How To Use Initiate Sign-Out for Office 365 and Tenant-To-Tenant Migrations

Client Impacts

When migrating users from one tenant to another, the end user’s Office install will need to be reconfigured.  This is regardless of whether you are moving the user’s domain or not.  At Quadrotech, during my day job, we have a reconfiguration agent that performs these actions as recommended by Microsoft.  It is the only way to get full control over the user’s computer, reconfigure the endpoint at the right time, and reduce help desk volumes.  (This solution is found here: https://www.quadrotech-it.com/office-365-tenant-to-tenant-migration/ )

In conjunction with this process, I also advocate for revoking login tokens prior to doing the reconfiguration and identifying the ejection / switchover.  This procedure will help automate the steps needed on Office Mobile and on the computers on which you do not have a reconfiguration agent installed.  This does not replace the need for a desktop agent, but it certainly can prevent the user from having a valid session token and being in the old tenant all alone.

This action is accomplished by using the “Initiate Sign-Out” link in the user account information in the Office 365 Admin Centre, or in PowerShell.

Designed Use

The designed use is to “immediately” revoke a user’s access when they are terminated.  If you don’t do this, and the user is logged in on a device somewhere, they will not get kicked out of Office 365 right away, including the OneDrive For Business Sync Client and Microsoft Teams.  This sign-out process takes up to an hour according to the documentation, but I can attest it usually takes less than 15 minutes.  (In fact it only took 3 minutes when I tested it while writing this article.)

Microsoft covers how to properly terminate a user in Office 365 here:

https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/remove-former-employee?view=o365-worldwide

Although this function isn’t designed for Tenant-To-Tenant migrations, I suggest using this function in all Tenant-To-Tenant migration projects.  This will prevent users from having a cached session to the old tenant, which can survive the UPN getting renamed/domain ejected and so on.  If the session isn’t expired, the user can still connect in a lot of cases.  This would also mean the user could be attempting to work in the source tenant and you would need to re-migrate the user (and handle the confusion on where they are).

This is also why I recommend looking at security and audit logs on “Monday” as users come online to see if you notice users in the wrong place.  I also look at any activity log to review for signs of use, so problems can be caught early.

How to use Initiate Sign-Out in Office 365

UI

This is very simple.  The initiate sign-out function is on the manage user screen.

  1. Log in to the Office 365 Admin Portal
  2. Go to Active Users and choose the user you want to initiate sign-out for
  3. You will see the Initiate sign-out option on the right-hand side

PowerShell

For more than 3 users you will want to do this in PowerShell.  This is part of the AzureAD Module.  If you do not have this installed, you can use the following command in PowerShell:

Install-Module AzureAD

To run initiate sign-out in PowerShell, run these commands:

Connect-AzureAD

Get-AzureADUser -SearchString ExampleUPN@madmike.net | Revoke-AzureADUserAllRefreshToken

#Tested Oct 9 2020

Multiple Users

If you want to do this for multiple users, I suggest you check out a helpful guide that Alex Rodrick wrote on Practical365 called “PowerShell for Beginners”.  It is a great guide to help you learn, and practice, your PowerShell scripting skills.  You can see his free eBook here: https://practical365.com/ebooks/
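As an added example for the PowerShell and Multiple Users sections above (not code from the original post), the script below revokes refresh tokens for a whole migration batch listed in a CSV, records the outcome per user, and writes a log that can later be compared against source-tenant sign-in activity.  It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the CSV path and its single UserPrincipalName column are hypothetical.

```powershell
<#
 Added example: bulk Initiate Sign-Out for a tenant-to-tenant migration batch.
 Assumptions: AzureAD module loaded, Connect-AzureAD already run, and a CSV
 (hypothetical) with one column named UserPrincipalName.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $BatchCsv,
    [string] $LogCsv = ".\signout-log-$(Get-Date -Format yyyyMMdd-HHmm).csv"
)

$results = foreach ($row in Import-Csv -Path $BatchCsv) {
    $upn   = "$($row.UserPrincipalName)".Trim()
    $entry = [ordered]@{ UPN = $upn; ObjectId = $null; Status = $null; TimeUtc = $null; Error = $null }
    try {
        # -ObjectId accepts a UPN and matches exactly. -SearchString is a prefix
        # match on display name / UPN and can return more than one user, so it
        # is avoided for a batch run.
        $user = Get-AzureADUser -ObjectId $upn
        $entry.ObjectId = $user.ObjectId

        if ($PSCmdlet.ShouldProcess($upn, 'Revoke all refresh tokens')) {
            # Invalidates refresh tokens and browser session cookies. Access
            # tokens already issued stay valid until they expire (about an
            # hour), which is the delay the documentation quotes.
            Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
            $entry.Status  = 'Revoked'
            $entry.TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
        } else {
            $entry.Status = 'Skipped (WhatIf)'
        }
    } catch {
        # A typo in the CSV or a user already removed from the source tenant
        # ends up here; the batch continues and the failure is recorded.
        $entry.Status = 'Failed'
        $entry.Error  = $_.Exception.Message
    }
    [pscustomobject]$entry
}

# Keep the log: the TimeUtc column is the point after which any source-tenant
# sign-in by that user deserves a closer look on migration Monday.
$results | Export-Csv -Path $LogCsv -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
```

Run it once with -WhatIf to confirm every UPN in the CSV resolves before revoking anything.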

Closing

Although a reconfiguration agent is the best way to handle the Tenant-To-Tenant migration experience, initiating sign-out and expiring all sessions for a user in the source tenant can be very helpful.  This procedure can also help handle mobile devices and computers that you do not manage.