Copy identities (beta) overview

Copy identities from Entra ID (this feature is available as a public beta)

Before you can migrate mailboxes between Microsoft 365 tenants, users need to exist in the destination tenant.

Copy identities copies users and groups from Entra ID to complete identity preparation as part of your migration projects.

Note: Copy identities is a public beta.

Some identity types and properties are not supported. For details, see Copy identities limitations.

Prerequisites

  • You have a ShareGate Migrate Pro or ShareGate Migrate Enterprise subscription.

  • You have global admin permissions in your Microsoft 365 source and destination.

Required Microsoft 365 permissions

You must consent once to a set of Microsoft 365 permissions on your tenants before using Copy identities.

You'll be prompted to consent to these permissions the first time you sign in with your Global admin account.

To learn about the required permissions for identity migrations, see Microsoft 365 permission scopes required for ShareGate.

How to copy identities

  1. Select Copy from the sidebar menu.

  2. Select the Copy identities tab.

  3. Click Copy identities.

  4. Click the tenant selection box. It will display No connections if no tenants are connected via Copy identities.

  5. Select a source tenant or click +Add connection to connect to a new tenant.

    • If this is the first time connecting to the tenant with a mailbox migration feature, you will get prompted to consent to a Microsoft 365 permission scope as described in the Permissions consent section above.

    • You can click the refresh icon to update your users.

  6. Place a check mark next to each source identity you want to migrate.

    • You can use the search bar to find specific identities.

    • You can click on a column header to sort your identities based on that column.

    • You can select all your listed mailboxes with the check box in the Mailbox column header.

  7. Click Continue to select destination.

What gets copied

Copy identities relies on available Microsoft 365 and Entra ID APIs. Not all identity types and properties are supported.

Users

ShareGate Migrate copies the following user types:

  • Member Users

  • Guest Users

  • Shared Mailboxes

  • Room Mailboxes

  • Equipment Mailboxes

Note: Guest users are migrated using Microsoft's invitation flow. A valid email address is required for each guest user.

The following properties are copied per user:

| Category | Properties copied |
| --- | --- |
| Core | Display Name, User Principal Name (UPN), Mail Nickname, Account Enabled, User Type, Mail address |
| Profile | First Name, Last Name, Job Title, Department, Company, Office Location, Mobile Phone, Business Phone, Fax, Street, City, State, Postal Code, Country |
| Account | Usage Location, Employee ID, Employee Type, Employee Hire Date, Employee Leave Date, Password Policies, Show In Address List, Is Resource Account |
| Privacy | Age Group, Consent Provided for Minor |
| Other | Preferred Language, Other Mails (alternate email addresses) |

Note: Only one business phone number can be set per user. If a source user has multiple business phone numbers, only the first one is copied.

For Shared, Room, and Equipment mailboxes, ShareGate Migrate also copies the following permissions:

  • Full Access

  • Send As

  • Send On Behalf

These permissions are copied for both individual users and groups as members.

Licenses are mapped from source SKU IDs to destination SKU IDs using License Mappings that you can configure.

Groups

| Group type | Supported | Notes |
| --- | --- | --- |
| Security Groups | Yes | Static or dynamic membership; can have a Teams association |
| Unified Groups (Microsoft 365) | Yes | Static or dynamic membership; can have a Teams association |
| Distribution Lists | Not supported | |
| Mail-enabled Security Groups | Not supported | Flagged in the interface |

For supported group types, the following core properties are copied: Display Name, Mail Nickname, Group Type, Visibility, Description, Security Enabled, and Mail Enabled flags.

Additional properties by type:

  • Security Groups: Hide From Address Lists, Hide From Outlook Clients

  • Unified Groups (M365): Theme, Mail address, Allow External Senders, Auto Subscribe New Members, Hide From Address Lists, Hide From Outlook Clients

For membership:

  • Assigned groups: Owners and Members are copied.

  • Dynamic groups: Membership Rules are copied, with circular dependency detection and domain name mapping applied using your configured Domain Mappings.

Identity mappings

Copy identities handles mappings automatically between users and groups.

How users and groups are matched

ShareGate Migrate looks for exact matches on specific properties:

  • Users are matched with the User Principal Name (UPN).

  • Groups are matched with the Mail nickname.

When no match is found

The identity's status changes to Will be created on the mappings screen, and ShareGate will provision a new identity in the destination.

When multiple candidates are found

When two destination identities match the same source, it is treated as a conflict, and the identity receives a Needs review error status. ShareGate Migrate won't automatically pick one.

In these cases, you can resolve the conflict directly in Entra ID or remove the identity from the migration list.
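The matching rules above can be checked ahead of a copy against exported identity lists, so you know which source identities will map onto an existing destination object, which will be created, and which will conflict. The following is an added example, not ShareGate code: the record layout, the sample data, the "Matched" label, and the case-insensitive comparison are all assumptions of this sketch.

```python
# Added example: pre-flight classification of source identities against a
# destination export, following the matching rules described on this page.
from collections import defaultdict

# Constructed sample data (not real tenant exports).
SOURCE = [
    {"kind": "user", "upn": "alice@contoso.example"},
    {"kind": "user", "upn": "bob@contoso.example"},
    {"kind": "group", "mailNickname": "finance"},
    {"kind": "group", "mailNickname": "hr-team"},
]
DESTINATION = [
    {"kind": "user", "id": "u-1", "upn": "Alice@contoso.example"},
    {"kind": "group", "id": "g-1", "mailNickname": "finance"},  # security group
    {"kind": "group", "id": "g-2", "mailNickname": "finance"},  # Microsoft 365 group
]

def match_key(identity):
    """Users match on UPN, groups on mail nickname (per the page).
    Case-folding the value is an assumption of this sketch."""
    field = "upn" if identity["kind"] == "user" else "mailNickname"
    return identity["kind"], identity[field].casefold()

def classify(source, destination):
    """Return (key, status, candidate_ids) for every source identity."""
    index = defaultdict(list)
    for dest in destination:
        index[match_key(dest)].append(dest["id"])
    report = []
    for src in source:
        key = match_key(src)
        candidates = index.get(key, [])
        if not candidates:
            status = "Will be created"   # no destination match
        elif len(candidates) == 1:
            status = "Matched"           # hypothetical label for a single match
        else:
            status = "Needs review"      # several candidates: a conflict
        report.append((key[1], status, candidates))
    return report

if __name__ == "__main__":
    for key, status, candidates in classify(SOURCE, DESTINATION):
        print(f"{key:26} {status:16} {', '.join(candidates)}")
```

Rows reported as Matched are worth reviewing as carefully as the conflicts, since an existing destination object will be used in place of a newly created one.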

Copy report

As the copy completes, ShareGate generates a copy report that summarizes the results of your identity migration.

If you leave the identity migration screen, you can always find the copy report in the Tasks screen.
