Menu

Quest ODM

Create Quest on Demand Migration Lab – Part1

Create Quest on Demand Migration Lab – Part1

,,,

Create Quest on Demand Migration Lab – Part1 Build a Zero-Trust, Two-Tenant Playground

Time to build: ~ 8 Hours
Prerequisites: 

  • Hyper-V host
    64 – 128 GB RAM
    ~ 1 TB SSD
  • ISO’s
    Windows Server 2022 or later
    Windows 11
  • Two Microsoft 365 tenants

If you’ve ever stared at a blank lab and thought, “where do I even start for a real tenant-to-tenant migration?”, this series is for you. I’m building a lab that behaves like the messy, high-stakes world we actually work in, two tenants, hybrid identity, strict security, and the freedom to break things safely. Then we’ll stand up Quest On Demand Migration (ODM), design jobs, and rehearse the move like pros.

The busines story (why this lab exists)

ContosoLab sells a business unit to an investment firm. The unit becomes FabrikamLab, an independent company on a fresh tenant. We need to move identities, mail, OneDrive, SharePoint, Teams, and all the little gremlins in between, while keeping coexistence (chat, meetings, mail flow, calendars) until cutover. And because the world is what it is, we’ll do it on a zero-trust foundation

What you’ll have by the end of Part 1

  • A Hyper-V host with three virtual switches feeding a firewall hub (pfSense) (WAN + two isolated LAN’s)
  • Two miniature Enterprises: ContosoLab and FabrikamLAb
  • Two Microsoft 365 tenant, each wired to its domain via Entra Connect, ready for Quest ODM
Quest on Demand Lab

Quest on Demand Lab

Prerequisites (host, ISO’s, tenants)

  • Hardware:
    CPUs with at least 4 cores (8 threads) are recommended.
    RAM : 64 – 128 GB
    DISKS: 1 TB SSD recommended (more is nicer)
  • Host OS:
    Windows 11 pro/Enterprise or Windows Server with the Hyper-V Role. 
    These can be downloaded from the Microsoft Evaluation Center or if you have a Partner agreement with Microsoft with one of the Partner Core benefits, or a Visual Studio license.
  • Firewall: pfSense community edition is a instance ISO that can be downloaded from here
  • Tenant: as two tenants are requires, create these for the Microsoft demo – and developer portal

Why two isolated tenants?

Because Quest ODM scenarios live or die on identity, permisions and throthling that single-tenant demos never surface

Step 1 – Create the network Spine (Hyper-V + pfSense)

We’ll use three switches: one External (bound to the host NIC), and two Internal Networks, one per lab domain. pfSense sits in the middle as a routed hub.

Create the vSwitches

The switch can be create from the GUI or with PowerShell as shown here

    # External WAN (NAT via your physical network)
New-VMSwitch -Name "vWAN-External" -NetAdapterName "Ethernet" -AllowManagementOS $true

# Internal LANs (isolated)
New-VMSwitch -Name "vLAN-ContosoLab"  -SwitchType Internal
New-VMSwitch -Name "vLAN-FabrikamLab" -SwitchType Internal

pfSense VM (Small but mighty)

Settings:

  • vCPU: 1
  • RAM: 1-2 GB
  • Disk: 20 GB
  • NICs: 3 (WAN = vWAN-External, LAN1 = vLAN-ContosoLab, LAN2 = vLAN-FabrikamLab)
After install:
  • Set LAN1 to 192.168.10.1/24 and LAN2 to 192.168.20.1/24
  • Enable NAT outbound so both LANs reach the internet
  • Create Aliasses for common host/ports; write explicit permit rules (keep defaults deny).
  • Add a one-liner NAT to reach lab PCs from your laptop if your managing remotely.

The table shows the NAT configuration and Firewall rules applied.

Firewall Rules

Source IP Port Destination IP Port Traffic type Allow/Block Traffic type
ContosoLab
192.168.10.0/24 any any 3478:3481
50000:50059		 UDP Allow Teams
any any any 80
443		 TCP Allow HTTP/HTTPS
192.168.10.0/24 any any 123 UDP Allow NTP
192.168.10.0/24 any 192.168.10.1 53 UDP Allow DNS
192.168.10.0/24 any 10.0.0.0/8
172.16.0.0/12
192.168.0.0/16		 any Block RFC1918
192.168.10.0/24 any any any any Block Block all
FabrikamLab
192.168.20.0/24 any any 3478:3481
50000:50059		 UDP Allow Teams
any any any 80
443		 TCP Allow HTTP/HTTPS
192.168.20.0/24 any any 123 UDP Allow NTP
192.168.20.0/24 any 192.168.20.1 53 UDP Allow DNS
192.168.20.0/24 any 10.0.0.0/8
172.16.0.0/12
192.168.0.0/16		 any Block RFC1918
192.168.20.0/24 any any any any Block Block all

Zero-Trust tip:

Start opinionated: deny by defaults. Then open only what your build needs.
(AD, DNS, NTP, HTTP/HTTPS, RDP/WINRM for admin).

Step 2 – Built the domains

Stand up each environment in this order: DC → App Server → Workstations. Keep specs lean, so your optimized for repeatable tests, not benchmark, unless it’s your requirement.

VM Name vCPU RAM (GB) Disk (GB) Secure Boot TPM vSwitch IP
CONTOSO-DC01 1 2 60 On No vLAN-Contoso 192.168.10.100
CONTOSO-APP01 1 2 60 On No vLAN-Contoso 192.168.10.110
CONTOSO-PC01 2 4 60 On Yes vLAN-Contoso 192.168.10.123
CONTOSO-PC02 2 4 60 On Yes vLAN-Contoso 192.168.10.124
FABRIKAM-DC01 1 2 60 On No vLAN-Fabrikam 192.168.20.100
FABRIKAM-APP01 1 2 60 On No vLAN-Fabrikam 192.168.20.110
FABRIKAM-PC01 2 4 60 On Yes vLAN-Fabrikam 192.168.20.123


These VMs can be created via the GUI or the following PowerShell Script

    function New-LabVM {
    <#
    .SYNOPSIS
      Creates a Generation 2 Hyper-V VM with sane defaults (VHDX, memory, CPU, firmware, ISO, TPM).
    .EXAMPLE
      New-LabVM -Name CONTOSO-DC01 -SwitchName vLAN-Contoso -ISOPath D:\ISOs\WS2022.iso -MemoryStartupGB 2 -VHDSizeGB 60 -VCPU 1
    #>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SwitchName,

        [string]$VMRoot = "C:\Hyper-V\VMs",
        [string]$VHDRoot = "C:\Hyper-V\VHDs",

        [int]$Generation = 2,
        [int]$VCPU = 2,

        [int]$MemoryStartupGB = 2,
        [switch]$UseDynamicMemory,
        [int]$MemoryMinGB = 2,
        [int]$MemoryMaxGB = 8,

        [int]$VHDSizeGB = 60,

        [string]$ISOPath,                               # optional
        [ValidateSet("MicrosoftWindows","MicrosoftUEFICertificateAuthority")]
        [string]$SecureBootTemplate = "MicrosoftWindows",
        [switch]$DisableSecureBoot,

        [switch]$EnableTPM,
        [switch]$StartVM
    )

    # --- Pre-flight ---
    if (-not (Get-Module -ListAvailable -Name Hyper-V)) {
        throw "Hyper-V module not found. Install the Hyper-V role & tools."
    }
    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        throw "VMSwitch '$SwitchName' not found."
    }
    if ($ISOPath -and -not (Test-Path $ISOPath)) {
        throw "ISO not found at $ISOPath"
    }

    $vmPath  = Join-Path $VMRoot $Name
    $vhdPath = Join-Path $VHDRoot "$Name.vhdx"

    New-Item -ItemType Directory -Path $vmPath  -Force | Out-Null
    New-Item -ItemType Directory -Path $VHDRoot -Force | Out-Null

    # --- Create VM + VHDX ---
    $vm = New-VM -Name $Name -Generation $Generation `
                 -MemoryStartupBytes ($MemoryStartupGB * 1GB) `
                 -SwitchName $SwitchName `
                 -Path $vmPath `
                 -NewVHDPath $vhdPath -NewVHDSizeBytes ($VHDSizeGB * 1GB)

    # CPU
    Set-VM -Name $Name -ProcessorCount $VCPU

    # Memory
    if ($UseDynamicMemory) {
        Set-VMMemory -VMName $Name -DynamicMemoryEnabled $true `
                     -MinimumBytes ($MemoryMinGB * 1GB) `
                     -StartupBytes ($MemoryStartupGB * 1GB) `
                     -MaximumBytes ($MemoryMaxGB * 1GB)
    }

    # Firmware / Secure Boot
    if ($DisableSecureBoot) {
        Set-VMFirmware -VMName $Name -EnableSecureBoot Off
    } else {
        Set-VMFirmware -VMName $Name -EnableSecureBoot On -SecureBootTemplate $SecureBootTemplate
    }

    # Optional TPM (for Win11 etc.)
    if ($EnableTPM) {
        Set-VMKeyProtector -VMName $Name -NewLocalKeyProtector
        Enable-VMTPM -VMName $Name
    }

    # Optional ISO + boot order (DVD first)
    if ($ISOPath) {
        $dvd = Get-VMDvdDrive -VMName $Name -ErrorAction SilentlyContinue
        if (-not $dvd) { $dvd = Add-VMDvdDrive -VMName $Name -Path $ISOPath }
        else           { Set-VMDvdDrive -VMName $Name -Path $ISOPath | Out-Null }
        $hdd = Get-VMHardDiskDrive -VMName $Name | Where-Object { $_.Path -like "*.vhd*" }
        Set-VMFirmware -VMName $Name -BootOrder $dvd,$hdd
    }

    if ($StartVM) { Start-VM -Name $Name }

    # Return a quick summary
    [PSCustomObject]@{
        Name   = $Name
        Switch = $SwitchName
        VCPU   = $VCPU
        Memory = "{0} GB{1}" -f $MemoryStartupGB, ($(if($UseDynamicMemory){" (dyn ${MemoryMinGB}-${MemoryMaxGB} GB)"}))
        VHD    = $vhdPath
        ISO    = $ISOPath
        TPM    = [bool]$EnableTPM
        SecureBoot = $(if($DisableSecureBoot){"Off"} else {$SecureBootTemplate})
    }
}

Heads-up
Windows 11: Enable Secure boot and vTPM, or setup will fail. For servers TPM isn’t required here, but is no issue when enabling 

Keep your tiering model in mind as you build OU’s and admin accounts, even in a lab, muscle memory matters. Apply Windows Security Baseline or even the CIS aligned benchmark or your environments security requirements, so you catch migration snags that only appear under tightened policies. 

Step 3 – Tenants that resemble reality

For the source tenant I have used the demo version provided by Microsoft, as it has user, groups, SharePoint and Teams already provisioned.
Also here depending on your requirements additional setting like security labels or PowerBi dashboard can be created, which I will elaborate more in Part 2 – Setting up your Source Tenant.

As of the business case the target has been created from Microsofts Developer site, with no users and data, but also a trail tenant will suffice.
For each tenant I registers the DNS domain (purchased) and confirmed these can be used later for the routing and coexistence.

These tenants will be available for 90 days be aware to remove the domains from the tenants, beforehand. 

 

Step 4 – Wire identity with Entra Connect

Install Entra Connect on the CONTOSO-APP01 and the FABRIKAM-APP01. Configure the OU’s that you want to have synced.
Also here opening up ports was required for the sync to work accordingly.

After the source domain was created I created some user and groups in AD as these would be synced onto the tenant. As some user also exist on the source tenant you can do some matching, or you can make change regarding the licenses for the synced users.
with this action I also confirmed :

  • UPN suffix matches the tenant’s primary or verified domain.
  • Password hash sync (or pass-through) enabled.

This is the moment the lab starts feeling like the real world: two directories, two tenants, controlled network path, and identities flowing on your terms.

Step 5 – Workstation logon

As a last step I finished setting up one of the workstations by logging on as an user and adding the work and school account and installing the Microsoft 365 apps. With the last check on checking if Outlook is opening and mail can be send and received, as this workstation will be part of the migration process at the end.

What’s next (Part2)

We’ll seed realistic data (mail, OneDrive, SharePoint, Teams, even a bit of PowerBi and some security labels) so Quest ODM has something meaningful to chew on. Then we’ll light up Quest On Demand, grant consent and start designing migration jobs.

Protecting Active Directory: The Crown Jewel You Can’t Afford to Lose

Protecting Active Directory: The Crown Jewel You Can’t Afford to Lose

,,

Protecting Active Directory is the urgent priority in 2025. Another week, another alarming headline about stolen data. Citizens are shaken, regulators are watching, boards are demanding answers. In 2025, one brutal truth keeps surfacing, identity is your perimeter, and Active Directory (AD) is still the crown jewel. If Attackers can turn AD into their control plane. They own your blast radius.

This isn’t fear-mongering, It’s a sober, no-nonsense assessment. We’ve modernized stacks, added shiny tools, and embraced the cloud, yet attackers keep winning with boring, battle-tested moves: phising a helper account, abusing a service identity, riding legacy protocols, and quietly moving laterally until they hold the keys to your kingdom.

Table of Content

The Brutal Truth: Identity is Your Perimeter

Firewalls don’t block stolen admin tokens. EDR struggles on unmanaged edges. Once a foothold is established, lateral movement, not the initial phish, turns a nuisance into a nightmare. Attackers don’t “hack everything” They borrow your trust:

  • Trust that NTML/SMB/unsigned LDAP will “just work.”
  • Trust the helpdesks must move fast, even for privileged accounts.
  • Trust that old service accounts are still needed
  • Trust that backups will save the day, despite never rehearsing a full restore.

Supply-chain stories make this starker: third-party access, labs, agencies, or vendors, each a potential bridge into your identity backbone if governance is weak.

Why AD Still Magnifies Damage (The Hidden Multiplier)

Even in hybrid estates, AD and cloud directories remain intertwined. Directory tiers decide who can administer endpoints, push software, manage servers, and influence authentication paths.
Compromise AD once, and an attacker can orchestrate your environment inside.

Boards should view AD Weaknesses as blast-radius multipliers. They don’t just increase the chance of a breach; they make the breach worse. Add regulatory pressure, GDPR and NIS2, and neglect turns into a costly compounding risk.

The Boring Attack That Breaks You

  1. Initial foothold via phishing, vulnerable edge device, exposed admin interface, or a compromised partner.
  2. Priviledge evaluation by abusing misconfigurations and overly broad groups.
  3. Lateral movement across legacy protocols to reach DCs or identity infrastructure.
  4. Business impact, data exfiltration, extortion, and outages, magnified by weak back/restore discipline

Familiar? Good. Familiar is fixable.

A Bulletproof, No-Nonsense Blueprint

This is a sharp, minimal blueprint that turns AD from “single point of catastrophic failure” into a well-governed, hard target. Opinionated by design, ready for board scrutiny.

  1. Tiered Admin Model, with Real PAWs (Non-Negotiable)
    • Adopt three-tier admin separation (workstations, servers, DCs) and enforce logon restrictions so admins don’t cross tiers casually
    • Provision Privileged Access Workstations (PAW’s). Internet browsing laptops are not admin consoles.
    • Audit privileged groups monthly; tie every role to a named owner and a business justification.
    • Board ask: Show the tier chart, user per tier, and every exception, witn an expiry date.
  2. Just-In-Time Privilege, Kill “Forever-Admins
    • Eliminate standing membership in Domain/Enterprise/Schema Admins and powerful server groups.
    • Use JIT/PIM for time-bound elevation with approval, MFA, and recorded purpose.
    • Board ask: What % of privileged actions were time-bound last quarter.
    • Ops move: Start with the top 50 accounts that can touch DCs or push GPOs.
  3. Kill legacy Protocols and Weak Auth Paths
    • Disable NTLM where feasible; ban NTLMv1 outright.
    • Require SMB signing and LDAP signing; Block unsigned/Unencrypted binds.
    • Inventory service accounts; move to gMSA or equivalent and rotate secrets you can prove.
    • Board ask: Which legacy protocols remain and why? What’s the retirement date?
  4. Backups That Actually Save you
    • Treat DC backups like crown jewels. Keep offline/immutable copies and document authoritive restore.
    • Rehearse full-fidelity restores at least twice a year with stopwatches and observers. Measure time-to-restore business services.
    • Board ask: When did we last fail a restore rehearsel, and what changed?
  5. Continuous Identity Threat Monitoring (High-Signal, Actionable)
    • Instrument AD for abuse patterns: suspicious DC replication, mass groups changes, token forging, odd LDAP enumeration bursts.
    • Integrate identity detections into SOC runbooks so analyst can block, isolate, or rotate quickly, especially service accounts.
    • Board ask: What’s our mean-time-to detect and mean-time-to-respond for identity abuse?
  6. Supply-Chain Identity Governance, Stict and Auditable
    • No generic vendor admin accounts. Every external identity maps to a real person with JIT elevation and MFA
    • Use jump host + session recording for third-party admin work: no direct DC access from partner networks.
    • Bake identity controls into contracts: log retention, identity proofs, and incident reporting timelines.
    • Board ask: Which vendors can touch our identity systems today, and on what terms?
What the Board Must Demand Now
  1. One-page AD risk brief: top five identity failure modes, top five mitigations, named owners with dates.
  2. Proof of privilege reduction: before/after graph for standing admins; JIT adoption numbers.
  3. Restore rehearsal report: time-to-restore DCs and Critical apps from offline/immutable backups; gaps closed.
  4. Vendor access registry: who/where/why/when/controls (MFA, JIT, logging, termination)
  5. Metrics that matter: % time-bound admin actions, identity MTTR, count of legacy protocol exceptions, days since last restore test.
What IT Leaders Can ship in 60 Days
  • Identity blast-radius workshop: if admin gets phished, what can they touch in 60 minutes? Close the biggest gaps first.
  • Turn off one loud legacy path: pick NTLMv1, unsigned LDAP, or SMB signing, ship one decisive hardening win now.
  • Cut Standing Domain Admins by 50% via JIT. Painful once; normal forever.
  • Run a DC restore drill with observers, publish the metric; fix gaps; repeat.
  • Pilot PAWs for the top five admins; measure incident reduction and change-success rate.
The Boardroom Cyber Reality Check

Across sectors worldwide, breach frequency and impact are accelerating while regulatory regimes tighten (GDPR, NIS2, HIPAA, PCI DSS). Pushing identity fixes to “next quarter” is a compounding risk. Elevate AD hardening to a board-level KPI and require quarterly proof:

  • % of privileged actions that are time-bound (JIT adoption)
  • Count of legacy-protocol exceptions with retirement dates
  • Reduction in standing Domain Admins
  • Time-to-Restore from offline/immutable backups; days since last successful DC restore
  • Vendor access registry with MFA/JIT/session-recording attestation

Final Word: Make Your Defenses Boring

The attacker playbook is predictable; your defenses should be too. Tiering with teeth, JIT everywhere, legacy shutdowns, immutable backups, and relentless identity monitoring. Do this, and the next damaging headline is someone else’s problem.
If you want a pragmatic, no-jargon walkthrough of what this looks like in your environment, get in touch.

FAQ

Powerful Lessons in IT Ringfencing

Powerful Lessons in IT Ringfencing

,

If you’d told me 25 years ago, when I was on the helpdesk resetting passwords, that I’d one day be responsible for protecting a financial company’s most sensitive data from a direct competitor, I might have laughed. Back then, security was antivirus, a firewall, and some polite reminders about not sharing passwords. Today? It’s a chess game, and ringfencing is one of the powerful moves in the real-world landscape of data protection. In this ever-evolving landscape, understanding the powerful implications of data security is crucial

In one of my last projects, we were faced with a sale of a division in another country. On paper, it sounded straightforward, the division was moving to a competitor. In reality, it was a data security nightmare waiting to happen.

Setting the Scene

The source infrastructure was an Active Directory Forest with three subdomains, and a hybrid Microsoft 365 environment. This meant the scope went far beyond just on-premises servers, we also had to consider SaaS applications, cloud resources, and a mix of on-prem line-of-business systems. Each of these had its own access model, its own quirks, and in some cases, its own integration points into AD.
 
We not only had to remove permissions from resources the sold division shouldn’t access, but also ringfence network access that the business-critical services were still reachable. VPN access was a particular challenge, remote users needed to connect without tripping over new restrictions, and we had to make sure those connections requested the updated security boundaries.
 
Our mandate was clear:
  1.  Remove all permissions to resources they shouldn’t see
  2. Keep access to what they needed, whether in M365, SaaS, or on-premises systems
  3. Maintain network connectivity only where appropriate
  4. Make sure the business didn’t grind to a halt while we did it
Oh, and do all that knowing the people on the other side now technically work for the competitor.
 

Ringfencing in Action

Create a security boundary around the crown jewels, Ringfencing as it’s called. Keep the right people inside, keep everyone else out, and make sure legitimate workflows still functioned.

Now you’ll find a lot of theoretical advice online about how to handle this. Some will point to frameworks, others to features like Microsoft Information Barriers. And yes, Information Barriers are powerful. But in this case, they weren’t an option. The company hadn’t implemented them and rolling them out in the middle of high stakes divesture would have been likely rebuilding a bridge while the traffic was still driving over it.
So, we went with what I like to call the “Current State Reality Check” method:

  •  First, map out exactly what the environment looked like, accounts, groups, permissions, VPN access rules, M365 share settings, SaaS integrations, and on-premises resources
  • Next, sit down with all parties concerned to agree who needs what, where and why
  • Finally, enforce those decisions, using in this case PowerShell and a healthy dose of common sense

Balancing security & Business Needs

One thing I’ve learned is that you can’t treat security in isolation, especially in hybrid environments where Microsoft 365, SaaS, and on-prem resources are all tightly interwoven. on this project, the mandate from the board was clear, security was critical, but disruption to the business had to be minimal.

That’s easier said than done, in a divestiture, timelines are short, and the stakes are high. Lock things down to aggressively, and you risk breaking workflows, blocking VPN access, or preventing employees from using the tools they need to serve customers. Move to slowly or loosely, and sensitive data could leak to a competitor. Ringfencing had to walk that fine line between speed and permission.

We approached it in phases. Instead of pulling the plug or entire sections of access all at once, we tested changes in smaller, controlled steps. VPN rules, SaaS integrations, and Microsoft 365 sharing settings were validated before rolling them out broadly. Each phase came with fallback options so if something went wrong, we could quickly restore service.

Just as important was communication. Users needed to understand why access was changing, and leadership needed confidence that the project wouldn’t derail operations. We avoided drowning executives in technical detail and instead used simple analogies, every restriction was explained as “closing a door in the office building, only the right people keep their keys.” That language helped stakeholders understand why controls were necessary without feeling like IT was putting up walls just for the sake of it.

In the end, this balance came down to collaboration. Security, operations, business owners, and even representatives from the divested division had to be aligned. Each group had different priorities, but the shared goal was clear, protect the business, keep it running, and hand over a cleanly separate environment. 

Lessons Learned

If you search for IT infrastructure Ringfencing, you’ll mostly find broad zero-trust articles or generic policy write-ups. The reality is that every environment is unique, every business situation has its quirks, and no amount of textbook theory replaces knowing your infrastructure inside out.

In our case it wasn’t about picking the perfect tool or following textbook framework step by step. It was about clarity, clarity on what we were protecting, clarity on who needed access, and clarity on how each change would ripple across the business.

What stood out the most was the balancing act. if you lock things down to tightly, you risk disrupting operations. If you leave things to open, you risk data leakage. The sweet spot lies in precision, making targeted, well-tested changes that protect critical assets while allowing the business to keep moving forward.

For  me, that’s the real lesson of ringfencing, it’s not compromise, it’s control with intent. Every control has to be sharp enough to protect, but flexible enough to let the business breathe. Get that balance right, and you’ve not only secured the environment, you’ve also build trust with the people who rely on it.

Looking Ahead

I think ringfencing will only become more critical in the near future, especially with hybrid and AI-driven infrastructures. But the core principle will remain the same, secure what matters, allow what’s needed, and don’t let complexity become the enemy of security.

The future of ringfencing isn’t about adding more barriers for the sake of it, it’s about applying controls with precision. The environments we protect are only getting more complex, but the lesson holds true, the sharpest security isn’t the one that blocks the most, it’s the one that protects exactly what’s at risk while keeping the business running smoothly.

After all the simplest lock can be the hardest to pick, if it’s on the right door.

Looking for practical ways to balance security and business continuity? Contact us today

Best Microsoft 365 Migration Tools for Enterprise Divestitures.

Best Microsoft 365 Migration Tools for Enterprise Divestitures.

,,

There is a moment in life for almost every enterprise when the conversation shifts. Not to cloud adoption, not to cost saving, but to separation.
A business unit, a division, sometimes an entire region, breaking away to stand on its own. It could be driven by a strategic sale, a merger, a realignment. Or simply a board deciding it’s time for a part of the business to operate independently.
In those moments, technology leaders face a reality that is both deeply strategic and brutally practical: you’re not just moving workloads, your untangling lives, digital lives, at enterprise scale.

Today we’re talking about that.
And not in the abstract, we’re focusing on the complex, high stakes case of separating a division from a hybrid Microsoft 365 tenant.

We’ll explore what makes it hard, what the market offers, and how the right choice in migration tooling can mean the difference between a controlled handover and a six-month nightmare. 

Picture this:

you’ve got one active directory forest, synced into a single Microsoft 365 tenant. That tenant runs your Exchange Online, your SharePoint, your Teams. You’ve also got Power Platform apps, integrated SaaS tool, and a very healthy list of security and compliance controls that can’t just be dropped mid-migration.

Now the spin-off company wants, no, needs, three things:

  1. All their users, data, and applications moved
  2. A clean coexistence period where calendars, Teams chats, even shared files keep working between the two organizations.
  3. A new identity, a new domain, visible to customers and partners before the migration is even finished

If you’re an IT leader, you know what that means:
This isn’t a long weekend job, this is a multi-phased, multi-tool, multi-team orchestration with every hour of downtime costing goodwill, money or both.

When you start evaluating how to do it, you quickly find there are plenty of migration tools on the market, but most of them were designed for something much simpler, clean cloud-to-cloud moves, or small-scale tenant consolidations.

That’s why the names that keep coming up for enterprise-scale divestitures are different. Today we’ll talk about four: Quest on Demand Migration, BitTitan MigrationWiz, AvePoint Fly and ShareGate.

And before you ask, no, this is not a sponsored segment. These are simply the tools we see over and over in serious RFP’s, project decks. And successful case studies.

Let’s start with Quest On Demand Migration.

Quest has been in the migration business for decades, and it shows. Their platform doesn’t just copy mailboxes and files, it was built for hybrid environments, where you have to split on-premises AD-objects, sync them to a new Entra ID, and keep everything in sync during coexistence period.

And coexistence here isn’t just ‘we can still send emails’ It’s GAL sync, so the address book stays complete in both organizations. It’s free/busy visibility so executives can still schedule meetings across the separation line. It’s keeping Teams collaboration alive while parts of your workforce are officially moving to another company.

Add to that something Quest calls domain rewrite, powered by its Binary Tree technology. That’s the ability to change everyone’s email address and UPN mid-Flight, so the new company can launch under its new brand before all the data has been moved. If you’ve ever had marketing breathing down your neck about timelines, you know how valuable that is.

Quest wraps all of this in subscriptions tiers (T3, T5, and T7) so you’re not cobbling together licenses for each workload. One subscription, one per user cost and no data caps. Every workload, Exchange, SharePoint, OneDrive, PowerBi, Teams, even Teams private Chats, is included. And that matters when you realize just how much data a 3,000-person division can generate.

Now contrast that with BitTitan MigrationWiz

For Years MigrationWiz was the default answer for fast, Saas-based Microsoft 365 migrations. It’s still great at that, fast setup, cloud-hosted management, and straight forward pricing for per-user bundles.

What’s changed, and why it now deserves a closer look for divestiture, is that BitTitan now has Active Directory migration capabilities.
You can migrate users, groups, and OU’s into a new AD forest, sync changes with delta runs, and even rewrite UPN suffixes. That closes a big gap it used to have in hybrid scenarios.

But and this is a real consideration, MigrationWiz still has data size limits in its pricing. Large OneDrive accounts or big SharePoint libraries can hit tier thresholds, which means more licenses or higher costs. And while it can handle UPN rewrite, it doesn’t have a built-in, end-to-end domain branding solution. Full coexistence, GAL sync, free/busy, would still require pairing it with another product.

In other words, if you want quick familiar, cloud-first tooling, MigrationWiz is attractive, especially for the M365 workloads. But if your divestiture hinges on complex identity and coexistence, it’s probably part of a stack, not the whole stack.

Then there’s AvePoint Fly

AvePoint positions itself as a content migration and transformation powerhouse. And in SharePoint and Teams, that’s exactly what it is. Fly can pre-scan your content, identity permissions issues or unsupported customizations, and restructure things before you cut over. That alone can save days of troubleshooting after migration.

Pricing here is usually per-user subscription, also with no data caps. That means you can move massive document libraries without worrying about hitting a size ceiling. For divestitures where teams and SharePoint are the heaviest lifts. AvePoint can be a lifesaver.

Where it’s weaker is in the hybrid identity story. It doesn’t migrate AD, doesn’t handle coexistence, and doesn’t offer domain rewrite. So, in our scenario, AvePoint is best as a specialist tool alongside something else, you’d use it when the business says, “Our SharePoint and Teams have to be spotless on Day One.”

Finally, ShareGate

This one comes up all the time, usually in the same breath as SharePoint migrations. ShareGate’s strength is content governance and migration. It gives you deep reporting, cleanup tools, and an interface so straightforward you can hand it to a junior admin and they’ll be productive in a day.

Licensing is per machine, per year, with unlimited users and unlimited data. That’s attractive if you have a lot of content to move and multiple admins working in parallel.

But and this is why it’s not the first name in divestiture playbooks; it’s content-only. No AD-migration, no coexistence, no domain rewrite. It’s the scalpel in the migration surgeon’s toolkit, not the operating table.

Conclusion 

So what does all this mean when you’re standing up in front of your steering committee, trying to justify your tool of choice?
It means that Quest On Demand Migration is the only one of these four that can truly cover every aspect of our divestiture scenario in a single platform.
Hybrid AD separation, coexistence, domain rebranding, all major workloads, unlimited data and a subscription model that scales cleanly.

BitTitan MigrationWiz comes close if you combine it with other tools, especially now that it supports AD migration, but you’ll need to account for coexistence gaps and data-size-based cost.

AvePoint Fly and ShareGate remain extremely valuable, but in focused roles, AvePoint for transforming and cleaning Teams and SharePoint at scale, ShareGate for deep content cleanup and governance.

And here’s the thing most people don’t realize until they’re halfway into divestiture, sometimes you need more than one tool.

If you have Quest ODM handling the heavy lift of identity and coexistence, but your SharePoint environment is a tangle of broken permissions, you might still bring in AvePoint or ShareGate for a targeted cleanup phase

What matters is not brand loyalty, it’s fit for purpose, and in divestitures, the purpose is bigger than “get the data over here” It’s get the right data, to the right place, at the right time, without braking business continuity or delaying the new company’s market launch.

So, if you take nothing else from this, take this;
In a divestiture, your migration tool is not just a utility. It’s a strategic asset. Choose it, or them, with the same rigor you’d apply to any critical business system.
Map your identity, your coexistence, your workloads. Match them to what each tool actually does, not just what’s in the brochure. And make sure the licensing model aligns with the scale and shape of your data.

Because once you start that separation clock, the last thing you want is to realize your chosen tool can’t keep up.

That’s it, we covered the landscape, the strengths and weaknesses, and the reality of matching tools to the one of the migration scenarios out there.
Whether you go all-in on Quest, mix and match, or bring in specialist like AvePoint or ShareGate, remember, the right choice isn’t about today’s migration. It’s about letting companies continue to do business with minimal disruptions.