The state machine, phase by phase
Each phase gates the next. Failures isolate to single devices — never the wave.
Every device that goes through Nexune Migrate runs the same 11-phase state machine — users click Start once; everything after is software. It’s safe to retry — a re-run never repeats completed work — resumable, and signed end to end. Below: every phase, what happens, and why it’s built this way.
Each phase gates the next. Failures isolate to single devices — never the wave.
An admin connects source + destination Microsoft 365 tenants over a delegated Microsoft Entra sign-in.
Why it’s built this way
Delegated tokens (not consented client secrets) mean we never hold a long-lived admin credential.
What happens
Each side is authorized with a delegated sign-in flow that pins the expected tenant on return. Tenant credentials live in a per-customer key vault, isolated by side. Connections are health-checked against the destination tenant before any wave can be activated against the pair.
A managed-device scan enumerates every Windows endpoint in the source tenant.
Why it’s built this way
You can't migrate what you haven't seen. Re-runs are safe — they refresh state without double-counting devices.
What happens
Devices are pulled from the source tenant's management endpoint and reconciled against what we've seen before. Each device gets a 0–100 readiness score with blockers surfaced explicitly: encryption state, last-sync staleness, compliance posture, and autopilot eligibility.
Source UPN → destination UPN, with a strategy and an audit trail.
Why it’s built this way
Most M&A migrations have at least one identity-rename surprise — an employee whose login name has to change to fit the new domain. Pick a strategy or upload a CSV; we keep the receipts.
What happens
Mapping strategies cover the common cases: UPN prefix preserved, regex transformation, attribute-derived from the directory, or explicit CSV. Mappings into privileged destination roles take a separate approval path. Separation of duties is enforced — the operator who creates a mapping can't be the one who approves it.
Pick devices, schedule, and hand it off.
Why it’s built this way
A "wave" is the unit of audited change. Big waves take a second approver. Hard caps keep blast radius bounded.
What happens
The wave wizard walks pair → device selection (with readiness filtering) → name and schedule. Above 500, the wave is split. Retries are safe — a re-run never repeats completed work.
A hardware security module signs over the canonical wave manifest.
Why it’s built this way
A cryptographic signature, not a checkbox. The bytes signed at approval are the bytes the device agents execute against — no in-between mutation possible.
What happens
Approvals are produced by an HSM-backed signing key and carry a freshness window. The signature is bound to the wave's canonical manifest; it cannot be re-used on another wave. Above the production threshold, two distinct approvers are required.
Signed commands flow to per-device queues, in order.
Why it’s built this way
Commands arrive in order, repeats are harmless, and anything older than its approval window expires on its own.
What happens
Each device has its own session-keyed queue. The on-device agent verifies the command's signature against pinned control-plane keys before acting on anything. Stale commands fall off the queue automatically.
BitLocker keys escrowed, profile snapshot taken, agent ready.
Why it’s built this way
If anything goes wrong from here, we can roll back to a known-good state. The recoverable window closes only after the source side is cleaned — and only then.
What happens
The agent escrows the existing BitLocker recovery key, snapshots the user profile, and confirms the destination tenant is reachable. Migration doesn't move past this phase unless the rollback path is verified.
Leave the source tenant, join the destination, re-enroll in management.
Why it’s built this way
The surgery. Authorized by a short-lived, device-bound token that's good for this one device, this one operation.
What happens
The agent uses a short-lived authorization token, bound to the device's hardware identity, to perform the tenant leave-and-join sequence. The token expires in seconds and is replay-defended at the control plane.
The user profile re-binds to the destination identity, on the same machine.
Why it’s built this way
This is where profile-hijack attacks would happen if we let them. The agent will only accept a destination identity that matches what the control plane authorized — no others.
What happens
The destination identity is resolved by the control plane and stamped into the signed command. The agent compares and refuses to proceed if it doesn't match. The user profile is then rebound; installed apps like Outlook, Teams, and OneDrive simply sign in to the destination identity — Nexune moves the device and profile, not mailbox or file content.
The device confirms; the control plane confirms; the user portal updates.
Why it’s built this way
The wave isn't done until every device echoes "done." Stragglers surface immediately into Quarantine.
What happens
The agent reports verification status back to the control plane, which flips the device's state and notifies operators in real time. Anything that doesn't verify on time routes to a triage workflow rather than blocking the rest of the wave.
Every action sealed in a tamper-evident chain. Signed. Sealed in write-once storage for 7 years.
Why it’s built this way
You don't prove a migration happened by digging through logs after the fact. You prove it with a signed receipt you can hand to your auditor.
What happens
The audit log is hash-chained as it grows. A background process seals each per-customer batch with an HSM signature and ships it to write-once storage with a 7-year immutability lock. The resulting receipt is a portable artifact your auditors can verify independently.
After the wave
Every receipt is a portable artifact. Hand it to your auditor; they can verify it cryptographically, with no Nexune tooling required. The same primitives carry into reporting: signed wave summaries and monthly usage statements, generated from the same audit chain.
The fastest way to understand the 11 phases is to watch them happen.