Start with discovery, not licenses
Before you provision a single tenant, inventory every mailbox, shared folder, distribution group, public folder, and third-party app touching email or files.
This is where 90% of post-migration tickets are prevented.
Pick the right migration model
Cutover: under 150 mailboxes, simple Exchange or POP/IMAP source. Fast but disruptive.
Staged / Hybrid: 150-2000 mailboxes or co-existence required. More complex but transparent to users.
Tenant-to-tenant: M&A or rebrand scenarios. Requires dedicated tooling (BitTitan, Quest, ShareGate).
Migrate SharePoint and OneDrive correctly
Map file shares to SharePoint sites, not to a giant OneDrive. Respect permission boundaries and use a tool that preserves metadata, timestamps and version history.
Set a content freeze window for the final delta and communicate it aggressively.
Enrol devices in Intune from day one
A Microsoft 365 migration is the perfect moment to introduce device compliance and conditional access. Push baseline policies for BitLocker, Defender, Autopilot and app protection.
This converts the migration from an email project into a security uplift.
Harden the tenant before users arrive
Enable Security Defaults or a custom Conditional Access stack, disable legacy authentication, configure DKIM/DMARC/SPF, and turn on Microsoft Defender for Office 365.
A clean tenant on day one prevents the most common BEC and phishing incidents.
Post-migration: train, measure, optimise
Run short Teams and SharePoint training sessions in the first 30 days. Monitor adoption with the Microsoft 365 usage reports and address low-adopting teams individually.
Decommission the legacy environment only after 60 days of stable operation.
Conclusion
A Microsoft 365 migration done right gives you modern collaboration, stronger security and predictable per-user costs. Done wrong, it generates a year of helpdesk pain. Plan accordingly.
