A multitenant solution provider facilitates service deployments in a new cloud for tenants. This provider creates tenant certificates and provides templates for services to create their service identities. These service identities include both managed service identities and service accounts. The difference between the two is in usage: the former is system defined and automatically maintained, while the latter is an exclusive credential for the service. Also, Managed Service Identity is specific to Azure Active Directory, while a service account can exist in any Active Directory domain, both on-premises and in Azure.

When we refer to a tenant, we refer to it by the tenant ID, but it is also possible to refer to tenants by their host names in the deployment. A tenant-specific sub-domain is set up in this case. The tenant host name, mytenant.myservice.com, must be specified as an alternative in the tenant configuration. The URL can specify the tenant ID and the tenant host name if we specify the host names as alternative IDs for tenants.
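
The lookup described above, as an added example that is not part of the original post: it resolves a URL to one tenant whether the URL carries the tenant ID, a host name registered as an alternative ID, or both, and it rejects a URL whose two identifiers disagree. The `TenantDirectory` class, the `/tenants/<id>/` path layout, the tenant IDs and the second host name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def _norm(name):
    return name.strip().lower().rstrip(".")

class TenantDirectory:
    """Tenant IDs plus the host names registered as their alternative IDs."""
    def __init__(self):
        self._ids = set()
        self._alt = {}  # alternative ID (host name) -> tenant ID

    def register(self, tenant_id, alt_hosts=()):
        tenant_id = _norm(tenant_id)
        hosts = [_norm(h) for h in alt_hosts]
        for host in hosts:  # validate first so a rejected call changes nothing
            if self._alt.get(host, tenant_id) != tenant_id:
                raise ValueError(f"{host} is already an alternative ID of another tenant")
        self._ids.add(tenant_id)
        self._alt.update((host, tenant_id) for host in hosts)

    def canonical(self, identifier):
        """Map a tenant ID or an alternative ID to the tenant ID, else None."""
        key = _norm(identifier)
        return key if key in self._ids else self._alt.get(key)

    def resolve(self, url):
        """Return the single tenant a URL addresses, or raise LookupError."""
        parts = urlsplit(url)
        found = set()
        # Host names match exactly; a look-alike sub-domain resolves to nothing.
        by_host = self._alt.get(_norm(parts.hostname or ""))
        if by_host:
            found.add(by_host)
        segs = [s for s in parts.path.split("/") if s]
        if len(segs) >= 2 and segs[0] == "tenants":  # assumed path layout
            by_path = self.canonical(segs[1])
            if by_path is None:
                raise LookupError("unknown tenant identifier in path")
            found.add(by_path)
        if len(found) != 1:  # none named, or host and path disagree
            raise LookupError("URL does not identify exactly one tenant")
        return found.pop()

# Constructed sample data: tenant IDs and the second host name are made up;
# mytenant.myservice.com is the host name used in the post.
TENANT_A = "11111111-2222-3333-4444-555555555555"
TENANT_B = "66666666-7777-8888-9999-000000000000"
DIRECTORY = TenantDirectory()
DIRECTORY.register(TENANT_A, ["mytenant.myservice.com"])
DIRECTORY.register(TENANT_B, ["othertenant.myservice.com"])
```

Rejecting the URL when the host name and the path name different tenants keeps a request from being authorized under one tenant and served from another.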

Migrating certificates is easy but migrating tenant identities is not. Even though the certificates change when they have different subject names that include different domains, it is easy to create those identities in either the source or the destination cloud because they request an external certificate authority to issue them. Once issued for a specific domain, they can be added to the concerned domain wherever it is.

New clouds pose a new challenge in that the migration is not between tenants in the same solution; instead, the tenant identities are migrated from one cloud instance to another. Therefore, there is a source and a destination instance, and artifacts for a tenant that existed in one instance must have a corresponding artifact in the destination.

As with any migration, there are four phases:
A. These include phase 1 – discover and scope, phase 2 – classify and plan, phase 3 – plan migration and testing, and phase 4 – manage and gain insight.
B. The first phase is the process of creating an inventory of all artifacts in the ecosystem. They fall into three categories: those that can be migrated, those that are not migrated, and those marked for deprecation.
C. The second phase involves detailing the artifacts within the categories with criticality, usage, and lifespan. It prioritizes the artifacts for migration and plans a pilot.
D. The third phase involves planning migration and testing by communicating changes, migrating artifacts, and transitioning tenants.
E. The fourth phase involves managing and gaining insight by managing end-user and admin experiences and gaining insight into artifacts and their usage.

These four phases transition the artifacts' usage from old to new smoothly.