
Viral tenants

Information

This page describes how to proceed when migrating viral tenants.

  1. Save and check tenant after takeover
  2. Preparing the tenant for migration
  3. Final measures

 

1. Save and check tenant after takeover

After the tenant has been taken over via an internal admin takeover, the next step should be to disable self-service user registration (sign-up). This ensures that no further users can create an account in the tenant simply by verifying an e-mail address of the institution.
The setting in question is the tenant's authorization policy (the property allowEmailVerifiedUsersToJoinOrganization), and it can only be changed via Microsoft Graph. To set up access to Microsoft Graph, continue reading in the next section.

 

Register GraphAPI app via app context

Registration consists of three parts: creating the app, creating a client secret, and assigning the API permission. To do this, follow these steps:

 

First you need to create the GraphAPI app.

Step 1
Log in to Microsoft Azure. You can find detailed instructions here.

Step 2
Enter App registrations in the search bar and select this option.

Step 3
Click on + New registration in the App registrations window.

Step 4
Fill in the Register an application form:

  • Name: a name of your choice
  • Supported account types
    • Who can use this application or access the API: Accounts in this organizational directory only (Single tenant)
  • Redirect URI (optional): leave empty or enter a URL of your choice

Be sure to select the first (single-tenant) option under Who can use this application or access the API; the app is only needed within this tenant.

Finally, click on Register at the bottom of the screen.

Step 5
After you have created a new app, a client secret must also be created.
To do this, select the newly created app (in this case Azuretest-GraphAPI) and click on Certificates and secrets in the navigation bar on the left-hand side.

Step 6
In the Certificates and secrets window, click on + new client secret.

Step 7
In the Add a client secret window, you can specify a name and an expiration date.
Once the data has been entered, click on Add at the bottom right-hand edge.

Step 8
The client secret is now displayed. Copy the Value immediately and store it securely (for example in a password manager); it is shown only this once and cannot be retrieved later. The Secret ID is merely an identifier and is not needed for authentication.

Step 9
Finally, the necessary permission must be assigned to the application.
Specifically, this is Policy.ReadWrite.Authorization, i.e. the permission to read and change the tenant's authorization policy.
To do this, click on API permissions in the navigation bar on the left.

Step 10
Click on + Add permission in the API permissions window.

Step 11
In the Request API permissions window, select Microsoft Graph.

Step 12
Then select Application permissions.

Step 13
You can now search for the permission; enter Policy.ReadWrite.Authorization and check the box in front of it if it is not already selected.
Finally, click on Add permissions.

Since this is an application permission, it only becomes effective after an administrator has consented to it: back in the API permissions window, click on Grant admin consent for [your tenant] and confirm. Until the status column shows that consent has been granted, the script in the next section will fail with an authorization error.

 

Deactivating the user registration

Once the app registration has been set up in the Azure Portal, the next step is to run the script provided by the IT Center.

Save the script and store it with the config file (.json) under:
C:\Temp\Viral\[…]

Then open the config.json file, fill in the corresponding information from the app registration and save the file.

  • TenantID: the Directory (tenant) ID (shown on the Overview page of the app registration)
  • ClientID: the Application (client) ID (also shown on the Overview page)
  • ClientPassword: the client secret (enter the Value of the client secret generated earlier, not its Secret ID)

Note that config.json now contains a credential that can change tenant-wide policy. Restrict access to the folder accordingly and delete the file once the script has run.

Then execute the script. Depending on the PowerShell execution policy, you may have to confirm the execution of the script (or allow it for the current session, e.g. with Set-ExecutionPolicy -Scope Process Bypass). The output after running the script should look like this:

You can then close PowerShell. If you no longer plan to use Microsoft Graph, we recommend removing the app registration from the Azure Portal; at the very least, delete the client secret so that the credential stored in config.json can no longer be used.
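For readers who want to understand (or verify) what the IT Center's script does, the following is an added example and not the IT Center's script itself. It reads the config.json described above (keys TenantID, ClientID, ClientPassword), obtains a client-credentials token for the app registration, shows the current state of the authorization policy, disables both self-service sign-up paths, and reads the policy back to confirm the change. The file name config.json next to the script and the two policy properties set to false are assumptions of this example.

```powershell
# Added example (not the IT Center's script): disable self-service sign-up in a
# viral tenant via Microsoft Graph, using the app registration described above.
# Assumes a config.json next to this script with the keys TenantID, ClientID and
# ClientPassword. Requires Windows PowerShell 5.1 or PowerShell 7.

$ErrorActionPreference = 'Stop'
$configPath = Join-Path $PSScriptRoot 'config.json'
$config     = Get-Content -Path $configPath -Raw | ConvertFrom-Json

# 1. Client-credentials token for the app. The application permission
#    Policy.ReadWrite.Authorization must already have admin consent.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$($config.TenantID)/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $config.ClientID
        client_secret = $config.ClientPassword
        scope         = 'https://graph.microsoft.com/.default'
    }
$headers   = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$policyUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

# 2. Show the current state before changing anything.
$before = Invoke-RestMethod -Method Get -Uri $policyUri -Headers $headers
Write-Host "allowEmailVerifiedUsersToJoinOrganization (before): $($before.allowEmailVerifiedUsersToJoinOrganization)"
Write-Host "allowedToSignUpEmailBasedSubscriptions    (before): $($before.allowedToSignUpEmailBasedSubscriptions)"

# 3. Disable both self-service paths: joining the tenant with a verified
#    institutional e-mail address, and signing up for e-mail-based subscriptions.
$body = @{
    allowEmailVerifiedUsersToJoinOrganization = $false
    allowedToSignUpEmailBasedSubscriptions    = $false
} | ConvertTo-Json
Invoke-RestMethod -Method Patch -Uri $policyUri -Headers $headers `
    -ContentType 'application/json' -Body $body | Out-Null

# 4. Read the policy back and fail loudly if the change did not take effect
#    (typically: permission added but admin consent not granted).
$after = Invoke-RestMethod -Method Get -Uri $policyUri -Headers $headers
if ($after.allowEmailVerifiedUsersToJoinOrganization -or
    $after.allowedToSignUpEmailBasedSubscriptions) {
    throw 'Self-service sign-up is still enabled; check the app permission and admin consent.'
}
Write-Host 'Self-service sign-up is now disabled.'
```

Run the script from the folder that contains config.json. A 401 or 403 from the token endpoint or from Graph almost always means a wrong client secret value or missing admin consent, respectively; the final read-back is what actually proves the takeover is closed off.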

 

2. Preparing the tenant for migration

As soon as the tenant has been successfully transferred and the registration has been deactivated, the tenant should now be prepared for migration.
It is advisable to reduce the accounts in the tenant to a minimum, but also to communicate this and provide the option of backing up data in advance.
The IT Center recommends the following procedure in the order listed:

 

Removal of inactive accounts and groups

Check storage usage

Log in with your created account at https://admin.microsoft.com/.
Under the OneDrive and SharePoint tabs, you can see the general storage usage in OneDrive and SharePoint as well as the specific usage per user and per site.

These lists are a good reference for the use of OneDrive and SharePoint in the tenant: they show how much data is stored in the tenant and by which accounts or groups.

 

Check users and licenses used

The existing users in the tenant can be checked under Users. We recommend reducing the number of users as far as possible to get a better overview.
Please follow the next steps:

Step 1
Delete all guest users in the tenant via the Guest users tab.

Step 2
Delete all accounts of former employees via users.

These accounts can most likely simply be deleted as the employment relationship with the institution has ended and any stored data is (theoretically) no longer required.
Alternatively, you can check how much storage space the respective account occupies under Storage management.
If in doubt, speak to your employees.

Step 3
Delete all accounts of users without active licenses via users.

Users without licenses probably no longer use the account actively, as most Microsoft 365 services cannot be used without a corresponding license.
These accounts can probably also be deleted (possibly only after a brief check in the storage management).
If in doubt, speak to your employees.

With the removal of the above-mentioned user groups, the accounts in the tenant have usually been reduced to a minimum.

 

Please note

Deleted accounts are stored in the recycle bin for 30 days and can be restored during this time. Accounts deleted from the recycle bin cannot be restored.

Alternatively, accounts can also be blocked first (sign-in disabled). This is a less invasive way of checking whether users notice a restriction in their daily work.
Blocked accounts and their data are not deleted automatically and continue to exist in the tenant; the account must then be deleted manually in a second step.


At this point, it is advisable to check the group memberships and the storage usage of the remaining accounts, as these accounts may have been in active use, in which case the employees concerned must be contacted.
To check the group membership, please navigate to groups.

 

Check groups

You can use groups to view the group memberships and draw possible conclusions about usage in the tenant.
If there are no group memberships for a user, it is very likely that no SharePoint was used and no work was carried out in Teams groups within the tenant.
As with accounts, it is generally advisable to reduce the number of groups in the first step.
Please follow the next steps:

Step 1
Delete all groups that have neither members nor owners.

To do this, click on each group individually and check the memberships under Membership.
Due to the previous deletion of accounts, there may now be empty groups, which can then be removed.
Alternatively, the groups and their properties can be queried and analyzed via Microsoft Graph.

Step 2
Delete active groups if they are no longer required.

If a group is a Teams group or contains a SharePoint site, a Teams icon or a SharePoint icon is displayed next to the group.
A direct link to the Teams group or the SharePoint site is available via the properties.
The storage occupied by a group can be found in the storage overview (see above).
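As an added example (not the IT Center's own tooling), the following script produces the inventory that the account steps above (guest, former and unlicensed users, blocked accounts) and group step 1 (groups without members or owners) ask for, using the Microsoft Graph PowerShell SDK instead of clicking through each object in the admin center. It only reports and deletes nothing. Assumptions of this example: the SDK is installed (Install-Module Microsoft.Graph), the signed-in admin can consent to the delegated scopes used, and the two CSV file names are arbitrary.

```powershell
# Added example (not the IT Center's script): inventory users and groups of a
# viral tenant with the Microsoft Graph PowerShell SDK. Report only; nothing is
# deleted or blocked. Assumes Install-Module Microsoft.Graph has been run.

$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All', 'GroupMember.Read.All' -NoWelcome

# --- Accounts --------------------------------------------------------------
# Guests and unlicensed accounts are the deletion candidates from the steps
# above; "Enabled = False" marks accounts that have already been blocked.
$users = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, UserType, AccountEnabled, AssignedLicenses, CreatedDateTime

$userReport = foreach ($u in $users) {
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        IsGuest           = ($u.UserType -eq 'Guest')
        LicenseCount      = @($u.AssignedLicenses).Count
        Enabled           = $u.AccountEnabled
        Created           = $u.CreatedDateTime
    }
}
$userReport | Export-Csv -Path '.\viral-users.csv' -NoTypeInformation -Encoding UTF8

$guestCount      = @($userReport | Where-Object { $_.IsGuest }).Count
$unlicensedCount = @($userReport | Where-Object { -not $_.IsGuest -and $_.LicenseCount -eq 0 }).Count
$blockedCount    = @($userReport | Where-Object { -not $_.Enabled }).Count
Write-Host ("Users: {0} total, {1} guests, {2} unlicensed members, {3} blocked" -f `
    $userReport.Count, $guestCount, $unlicensedCount, $blockedCount)

# --- Groups ----------------------------------------------------------------
# Group step 1: groups with no members and no owners. IsM365Group corresponds
# to the SharePoint icon in the admin center (the group owns a site), IsTeam to
# the Teams icon.
$groups = Get-MgGroup -All -Property Id, DisplayName, GroupTypes, ResourceProvisioningOptions

$groupReport = foreach ($g in $groups) {
    $members = @(Get-MgGroupMember -GroupId $g.Id -All).Count
    $owners  = @(Get-MgGroupOwner  -GroupId $g.Id -All).Count
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Id          = $g.Id
        IsM365Group = ($g.GroupTypes -contains 'Unified')
        IsTeam      = ($g.ResourceProvisioningOptions -contains 'Team')
        Members     = $members
        Owners      = $owners
        Empty       = ($members -eq 0 -and $owners -eq 0)
    }
}
$groupReport | Export-Csv -Path '.\viral-groups.csv' -NoTypeInformation -Encoding UTF8

$emptyGroups = @($groupReport | Where-Object { $_.Empty })
Write-Host ("Groups: {0} total, {1} with neither members nor owners" -f $groupReport.Count, $emptyGroups.Count)
$emptyGroups | Format-Table DisplayName, IsM365Group, IsTeam, Id -AutoSize

Disconnect-MgGraph | Out-Null
```

The two CSV files give you the lists to work through in the order recommended above. Once the relevant entries have been checked (and, where an M365 group or team is involved, the storage overview has been consulted), the deletion itself can still be done in the admin center, which keeps the 30-day recycle bin behaviour described below.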

 

Please note

In general, deleted groups can be restored from the recycle bin for 30 days. Groups deleted from the recycle bin cannot be restored.

 

Check Sharepoint-Sites

SharePoint sites are created indirectly by a Microsoft 365 group. The site activity can be used to draw conclusions about the use or relevance of the stored data.
Under Sites you get an overview of the SharePoint sites, which you can then check. If the page cannot be opened at all (the website is not accessible), SharePoint was not used via this tenant.
If you can access the page, please follow the next steps:

Step 1
Check the site activity (the part marked in red must be replaced, as the link is tenant-specific).

Step 2
Delete all sites without activity after checking their relevance.
Here it makes sense to delete the associated group rather than the site itself, as deleting a Microsoft 365 group also deletes its connected SharePoint site.

 

Please note

SharePoint sites can be restored for 93 days. Sites deleted from the recycle bin cannot be restored.

 

Communication within the institution about the deactivation of active accounts and groups

Communication within the institution is carried out independently by the institution's internal IT department.
Depending on the number or complexity of the accounts, it makes sense to send an (internal) circular to the users informing them of the tenant migration.
In more complex contexts, such as high storage loads for individual accounts or groups, it is recommended to seek direct communication with those affected.

 

Data backup by the users

You can forward the following IT Center Help page and the articles that fall under it to users as a general guide to data backup for Microsoft cloud services.
There you will find the most important points and locations where usage usually takes place and how the person concerned can check for themselves whether data has been used or stored.
It also shows how to migrate or save the data from the account.

 

Deactivation of all remaining accounts and groups

As soon as all steps up to this point have been completed, the data has been backed up by the users and there is no longer any recognizable usage in the tenant, the remaining accounts and groups in the tenant can be deleted.

 

3. Final measures

During the migration of the domain into the managed tenants of the IT Center, no accounts or groups are migrated, and the existing accounts in the viral tenant receive an alternative login domain; access to the old accounts may therefore be lost.
The data in the accounts is not migrated, as "only" the domain is migrated. The data therefore theoretically remains in the viral tenant, but continuing to use it is not recommended.
As soon as everything has been prepared for the migration of the domain, please contact the IT Service Desk at servicedesk@itc.rwth-aachen.de using the keywords migration of the viral tenant [insert your tenant here].
The IT Center's specialist department will then contact you to take further steps for the migration.

last changed on 05/21/2025


Creative Commons license agreement
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License.