Frequently Asked Questions
General
What is TenantLift?
TenantLift is a SaaS platform that automates cross-tenant Microsoft 365 migrations — identity mapping, mailbox content migration, SMTP cutover, calendar rewrite, permissions reconstruction, and more.
Does TenantLift require on-premises infrastructure?
No. TenantLift is fully cloud-hosted. All communication happens over HTTPS to Microsoft Graph and Exchange Online endpoints.
Which Microsoft 365 plans are supported?
Any plan that includes Exchange Online (Business Basic, Business Standard, Business Premium, E1, E3, E5, etc.).
Security & Permissions
Why does TenantLift need so many permissions?
Each permission is scoped to a specific migration capability. For example,
Mail.Read is needed to read source mailbox contents, while Mail.ReadWrite
is needed to write them to the target. See the
full permissions reference.
Is my data secure?
- All API communication uses TLS 1.2+
- OAuth tokens are encrypted at rest (AES-256)
- TenantLift never stores mailbox content — data flows directly between Microsoft tenants via Graph API
- Admin consent can be revoked at any time from the Entra ID portal
Can I revoke access after the migration?
Yes. Navigate to Entra ID → Enterprise Applications → find TenantLift → Properties → Delete. This removes the service principal and all granted permissions immediately.
Migration
How long does a migration take?
It depends on the volume of data. A typical 100-user migration with average mailbox sizes completes within 24–48 hours.
Can I migrate in batches?
Yes. You control batch size and scheduling. Migrate VIPs first, then the rest of the organisation.
What happens if a migration fails?
TenantLift tracks individual item migration status. Failed items can be retried without re-migrating already-completed items.
Is there any downtime?
The coexistence phase ensures mail continues to flow during migration. The only brief interruption is during DNS cutover (typically a few minutes for MX record propagation).