Skip to content
exune

Nexune Migrate

Zero-touch device migration for Microsoft 365 tenant-to-tenant moves

Why Nexune Migrate?

Nexune Migrate moves every Windows device from one Microsoft 365 tenant to another — identity, profile, Intune enrollment, BitLocker — without a technician touching the machine. Operators run discovery, identity mapping, readiness gates, and two-person approvals from one console; a native agent executes the move on each device through the same 11 phases — crash-safe and resumable; and every action lands in a hash-chained, WORM-notarized audit trail your CISO can sign.

Use cases

Tenant-to-tenant Windows device migration

Move entire Windows fleets between Microsoft 365 tenants — identity, profile, Intune enrollment, Autopilot, BitLocker — zero touch, with a signed audit trail underneath.

See how a migration runs

Mac devicesComing soon

macOS support is on the roadmap — the same console, approvals, and audit chain, applied to Apple fleets. Tell us about your Mac estate and help shape it.

Talk to us about Mac fleets

On-prem domain-joined to cloud IntuneComing soon

Lift devices from on-premises Active Directory into Entra join and Intune management — without reimaging. In development.

Register your interest

Migrations from other MDM tools to IntuneComing soon

Planned: move your fleet to Microsoft Intune from ManageEngine, Workspace ONE, Jamf, JumpCloud, or NinjaOne — devices re-enrolled without reimaging, users untouched.

Tell us which tool you’re on

One console for the whole migration

Operators work a single pane from discovery to sign-off. This is the actual product, not a mock-up.

The devices are the hard part of a tenant migration

Most M365 migration tools move mail, files, and SharePoint — they don’t touch the devices. Domain join, Intune re-enrollment, BitLocker escrow, profile swap, app reinstall: today that’s weeks of fragile manual work.

Weeks

of manual work per migration, done by hand.

Scripts

fragile, hand-rolled, unowned — holding the typical DIY migration together.

0

audit-grade evidence of who did what, when, where.

What Nexune Migrate does

One console that discovers both tenants, prepares every device, migrates in approved waves, and proves what happened.

Discovers

Every device, every user, every mapping conflict. Microsoft Graph scan, dedupe by serial, readiness scored 0–100 with blockers surfaced before you commit.

Prepares

BitLocker keys escrowed. Provisioning packages built per-customer. Per-device .intunewin agent Authenticode-signed.

Migrates

Every device moves through the same 11 phases. Resumable, observable, safe to retry. One consent click from the user; nothing else. Per-device session queues with retry + quarantine.

Proves

Hash-chained audit log. HSM-signed by approvers. Notarized into immutable storage. Every action, every device, retained immutably for seven years.

Live status, by design

Every wave streams live. No refresh. No spreadsheet.

The operator console streams live status from the control plane. Every state transition, every phase event, every quarantine — visible the instant it happens, with a graceful reconnect if you lose the network.

  • Per-wave + per-device live progress — live updates that pick up exactly where they left off after a dropped connection.
  • 11-phase timeline per device — with timestamps, elapsed seconds, retries.
  • Pause, abort, retry — without dropping the audit chain.

Two-approver production

Production change happens with two pairs of eyes — and an HSM.

Every wave is signed by an Azure Key Vault HSM key over the canonical wave manifest. Waves above 100 devices require a second approver. Separation-of-duties enforced: the operator who built the wave can’t be an approver. Approvals expire after 24h.

  • HSM-backed signatures — keys live in Azure Key Vault Premium — never in software.
  • SoD enforced — creator ≠ approver ≠ executor.
  • ≤ 24h freshness — stale approvals are rejected by the control plane.

What employees see

No tickets. No surprises. No “have you tried restarting?”

End users see a single calm status page. They know when their device will move, they can defer (up to two times), and they can start immediately if they want. Migration runs in the background. When they sign back in, everything is where it was.

  • Defer 4h or 24h — capped at 2 per device, audited.
  • Start now — surface the device to the front of the queue.
  • Customer branding — logo, support email, accent color per customer.

Built so your auditors don’t have to take our word for it.

Security, the whole way through.

HSM signing

Azure Key Vault Premium HSM signs every approval and every notarization receipt. Every signature is traceable to the exact key version that produced it.

Hash-chained audit

Every audit entry is cryptographically linked to the one before it — tampering is detectable. No log entry can be silently changed or removed.

WORM notarization

Every 60 seconds, a per-customer batch is uploaded to immutable blob storage with a 7-year locked policy.

Tenant isolation

Every customer’s data is isolated at the database layer — enforced on every query, not just in app code.

Two-approver gate

Large waves need a second signer — and the creator can never be one of them.

Safe to retry

A device can never run the same step twice — every retry picks up exactly where it left off, through all 11 phases.

Built on what your auditors already trust

  • Microsoft Graph
  • Azure Key Vault HSM
  • Immutable Blob storage
  • Microsoft Intune
  • Authenticode
  • AAD Multi-tenant

The device side of M365 migration is where every tool stops. We start there.

CapabilityNexune MigrateBitTitanShareGateQuestDIY scripts
Device-level migration (not just content)Manual
Identity + profile SID swapManual
BitLocker escrow + re-encryptionManualManual
Cryptographically signed audit

Nexune Migrate by the numbers

Customer case studies will be published as the first production migrations go live.

1

Click asked of the user

Consent — then software does the rest.

< 60s

Audit notarization cadence

Per customer, signed + WORM.

11

Migration phases

Visible end to end.

2

Approvers per wave

>100 devices triggers second signer.

Who runs Nexune Migrate

Two ways to buy, both self-directed — run it as your own IT team, or run every client on a partner plan.

For enterprise IT teams

Run the change yourselves, with the gates already built: your operators work the console, your approvers hold the keys, and the deadline stops being a weekend problem.

Get started

For managed service providers

Partner plans are built in, not negotiated: every client in an isolated workspace, your engineers granted per client, Entra SSO with automatic provisioning, and pooled usage on a single partner invoice.

Get started on a partner plan

Ready to migrate without touching a single device?

A 30-minute call to see the operator console, walk a live wave, and look at the audit chain. No deck, no script.