102,000-User Zero-Downtime Microsoft 365 Migration — EPC Group Flagship Case Study
This is the largest single-engagement Microsoft 365 migration EPC Group has executed. It is also the reference architecture that seeded the firm's downstream M&A migration practice — 216+ tenant migrations and 1.83 million users moved across 2023-2025 with a 5-day average cutover.
The problem
A 102,000-user enterprise on a legacy Microsoft 365 tenant needed to consolidate onto a new tenant with a new Active Directory forest, new domain namespace, new security posture, and a new set of regulatory controls — without a business-hour outage. Traditional "big-bang" cutovers were off the table (the business could not absorb a 3-day silent-collaboration window). Traditional "long-tail multi-year" migrations were also off the table (regulatory deadline pressure required completion inside 22 weeks).
The architecture — 3-tier parallel-tenant coexistence
Tier 1 — Identity: dual-tenant provisioning
Azure AD Connect running on both source and target tenants, sourced from a temporary read-only Active Directory bridge. Every user was provisioned in both tenants simultaneously with matching UserPrincipalName and proxyAddresses — the precondition for cross-tenant mail flow and free/busy federation.
Tier 2 — Collaboration: Exchange Online rich coexistence
GALSync populated the target tenant's Global Address List with source contacts (and vice-versa) so every user could find every other user regardless of which tenant they were currently in. Cross-tenant free/busy federation kept calendar visibility live. Mail routing via smart hosts ensured mail sent to a user's old address flowed to their current tenant automatically.
Tier 3 — Content: in-flight SharePoint + OneDrive migration
SharePoint site collections and OneDrive personal libraries migrated continuously in the background during coexistence, not as a big-bang cutover. The tenant currently holding a user's mailbox was the tenant serving their SharePoint. Users saw one consistent experience — Migration was invisible.
The cutover pattern — 22 weekend waves
Users were migrated in waves of approximately 5,000 per weekend over 22 weeks. Every wave ran Friday 10 PM to Sunday 6 AM, so business hours were never inside a cutover window.
Wave scoping rules
- Business unit integrity — users in the same team, department, or active project migrated in the same wave. Preserved collaboration during coexistence.
- Complexity floor — the first 3 waves were low-complexity (single-mailbox users, no shared calendars, no delegates) to prove the runbook. Complexity climbed wave-over-wave: shared mailboxes wave 8+, delegate-heavy admin/executive users wave 15+, resource mailboxes and room calendars wave 18+, service accounts wave 22 (last).
- VIP protection — the CEO, CFO, GC, and their delegates migrated in a dedicated white-glove wave with a 4-person EPC Group standby team on premises.
What went wrong (and how it was resolved)
Three notable incidents across 22 waves:
Wave 4 — Backup vendor Graph rate-limit
A downstream backup vendor's API rate-limited the target-tenant Graph endpoint during initial mail-migration, delaying the wave by 18 hours. Resolved by throttle-coordinating with the vendor and staggering their scan. Zero business-hour impact.
Wave 11 — 340 executive-assistant delegate configurations
A block of 340 executive assistants had delegate configurations the standard EWS migration tool didn't preserve. Resolved by hand-remediating each delegate configuration Sunday afternoon before Monday cutover. Zero business-hour impact.
Wave 17 — Litigation hold expiry
A litigation hold on the source tenant expired during coexistence and had to be re-applied cross-tenant. Resolved by opening a Purview eDiscovery Premium case on the target tenant same day. Zero business-hour impact and zero regulatory exposure.
What enterprises this size do differently from mid-market
- Dedicated network engineering — source and target tenants must be reachable simultaneously from every user location without saturating the WAN. Multiple 10 Gb ExpressRoute circuits and Front Door acceleration were required.
- Tenant-Migration Governance Board — weekly cross-functional (Legal, Security, HR, Finance, IT, business-unit sponsors) reviewing wave results, exception approvals, and remediation.
- Regulatory notification management — for the regulated business units (healthcare, financial services), the migration wave itself triggered notification obligations that had to be pre-drafted.
- Parallel training + change-management program — a migration this size is not solved by a 30-minute Teams video; it required 3 months of business-unit-specific onboarding rehearsals.
Frequently Asked Questions
What made the 102,000-user migration "zero downtime"?
Zero downtime here means zero business-hour service interruption for users. It does NOT mean no cutover windows — every migration has cutover windows, but on this engagement they were scheduled outside business hours (Fri 10 PM to Sun 6 AM per wave), users kept working from their previous mailbox during coexistence, and directory sync + mail flow + calendar free/busy stayed live across the source and target tenants the entire time. Users experienced 'my Outlook signed itself out at 8 PM Friday and I signed back in Monday morning to a new tenant' — no lost mail, no lost meetings, no lost delegates.
What was the architecture of the parallel-tenant coexistence?
Three-tier coexistence stack: (1) Azure AD Connect running on both source and target tenants sourced from a temporary read-only Active Directory bridge — every user was provisioned in both tenants simultaneously with matching UPN/proxyAddresses. (2) Cross-tenant Exchange Online rich coexistence — GALSync via targetAddress attributes, free/busy federation, mail routing via smart hosts. (3) SharePoint + OneDrive migration executed in-flight during coexistence, not as a big-bang cutover — the tenant with the user's current mailbox was the tenant serving their SharePoint. Users were migrated in waves of ~5,000 per weekend over 22 weeks.
How were the waves scoped?
Wave scoping followed three rules: (1) Business unit integrity — users in the same team, department, or project migrated in the same wave to preserve collaboration during coexistence. (2) Mailbox complexity floor — the first 3 waves were low-complexity (single-mailbox users, no shared calendars, no delegate access) to prove the runbook. Complexity increased wave-over-wave: shared mailboxes wave 8+, delegate-heavy admin/executive users wave 15+, resource mailboxes and room calendars wave 18+, service accounts wave 22 (last). (3) VIP protection — the CEO, CFO, GC, and their delegates were migrated in a dedicated white-glove wave with a 4-person EPC Group standby team.
What went wrong?
Three notable incidents: (1) Wave 4: A downstream backup vendor's API rate-limited the target-tenant Graph endpoint during initial mail-migration, delaying the wave by 18 hours. Resolved by throttle-coordinating with the vendor and staggering their scan. (2) Wave 11: A block of 340 executive assistants had delegate configurations that were not migrated by the standard EWS migration tool. Resolved by hand-remediating each delegate configuration Sunday afternoon before Monday cutover. (3) Wave 17: A litigation hold on the source tenant expired during coexistence and had to be re-applied cross-tenant. Resolved by opening a Purview eDiscovery Premium case on the target tenant same day. In all three cases, users experienced zero downtime — the incident was resolved before the business-hour window opened.
What does an enterprise this size need to do differently from a mid-market migration?
Four things enterprise migrations require that mid-market does not: (1) Dedicated network engineering — the source and target tenants must be reachable simultaneously from every user location without saturating the WAN; multiple 10Gb ExpressRoute circuits and Front Door acceleration were required for this engagement. (2) A dedicated tenant-migration Governance Board — weekly cross-functional (Legal, Security, HR, Finance, IT, Business Unit sponsors) reviewing wave results, exception approvals, and remediation. (3) Regulatory notification management — for the regulated business units (healthcare, financial services), the migration wave itself triggered notification obligations that had to be pre-drafted. (4) A parallel training + change-management program — a migration this size is not solved by a 30-minute Teams video; it required 3 months of business-unit-specific onboarding rehearsals.
Talk to the team that built this
If you are staring at a large-scale Microsoft 365 migration — divestiture spin-out, M&A tenant consolidation, holding-company break-up, or greenfield tenant re-platform — EPC Group has done this at the largest scales in North America.
Email contact@epcgroup.net or call 888-381-9725.
North America's oldest continuous Microsoft Gold Partner (2000 until Microsoft retired the program in 2022) — today holding all six Microsoft Solutions Partner Designations.
