What carve-out Microsoft 365 migration is
A carve-out Microsoft 365 tenant migration is a divestiture from a parent tenant into a new standalone destination tenant. It is fundamentally different from a consolidation migration. In consolidation, the buyer's tenant already exists and the source tenant is migrated into it. In a carve-out, the destination tenant does not exist on Day 1 of the engagement — it has to be built from scratch while the source tenant remains operational under TSA.
The carve-out scenario applies when a business unit is spun off, sold to a third party, taken private from a public parent, or separated as part of an antitrust remedy. The divested entity needs its own complete Microsoft 365 environment — its own Entra ID tenant, its own Exchange Online organization, its own SharePoint sites, its own Microsoft Teams structure, its own Microsoft Purview governance posture, its own Microsoft Defender configuration. Building all of that in 60-120 days is the engagement.
TSA expiration drivers
Transition Services Agreements typically grant the divested entity 60-180 days of continued access to the parent tenant after deal close. TSA expiration is a contractual deadline negotiated in the purchase agreement. There is no automatic extension. When the standalone tenant is not ready on TSA exit day, the divested entity loses access to its own users, email, files, and collaboration tools.
The TSA Exit Plan is one of the three named artifacts produced in Phase 1 (Separate). It documents the exit date, the workload-by-workload exit milestones, the contingency plan if any workload slips, and the legal hold considerations for content that must remain accessible post-exit. The Plan is signed by the buyer's legal team and the parent's IT leadership.
The 4-phase carve-out playbook
Phase 1: Separate (Weeks 1-2). Source-tenant inventory of carve-out scope. Identity isolation plan. Content extraction plan. TSA scope and exit milestones documented.
Phase 2: Isolate (Weeks 3-6). New destination tenant standup. Identity de-provisioning from parent. Content extraction. Regulatory baseline re-established. Microsoft Purview labels, Conditional Access, and DLP policies rebuilt.
Phase 3: Cutover (5-day average execution window). Identity transition. Email and collaboration cutover. SharePoint, OneDrive, and Microsoft Teams content live. End-user enablement. Hypercare begins.
Phase 4: Stabilize (Weeks 7-12). Hypercare with daily reporting for 14 days. TSA exit confirmation. Defect closure. Optional Managed Microsoft Cloud and Analytics retainer.
Identity de-provisioning approaches
Identity isolation runs across four layers. Active Directory accounts are exported and stood up in the new destination Entra ID tenant. Group memberships are scoped to carve-out users only — groups that span parent and carve-out are split or duplicated based on the Identity Isolation Plan. License SKUs are reclaimed from the parent tenant and assigned in the new tenant. Conditional Access policies are rebuilt with carve-out-specific named locations and device trust criteria.
Cross-tenant access during the TSA window is enabled via Microsoft Entra B2B and Cross-Tenant Access Settings. This permits carve-out users to access specific parent-tenant resources — typically legal hold content, HR records, and joint-venture data — during the transition. Final de-provisioning from the parent happens at TSA exit, validated by the TSA Exit Confirmation artifact.
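The group-scoping step described above can be checked offline against an export of parent-tenant group memberships. The following is an added example, not EPC Group's tooling: the function names, group names, and user principal names are constructed for illustration, and it assumes memberships have already been exported as a mapping of group name to member UPNs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupFinding:
    group: str
    category: str             # carve-out-only | parent-only | spanning | empty
    carve_out_members: tuple  # members who leave with the divested entity
    parent_members: tuple     # members who stay in the parent tenant

def classify_groups(memberships, carve_out_users):
    """Classify each exported group against the carve-out user scope."""
    scope = {u.strip().lower() for u in carve_out_users}
    findings = []
    for group in sorted(memberships):
        members = {m.strip().lower() for m in memberships[group]}
        moving = tuple(sorted(members & scope))
        staying = tuple(sorted(members - scope))
        if not members:
            category = "empty"
        elif moving and staying:
            category = "spanning"        # needs a split-or-duplicate decision
        elif moving:
            category = "carve-out-only"  # can be recreated as-is in the new tenant
        else:
            category = "parent-only"     # out of carve-out scope
        findings.append(GroupFinding(group, category, moving, staying))
    return findings

def unassigned_users(memberships, carve_out_users):
    """Carve-out users found in no exported group: a likely inventory gap."""
    seen = {m.strip().lower() for ms in memberships.values() for m in ms}
    return sorted({u.strip().lower() for u in carve_out_users} - seen)

# Constructed sample export (hypothetical groups and UPNs).
SAMPLE_MEMBERSHIPS = {
    "Finance-All": ["alice@parent.example", "bob@parent.example", "Carol@parent.example"],
    "BU-West-Sales": ["alice@parent.example", "dave@parent.example"],
    "Corp-Legal": ["bob@parent.example"],
    "Legacy-DL": [],
}
SAMPLE_SCOPE = ["alice@parent.example", "dave@parent.example", "erin@parent.example"]

if __name__ == "__main__":
    for f in classify_groups(SAMPLE_MEMBERSHIPS, SAMPLE_SCOPE):
        print(f"{f.group:15} {f.category:15} moving={f.carve_out_members}")
    print("not in any group:", unassigned_users(SAMPLE_MEMBERSHIPS, SAMPLE_SCOPE))
```

Every group reported as spanning needs an explicit split-or-duplicate entry in the Identity Isolation Plan; running the same check again at TSA exit shows whether any carve-out member still sits in a parent group.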
Content separation methodology
Content is categorized in Phase 1 into three buckets: content that moves with the carve-out, content that stays with the parent, and dual-residency content. The categorization is documented in the Content Extraction Report and signed by both parties.
The Tooling Decision Record names the extraction engine. AvePoint Fly leads for regulated content where sensitivity labels must transfer intact. ShareGate leads when content cleanup and governance reset are part of scope. Quest leads when identity-heavy content scenarios dominate. The choice is scenario-driven, not vendor-driven.
Compliance posture in the destination tenant
The Diligence phase establishes the regulatory baseline appropriate to the divested entity. If the divested entity inherits HIPAA, FedRAMP, SOC 2, FINRA, CMMC, or GxP obligations, the baseline transfers to the destination tenant. Microsoft Purview sensitivity labels, retention policies, eDiscovery configuration, and Microsoft Defender alerting are rebuilt in the destination tenant before content lands.
Compliance is re-validated at cutover. The Compliance Baseline artifact documents the configuration applied. Named artifacts produced during the migration form the audit trail used by the divested entity's compliance team post-carve-out.
End-user enablement during carve-out
End users on the divested side often have no operational context for the new tenant. The end-user enablement workstream covers welcome communications, support escalation paths, training resources, and help desk briefing on common Day-1 issues. The workstream is owned by a named change-management lead who attends every steering committee meeting alongside the senior architect.
Common carve-out failure modes
The four most common failure modes are: (1) TSA Exit Plan signed late, leaving insufficient runway for Build phase execution; (2) identity isolation under-scoped, leading to group memberships that don't separate cleanly; (3) compliance baseline not re-established before content migration, creating audit gaps; (4) end-user enablement skipped, leading to hypercare ticket storms on Day-1 +1.
The 4-phase carve-out playbook prevents all four through staged Phase 1 and Phase 2 deliverables that are gated before the cutover window starts. The Go-Live Readiness Assessment, produced 5 business days before cutover, is the final gate.
Pricing for carve-out engagements
Carve-out engagements are priced as fixed-fee Statements of Work scoped during the Diligence phase. Mid-market carve-outs (1,000-5,000 users) typically range from $50,000 to $250,000. Enterprise carve-outs (5,000-25,000+ users) typically range from $250,000 to $1,500,000+. Post-carve-out Managed Microsoft Cloud and Analytics retainers range from $6,500 to $35,000 per month for the new standalone entity.
How to engage EPC Group on a carve-out
Schedule a discovery call at epcgroup.net/schedule, email contact@epcgroup.net, or call (888) 381-9725. Pre-close engagements are supported — EPC Group can be brought in during diligence to support the deal team. After the discovery call, a scoped Statement of Work is delivered naming the senior architect, the playbook phases, the tooling decision, and the fixed-fee anchor.