsoft 365 or Office 365.
Step 4: Give Microsoft 365 or Office 365 licenses to your users.
Step 5: Start migrating user mailbox data.
Step 6: Update DNS records.

It is not as simple as changing an MX record and hitting a button. Take the time to do the research and then convey those expectations. Microsoft has a lot of resources to help you estimate the time it will take… double it.

Public Folders, Shared Mailboxes, and custom groups will all take extra time. If you can skip migrating Public Folders… do so. It is much preferred to start using modern solutions such as shared resources. Some people do not want to spend the time doing the migration and training involved in a new resource, but if you stick with Public Folders, remember that your only viable option for managing them is going to be PowerShell.

8. “Let it Go, Let it GO”

“Can’t we just apply the retention policies AFTER we migrate?”

I once worked with a large international media company. There were video editing departments, still graphics, animations, radio, etc. Many of these departments did not want to develop a standardized workflow and so used the email system for copy-approval. We are not talking proxy copies either… original full-resolution media. Needless to say, the company did not want to pay for more than the basic 50GB mailbox for most employees, and most of those mailboxes were much bigger than 50GB. You can get an idea of your larger mailboxes with the following PowerShell command:

[PS] C:\>Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | Select-Object DisplayName,TotalItemSize -First 100 | Export-CSV top100mailboxes.csv

Even older versions of most email servers have a way to apply retention policies and most companies have a records management policy on how long things must be kept… and how long they should not be kept. This is a great time to make sure those are being implemented. Retention Policies are very straightforward but should be tested first following Microsoft Documentation

7. Be Exceptional! (But Don’t _Have_ Exceptions)

There is a place for granular policies and permission, and while I think those should always be applied to groups and then groups be applied to users, either way, that place is really not in the basic setup of a user mailbox. The more mailboxes are standardized, the easier it will be to diagnose problems.

I had a migration in the last few years for a company and a higher ranking manager was having terrible problems with his emails not being able to be opened by some board members. Turns out there were lots of exceptions made on his account, among which was allowing him to continue using Rich Text Format for everything. RTF is only readable by a few email clients. The excuse was that no one wanted to make him switch or modernize, etc. The result was that he was one of only a few people that actually had problems during the migration.

6. If you always do what you have always done… you might not get the same results…

This goes along with proper planning, but there are a particular number of unnecessary headaches caused by changing email systems and thereby changing spam rules. Spam rules are a necessary evil, but technology has gotten a lot better. Too often, companies just want to migrate their old rules into their new system. I would caution against this, in large part because newer systems, like the Baracuda and Proofpoint’s cloud offerings, or even Microsoft’s built-in rules rely more on artificial intelligence to filter out spam and bad actors, whereas old systems are generally more explicate.

5. Garbage In — Garbage Out

A migration to a new system will not wipe out a decade of bad practices. You can’t blame Twitter for not blocking you from posting that embarrassing tweet, it is no more magic than the import tools Microsoft offers. Moreover, if you are moving from an on-premise system to the cloud, you a going to have to pay for each of those mailboxes from past employees that were never cleaned out. The same goes for retention policies, litigation holds, weird routes, old groups, ancient contacts, and the disclaimer/company footers. Clean it up ahead of time, and use the momentum to push best practices going forward.

Fortunately for all of us, Microsoft includes some best practices scanners, there are also many great resources out there devoted to the topic.

4. Old dogs CAN learn new tricks (As long as they don’t require TLS)

Photo by Richard Bell on Unsplash

Often overlooked, but never forgotten by the people who use them, legacy clients, like copy machines, will need an SMTP connection. It is also necessary to evaluate any DMZ, CHD, or other isolated networks you may have that don’t have clear access to the Office 365 servers. If you use a TAP/SPAN port on your network, these are pretty easy to find using your network monitoring solution, otherwise, you can use Wireshark to monitor and log internal SMTP connections

The easiest solution is to make sure that your firewall and routers have access control lists and routes to the O365 servers, but it may also be necessary to run a small SMTP proxy server. I like running a small containerized appliance, but you can also use a simple Linux server.

3. Only YOU can stop security breaches

1989; Smokey Bear poster showing a half body image of Smokey pointing at the audience with one hand while holding a shovel in the other hand. Poster reads “Only You”. This work is maintained in the National Agricultural Library, in Beltsville, MD.

Too often, in the middle of a migration, I have heard the phrase “we will only open it up till we get this migration done.” This could be the firewall, the SSL requirements, or giving more permissions to a service account than necessary. Just say NO. Always get things working the right way and don’t cut corners. Exchange servers are in no way immune to malicious attacks and when your focus is on the migration, it is easy to let your guard down keeping the on-premise system safe. Make sure you are keeping up on your daily/weekly/monthly security tasks:

  1. Keep Exchange servers up to date
  2. Maintain Firewalls
  3. Keep security appliances and software up to date and keep checking logs(Symantec, Barracuda, Proofpoint, etc)
  4. Secure network hosting Exchange
  5. Monitor server logs
  6. Use certificates for ALL external services
  7. Limit administrative access and elevated accounts (including service accounts)
  8. Enable role-based access control and require strong passwords
  9. Audit admin and other mailbox activities
  10. Use Microsoft’s security Utilities (Safety Scanner, Defender, Security Configuration Wizard, Security Compliance Toolkit, Exchange Analyzer)

2. But it was going so well… (Plan B)

As we go back to number 9, I have to reiterate that having a good plan is necessary. There is nothing worse than doing an overnight migration and finding out at 7 am that the system is hosed and you have to figure out how to get the email back up and running. Each step needs to be thought out. One thing we did at a previous place was to set up a temporary email portal for checking incoming emails by using the portal feature on our enterprise spam filter.

So often the problem is just an internet interruption in the middle of the migration, sometimes a firewall rule was changed, or your on-premise public IP may have changed. In these cases, you can just restart the batch that failed. Very rarely have I had to resort to pulling a PST (or a backup) of that user's mailbox and pushing it to the new system.

1. Buy-Off Users… again

https://poweroutage.report/california

Finally, as I said before, email is one of the technologies that is most taken advantage of; people just expect it to work. The electric grid, gas companies, and telco do not have 100% uptime, email doesn’t either. While I pushed end-user training in number 10, this is also a great time to get better buy-in and understanding from management. There are so many options and solutions in modern email services. Make sure you are using those things that are best for your company. This migration can be as much about moving to better practices and better technologies as it is moving to a cheaper platform in the cloud.

Good Luck! If this is your first time doing an email migration or your fiftieth time, let me know how it went. Reach out on Twitter and let me know if you learned anything new this time around.