In part one of the series we outlined the purpose of the SMTP address rewrite technique and some typical use cases for it. In this article we walk through a real project in which we helped one of our customers perform an M365 cross-tenant migration with zero downtime of the email service, in the most cost-effective way.
Objectives
The main business requirement was to migrate M365 workloads out to a new tenant following a split between two healthcare providers. Because of the nature of the business and its 24/7 operation, several vanity domains had to be moved across M365 tenants with zero downtime for the M365 email service.
Solution
After analysing the objectives and the existing environment we proposed several options, including well-known migration tools that provide email address rewrite capability. Unfortunately, migration tools cannot guarantee uninterrupted email traffic during the cutover of vanity domains, i.e. while a domain is being removed from the source tenant and registered in the target tenant. Because the tools give little control over each stage, the migration can turn into a lengthy process with unavoidable downtime. For example:
Cleanup activities in the source tenant for objects and applications associated with the vanity domains can take hours.
It can take an hour or more for the Microsoft cloud services to replicate and apply the configuration changes triggered by deregistering and registering vanity domains.
Updating objects in the target tenant after a successful vanity domain registration can take hours, because all properties must be restored, including stamping the legacy Exchange DN as an X500 address on every mail object so that cached Outlook addresses and replies to older messages still resolve.
All of the above lead directly to service downtime, which was unacceptable to our healthcare client. To avoid it we leveraged the address rewriting feature of Microsoft Exchange Edge Transport servers to provide continuous email address rewriting during the domain cutover. The solution operates in three distinct phases, as visualised below:
Some of the most important prerequisites when planning the implementation of Edge servers are:
If you decide to deploy Microsoft Edge servers in Azure, consider that outbound email messages sent directly to external domains on TCP port 25 from a virtual machine (VM) are allowed only from certain subscription types in Microsoft Azure. For VMs deployed in standard Enterprise Agreement or Microsoft Customer Agreement for enterprise (MCA-E) subscriptions, outbound SMTP connections on TCP port 25 are blocked by default, but the block can be lifted on request. In all other subscription types such traffic is blocked. More details about this restriction can be found here.
Always plan for resilience and configure at least two load balanced Exchange Edge servers.
Check whether any additional mail-related services sit in the mail path. For example, if antispam or email hygiene solutions are in use, their configuration must be changed to allow communication with the Edge servers.
Allocate public IP addresses and a TLS certificate (matching the public names of the Edge servers) for the Edge servers.
Update the SPF records of the domains involved to include the Edge servers' public IP addresses as permitted senders; otherwise rewritten outbound mail leaving the Edge servers will fail SPF at the recipient.
DKIM signing is not supported for outbound email messages with rewritten addresses: the rewrite changes the signed From header after the message was signed, so the signature no longer verifies. This feature must be turned off for the affected domains during the migration.
Double-check the user email address mappings, because address rewriting does not verify that a rewritten email address is unique. If you rewrite multiple source domains into one target domain, make sure the aliases are unique across all of them.
Depending on the scenario you should consider whether you want to implement address rewrite for outbound emails, inbound emails, or both.
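The uniqueness caveat above is easy to violate once two source domains are folded into one target domain. The following Exchange Management Shell script is an added example (it is not code from the original article) of how we would load a mapping list, reject any alias collision before touching the Edge server, and only then create the address rewrite entries. It assumes the standard Edge Transport cmdlets (Get-AddressRewriteEntry, New-AddressRewriteEntry); the domain and mailbox names are constructed placeholders.

```powershell
# Added example, not code from the original article: bulk-create Exchange Edge
# address rewrite entries from a mapping list and refuse the whole batch if two
# internal addresses would be rewritten to the same external address, because
# the Edge Transport server itself does not check uniqueness.
# Run in the Exchange Management Shell on EACH load-balanced Edge Transport
# server: rewrite entries are stored locally on the Edge server, not replicated.
# All domain and mailbox names below are constructed placeholders.

$DryRun = $true   # set to $false to actually create the entries

# Constructed mapping list. In a real project this comes from the migration
# workbook via Import-Csv. Two source domains are folded into one target
# domain, which is exactly where alias collisions creep in (row 2 collides).
$mappings = @'
Name,InternalAddress,ExternalAddress
clinic-a j.smith,j.smith@clinic-a.example,j.smith@healthgroup.example
clinic-b j.smith,j.smith@clinic-b.example,j.smith@healthgroup.example
clinic-b m.jones,m.jones@clinic-b.example,m.jones@healthgroup.example
'@ | ConvertFrom-Csv

function Get-DuplicateRewriteTargets {
    # Returns every external address that appears more than once, together
    # with the internal addresses competing for it. The comparison is
    # case-insensitive, as SMTP address matching on the Edge server is.
    param([Parameter(Mandatory)][object[]]$Mappings)

    $Mappings |
        Group-Object -Property { "$($_.ExternalAddress)".ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                ExternalAddress   = $_.Name
                InternalAddresses = @($_.Group.InternalAddress)
            }
        }
}

$collisions = @(Get-DuplicateRewriteTargets -Mappings $mappings)
if ($collisions.Count -gt 0) {
    foreach ($c in $collisions) {
        Write-Warning ("{0} would be produced by: {1}" -f `
            $c.ExternalAddress, ($c.InternalAddresses -join ', '))
    }
    throw "Mapping list is not unique; fix the workbook before creating rewrite entries."
}

# Also refuse an external address that an entry already present on this
# server uses, so re-running a corrected batch cannot create a second mapping.
$inUse = @(Get-AddressRewriteEntry | ForEach-Object { "$($_.ExternalAddress)".ToLowerInvariant() })
foreach ($m in $mappings) {
    if ($inUse -contains "$($m.ExternalAddress)".ToLowerInvariant()) {
        throw "Rewrite target $($m.ExternalAddress) already exists in an address rewrite entry."
    }
}

# Create the entries. -OutboundOnly $false rewrites in both directions, which
# is what a coexistence cutover needs: outbound From/Sender/Reply-To become
# the target domain, and inbound mail addressed to the target address is
# mapped back to the internal address. Use -OutboundOnly $true if the
# inbound side is handled elsewhere.
foreach ($m in $mappings) {
    New-AddressRewriteEntry -Name $m.Name `
        -InternalAddress $m.InternalAddress `
        -ExternalAddress $m.ExternalAddress `
        -OutboundOnly $false `
        -WhatIf:$DryRun
}
```

With the constructed list as written, the script stops at the j.smith collision and creates nothing; remove or rename the colliding row and run it again. Leave $DryRun set to $true for the first pass so that New-AddressRewriteEntry only reports what it would create.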
Do not forget to:
Conduct a thorough assessment of existing infrastructure, including on-premises and cloud email services.
Develop a detailed migration plan that covers the coexistence requirements and the associated risks.
Test the SMTP address rewrite solution extensively, covering coexistence, email routing and cross-tenant migration scenarios, and adjust the configuration iteratively until it behaves as required.
Provide comprehensive training for IT staff and end users to ensure a smooth transition. Communicate the changes, benefits and potential impact, fostering a transparent and collaborative approach.
Conclusion
By leveraging the capabilities of Microsoft Exchange Edge servers and implementing a robust, cost-effective SMTP address rewrite solution, we successfully navigated the complexities of coexistence and cross-tenant migration for our customer. This case study highlights the importance of a well-planned and well-executed strategy in ensuring a smooth transition when adopting M365 services in a hybrid environment.