Identity first
Resolve UPN vs sAMAccountName mismatches, mail nickname collisions, and domain cutover sequences early. Decide on cloud‑only vs hybrid join, and map CA exemptions carefully.
Mail flow & coexistence
Plan SMTP domain migration, routing, and X500 address preservation to avoid NDRs. Validate GAL sync boundaries and guest access retargeting.
Risk controls
Stage Conditional Access changes in report‑only, introduce App Protection grant controls, and align to CPS‑234 / Essential Eight maturity targets.
Runbook
- Discovery & inventory
- Coexistence setup
- Pilot migrations
- Cutover & validation
- Post‑cutover hygiene