Every organization has a different policy on how they handle Terminated Users. In an Office 365 Tenant-To-Tenant Migration, terminated users cause challenges.
Terminated user policies are usually directly tied to the industry the organization is in, and the position the former employee occupied. In this article, we explore how to scope the issues and migrate these accounts effectively in a Tenant-To-Tenant Migration.
Scope Legal Requirements
Many organizations have turned on retention policies to not delete terminated user data. As of this writing, terminated accounts do not cost a company anything, so many leave this on. (Whether this follows their retention policy is another topic.)
When scoping these accounts for migration, it is a good idea to determine why these accounts were retained to begin with and if they will be retained in the new organization. This normally requires consulting with Legal to understand any pending litigation. You may find that none of these accounts need to be terminated, or only those accounts less than 90 days old.
Scope Business Requirements
When a key person leaves a company, their old account may get special handling. For example, colleagues may get access to the account, their SMTP address may get assigned to a manager, and so on. Many companies with mature policies have a primary policy and an exception policy for key staff. You should find these accounts and determine any that are in use. (Audit logs are a big help here.) Depending on the situation, you may be able to easily find these accounts based on their license or other indicator.
When you find these accounts, you need to interview the people who have access to them to determine if there is a critical business case for these accounts to remain.
The Technical Piece
If the account is not active and does not have a license, most migration tools will need it to become active again. The target is going to need a license as well. If the account is email only, some companies choose to make this account a shared mailbox, but you should review your Microsoft TOS to ensure this practice doesn’t violate these terms.
At the end of the day, you need to ensure two things are covered: licenses and holds.
License
You need to license the object on the source and the target. In most cases, the account will need a similar license in the target as the account had on the source. You may choose to remove this license post move to make the account inactive again.
As a good practice, you should ensure these accounts have a password change and are disabled.
Legal Holds
Whatever legal holds are on the source account, you need to match them in the target. Legal holds can get complicated, and migrating them is an entirely different topic. Legal holds can be full litigation holds or scoped in-place holds. In short, you need to ensure you do not migrate this data just to have it removed later by a clean-up process, resulting in the loss of this critical data.
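One way to check that holds on the source are matched in the target before any clean-up process runs, as an added example that is not part of the original article. The function name Compare-MailboxHold, the alias-based matching and the sample records are assumptions made for illustration; LitigationHoldEnabled and InPlaceHolds are properties returned by Get-Mailbox.

```powershell
# Added example; the sample records below are constructed.
# Real input (after Connect-ExchangeOnline to each tenant) could come from
# Get-Mailbox -ResultSize Unlimited, adding -InactiveMailboxOnly for inactive mailboxes.
# Assumption: a source mailbox and its migrated copy share the same Alias.

function Compare-MailboxHold {
    param(
        [Parameter(Mandatory)] [object[]] $Source,
        [Parameter(Mandatory)] [object[]] $Target
    )
    # Default hashtables are case-insensitive, which suits alias matching
    $targetByAlias = @{}
    foreach ($t in $Target) { $targetByAlias[$t.Alias] = $t }

    foreach ($s in $Source) {
        $t = $targetByAlias[$s.Alias]
        $issues = @()
        if (-not $t) {
            $issues += 'no matching mailbox in target'
        } else {
            if ($s.LitigationHoldEnabled -and -not $t.LitigationHoldEnabled) {
                $issues += 'litigation hold not enabled in target'
            }
            # Assumption: hold identifiers are not expected to match across tenants,
            # so only the number of scoped holds is compared (a coarse check)
            $srcHolds = @($s.InPlaceHolds | Where-Object { $_ }).Count
            $tgtHolds = @($t.InPlaceHolds | Where-Object { $_ }).Count
            if ($srcHolds -gt $tgtHolds) {
                $issues += "scoped holds: source=$srcHolds target=$tgtHolds"
            }
        }
        if ($issues) {
            [pscustomobject]@{ Alias = $s.Alias; Issues = $issues -join '; ' }
        }
    }
}

# Constructed sample data: one mailbox per failure mode, plus one that matches
$source = @(
    [pscustomobject]@{ Alias = 'asmith'; LitigationHoldEnabled = $true;  InPlaceHolds = @() }
    [pscustomobject]@{ Alias = 'bjones'; LitigationHoldEnabled = $false; InPlaceHolds = @('hold-1', 'hold-2') }
    [pscustomobject]@{ Alias = 'clee';   LitigationHoldEnabled = $true;  InPlaceHolds = @('hold-3') }
    [pscustomobject]@{ Alias = 'dkhan';  LitigationHoldEnabled = $true;  InPlaceHolds = @() }
)
$target = @(
    [pscustomobject]@{ Alias = 'asmith'; LitigationHoldEnabled = $false; InPlaceHolds = @() }
    [pscustomobject]@{ Alias = 'bjones'; LitigationHoldEnabled = $false; InPlaceHolds = @('hold-9') }
    [pscustomobject]@{ Alias = 'clee';   LitigationHoldEnabled = $true;  InPlaceHolds = @('hold-8') }
)
Compare-MailboxHold -Source $source -Target $target | Format-Table -AutoSize
```

With the constructed data, asmith, bjones and dkhan are reported and clee is not; an empty result is the condition to reach before licenses are removed in the target.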
Deletion Policy
Just as with legal holds, you likely want accounts that are inactive in the source to be inactive again in the target. You need to ensure the policies are set to retain this data.
Timing
Inactive accounts should be separated from the migration weekend or production migration schedule. I always prefer to migrate them first to test procedures, get metrics and find any problems that may come up later.
Just like anything in an Office 365 Tenant-To-Tenant Migration, Migrating Terminated User Accounts takes proper planning and execution.