#Create a Migration Policy

A Microsoft Entra ID migration policy allows you to define how to map the source and destination users and groups in Microsoft Entra ID, configure the conflict resolutions, migration options, and other settings.

Refer to the following steps to configure a migration policy for Microsoft Entra ID migrations:

1. Click Policies under Settings in the left pane.

2. Click Migration policies to access the Migration policies page.

3. Click the Microsoft Entra ID tab.

4. Click Create migration policy. The Create migration policy panel appears.

5. Enter a name and an optional description for the policy, and then click Next.

6. In the What do you want to migrate? section, select the attributes you want to map for the source and destination objects from the corresponding drop-down list.

   You can click the Add button to add more mappings, or click the Remove button to remove an added mapping.

   Fly will use the first attribute mapping to map an object. If the object cannot be mapped, Fly will try to map it using the second attribute mapping, and so on.

   NOTE

   If the source object can be mapped to multiple destination objects based on the attribute mappings configured in the migration policy, the migration of the source object will fail.

   NOTE

   If explicit user mappings were configured in User mapping section, they would take precedence over the attribute mappings.

7. In the User mapping section, you can map a source user to a destination one. You can also map a domain in the source to a destination domain. Users, securities, and user-related metadata can be migrated based on user mappings. Click Add button to the right of the field to create a new one. Refer to the Create User Mappings section to view how to create a user mapping.

   You can also select a previously created user mapping from the drop-down list and click View details to view the detailed information of the selected user mapping. You can enter the keyword of a user mapping in the Search user mapping text box and press Enter on the keyboard to search the user mapping.

8. In the Conflict resolution section, configure the conflict resolution when the source object conflicts with an existing object in the destination. Refer to the following detailed information on each conflict resolution.

   Resolution	Conflict	No Conflict
   Skip	Ignore the conflicting object and do nothing in the destination.	A new object will be created.
   Overwrite	Overwrite the conflicting object attributes in the destination based on the source object attributes.	A new object will be created.

9. Click Next after you finish configuring the conflict resolutions.

10. In the Additional options & mappings step, you can configure the following settings for migrations.

    • Sync settings – Select the user attributes and permissions to migrate, then configure the conflict resolution to handle matching data in the destination.

      • Role assignments – Select this checkbox to assign destination users' and groups' roles based on the source roles. This action will not remove any roles already assigned to the destination user.

      • Microsoft licenses – Select this checkbox to assign Microsoft licenses to destination users based on the source user's license assignments.

      • Custom security attributes – Select this checkbox to assign custom security attributes to destination users based on the source user's attribute assignments.

    • Account & access controls – Select the checkboxes to configure account and access settings for destination users and groups.

      • Add membership to the destination Microsoft Entra ID groups – If all users associated with the groups to be migrated already exist in the destination, you can select this checkbox to migrate group membership. Otherwise, we recommend running a Post-migration > Migrate group membership job to migrate the group membership.

      • Add enterprise application (SSO) assignments – Select this checkbox to grant destination users and groups permission to access the same enterprise applications they had in the source tenant. Existing application access in the destination is preserved.

      • Block sign-in for destination users – Select this checkbox to block sign-in for the destination users created by Fly. These users cannot sign in to Microsoft until they are unblocked. You can unblock user sign-in by running a Post-migration > Unblock user sign-in job.

    • Invite guest user – Select this checkbox to invite guest users to the destination. If you want to send a personalized invitation email to guest users, select the checkbox of Send invitation email and configure the email.

      NOTE

      If a guest user was already migrated in a prior job without an invitation, enabling this option in a later job will send the invitation to the existing destination account without duplicating the object.

      • Email content – Enter the content of the invitation email.

      • Cc – Enter the email address(es) to be copied on the invitation.

      • Invite redirect URL – Enter the specific landing page the user will be redirected to after accepting the invitation.

    • Password policy – Select the checkboxes to configure password settings for the destination.

      • Force password change on next sign-in – With this option selected, migrated users must update their passwords on their first login to the destination tenant.

      • Set destination passwords to never expire – With this option selected, the DisablePasswordExpiration policy will be applied to all migrated users. This prevents their passwords from expiring automatically under the destination tenant's default password expiration configuration.

      • Disable password complexity requirements – With this option selected, the DisableStrongPassword policy will be applied to all migrated users. This allows their passwords not to meet the password complexity requirements in the destination tenant.

    • Customized features – This function is unavailable for Microsoft Entra ID migration now.

11. Click Next to configure Notifications setting.

12. Select the Send project level notifications (all mappings within a project) checkbox and configure the settings to send migration email notifications to specific recipients after the migration. The migration email notifications are based on the project level, which summarizes the project name and the mapping count of each migration status.

    • Recurrence – Enter a positive integer to define the recurrence days for the notifications.

    • Start date and time – Select a start date and time to send the first notification. The later notifications will be sent at the selected time based on the recurrence.

      If you want to configure the end date and time of the notifications, you can select the Configure end date and time checkbox and select a date and time.

    • Send migration email notifications to – Define the recipients who will receive the notifications.

    • Email template – Create an email template for the notifications by clicking the Add button. Refer to Manage Email Settings for details on how to create an email template. You can also select an existing email template from the drop-down list.

13. Click Save to save the migration policy.

On the Migration policies page, you can manage existing policies.

• Set as default – Select a policy and click Set as default to set it as the default policy. The default policy will be automatically selected when you create projects.

• Edit – Click the policy name link to edit the policy.

• Delete – Select a policy and click Delete to delete it. You can also select multiple policies and click Delete to delete them.

• Copy – This allows you to quickly create a new policy with similar configurations by completing the following steps:

  1. Select your target policy, and click Make a copy.

     You can also open your target policy, and click Make a copy on the Edit migration policy page.

  2. Check the settings and make updates if necessary on the Copy migration policy page.

  3. Click Save.