Nexune Migrate

Zero-touch M365 migrations, with receipts.

Move every Windows device from one Microsoft 365 tenant to another — identity, profile, mail, files, Intune, BitLocker — fully automated. Every action is cryptographically signed and WORM-notarized. Your auditors will love it.

HSM-signed audit · Two-approver gate · 14-state machine · Per-device SSE
console.nexune.in / waves / w-9c2
Wave — Q2 Sales NA migration
Contoso → Northwind · 284 devices · created May 18
Status: Running
Done 142 · Running 31 · Pending 109 · Failed 2
Device feed (SSE)
  • WS-LON-2284 · SOURCE_CLEANED → DST_JOINED · Running
  • WS-LON-2103 · INTUNE_ENROLLED · Running
  • WS-NYC-0641 · PROFILE_REATTACHED · Done
  • WS-NYC-0782 · PREP_BL_ESCROW · Running
HSM-signed by 2 approvers · kid kv-9af3 · receipt notarized 14s ago

The problem

Mergers move money. Migrations move devices.

Most M365 migration tools move mail, files, and SharePoint. They don't touch the devices — and the devices are the hard part. Domain join, Intune re-enrollment, BitLocker escrow, profile swap, app reinstall. Today, that's weeks of fragile manual work per device.

Weeks

per device in manual M&A migrations.

5+

fragile PowerShell scripts holding the migration together.

0

audit-grade evidence of who did what, when, where.

What it does

Four verbs. One product.

Discovers

Every device, every user, every mapping conflict. Microsoft Graph scan, dedupe by serial, readiness scored 0–100 with blockers surfaced before you commit.

Prepares

BitLocker keys escrowed. Provisioning packages built per-customer. Per-device .intunewin agent Authenticode-signed. Two approvers gate production change.

Migrates

A 12-phase state machine drives every device. Idempotent, resumable, observable. Zero user interaction. Per-device session queues with retry + quarantine.

Proves

Hash-chained audit log. HSM-signed by approvers. WORM-notarized into immutable blob storage every 60 seconds. Every action, every device, forever.

Live status, by design

Every wave streams live. No refresh. No spreadsheet.

The operator console subscribes to a Server-Sent Events stream from the control plane. Every state transition, every phase event, every quarantine — visible the instant it happens, with a graceful reconnect if you lose the network.
  • Per-wave + per-device live progress — SSE; resume after disconnect via Last-Event-ID.
  • 12-phase timeline per device — with timestamps, elapsed seconds, retries.
  • Pause, abort, retry — without dropping the audit chain

Two-approver production

Production change happens with two pairs of eyes — and an HSM.

Every wave is signed by an Azure Key Vault HSM key over the canonical wave manifest. Waves above 100 devices require a second approver. Separation-of-duties enforced: the operator who built the wave can't be an approver. Approvals expire after 24h.
  • HSM-backed signatures — Azure Key Vault Premium, versioned kid stamped on every receipt.
  • SoD enforced — creator ≠ approver ≠ executor.
  • ≤ 24h freshness — stale approvals are rejected by the control plane.
console.nexune.in / approvals
Approval queue
  • Q2 Sales NA · 284 devices · You signed 1st · awaiting another approver · Needs 2nd
  • EMEA — Pilot 4 · 42 devices · Below 100-device threshold · single approver · Needs 1st
  • India retail · 612 devices · >500 devices · CISO approval required · Needs 2nd
Each approval is HSM-signed over the canonical wave manifest. ≤24h freshness.
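
The gate rules stated above (second approver above 100 devices, creator ≠ approver ≠ executor, 24h freshness, approval bound to the manifest), sketched as an added example; this is not Nexune's code. The record fields, the sorted-key JSON canonical form and the sample wave are assumptions, and HSM signature verification is assumed to have happened before this policy check.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

SECOND_APPROVER_ABOVE = 100              # from the page: waves above 100 devices
MAX_APPROVAL_AGE = timedelta(hours=24)   # from the page: approvals expire after 24h


def manifest_digest(manifest: dict) -> str:
    """SHA-256 over sorted-key JSON (the canonical form is an assumption)."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def gate(manifest: dict, approvals: list, executor: str, now: datetime):
    """Return (allowed, rejected). Each approval is assumed to have had its
    HSM signature verified already; this checks policy only."""
    digest = manifest_digest(manifest)
    required = 2 if len(manifest["devices"]) > SECOND_APPROVER_ABOVE else 1
    valid, rejected = set(), []
    for a in approvals:
        who = a["approver"]
        if a["manifest_digest"] != digest:
            rejected.append((who, "signed a different manifest"))
        elif who == manifest["created_by"]:
            rejected.append((who, "creator cannot approve"))
        elif who == executor:
            rejected.append((who, "approver cannot execute"))
        elif now - a["signed_at"] > MAX_APPROVAL_AGE:
            rejected.append((who, "approval older than 24h"))
        else:
            valid.add(who)  # set: one person signing twice counts once
    return len(valid) >= required, rejected


# Constructed sample: a 284-device wave built by the hypothetical user "alice".
NOW = datetime(2030, 1, 2, 12, 0, tzinfo=timezone.utc)
WAVE = {"wave_id": "w-sample", "created_by": "alice",
        "devices": [f"WS-{n:04d}" for n in range(284)]}


def approval(approver: str, hours_ago: int, manifest: dict = WAVE) -> dict:
    """Build a constructed approval record over the given manifest."""
    return {"approver": approver, "manifest_digest": manifest_digest(manifest),
            "signed_at": NOW - timedelta(hours=hours_ago)}
```

Because each approval carries the digest of the manifest it was signed over, adding a device to the wave after sign-off invalidates every existing approval.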

What employees see

No tickets. No surprises. No 'have you tried restarting?'

End users see a single calm status page. They know when their device will move, they can defer (up to two times), and they can start immediately if they want. Migration runs in the background. When they sign back in, everything is where it was.
  • Defer 4h or 24h — capped at 2 per device, audited.
  • Start now — surface the wave to the front of the queue.
  • Customer branding — logo, support email, accent color per customer.
portal.nexune.in
Your device migration

j.kowalski@contoso.com · WS-NYC-0641

Scheduled — tonight at 8:30 PM

Your device will join the new Microsoft 365 tenant. You don't need to do anything. Save your work and leave it powered on.

Questions? it-help@nexune.in

Security, the whole way through

Built so your auditors don't have to take our word for it.

HSM signing

Azure Key Vault Premium HSM signs every approval and every notarization receipt. Versioned kid stamped on every record.

Hash-chained audit

Every audit row has prev_hash + this_hash. Tamper-evident. No log entry can be silently changed or removed.

WORM notarization

Every 60 seconds, a per-customer batch is uploaded to immutable blob storage with a 7-year locked policy.

SQL RLS tenancy

SQL Server Row-Level Security on every per-customer table. SESSION_CONTEXT enforces customer_id on every connection.

Two-approver gate

Waves above 100 devices require a second approver. SoD prevents the creator from signing.

Idempotent state

14-state device-run machine. Every transition keyed by (device_run_id, target_state). Replay-safe end to end.
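
How a prev_hash + this_hash chain is checked, and why the periodic notarization matters, as an added example that is not Nexune's implementation. The hash construction (SHA-256 over prev_hash plus sorted-key JSON), the all-zero genesis value and the row layout are assumptions; only the field names prev_hash and this_hash come from the page.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first row


def row_hash(prev_hash: str, payload: dict) -> str:
    """this_hash = SHA-256(prev_hash || canonical JSON of the row payload)."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain: list, payload: dict) -> None:
    """Append a row linked to the current head of the chain."""
    prev = chain[-1]["this_hash"] if chain else GENESIS
    chain.append({"payload": payload, "prev_hash": prev,
                  "this_hash": row_hash(prev, payload)})


def verify(chain: list, anchored_head: str) -> list:
    """Return a list of findings; an empty list means the chain is intact."""
    findings = []
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev:
            findings.append(f"row {i}: prev_hash does not match previous row")
        if row_hash(row["prev_hash"], row["payload"]) != row["this_hash"]:
            findings.append(f"row {i}: payload does not match this_hash")
        prev = row["this_hash"]
    # The chain alone cannot reveal a truncated tail or a full recompute;
    # comparing against a head hash stored elsewhere (e.g. a notarized batch) can.
    if prev != anchored_head:
        findings.append("head hash differs from externally anchored value")
    return findings


def build_sample() -> list:
    """Constructed rows; device names and states reuse the page's mock feed."""
    chain = []
    events = [("WS-NYC-0782", "PREP_BL_ESCROW"), ("WS-LON-2284", "SOURCE_CLEANED"),
              ("WS-LON-2284", "DST_JOINED"), ("WS-NYC-0641", "PROFILE_REATTACHED")]
    for seq, (device, state) in enumerate(events):
        append(chain, {"seq": seq, "device": device, "state": state})
    return chain
```

An edited or deleted row breaks a link inside the chain; a writer who recomputes every later hash, or drops the newest rows, is caught only by the comparison against the separately stored head.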

Built on what your auditors already trust

  • Microsoft Graph
  • Azure Key Vault HSM
  • Azure SQL Ledger
  • Microsoft Intune
  • Authenticode
  • AAD Multi-tenant

Compare

The device side of M365 migration is where every tool stops. We start there.

Capability · Nexune Migrate · BitTitan · ShareGate · Quest · DIY scripts
Device-level migration (not just content) · Manual
Identity + profile SID swap · Manual · Manual
BitLocker escrow + re-encryption · Manual
Cryptographically signed audit

Outcomes

What 'zero-touch' looks like in numbers.

Numbers below are from a real-world pilot deployment between two Microsoft 365 tenants. We'll publish customer case studies as the first wave of paying customers go live.

0
User-side actions
No tickets, no waits.
< 0s
Audit notarization cadence
Per customer, signed + WORM.
0
Device-run states
Idempotent end to end.
0
Approvers per wave
>100 devices triggers second signer.
"We migrated 284 devices in a six-hour window. The help-desk inbox stayed empty. The audit log answered every question my CISO asked the next morning."
— Placeholder pilot quote. Real customer attribution lands after the first paying go-live.

Ready to migrate without touching a single device?

A 30-minute call to see the operator console, walk a live wave, and look at the audit chain. No deck, no script.