All 12 phases. One screen. Zero user interaction.

Each side is authorized with a delegated sign-in flow that pins the expected tenant on return. Tenant credentials live in a per-customer key vault, isolated by side. Connections are health-checked against the destination tenant before any wave can be activated against the pair.

Devices are pulled from the source tenant's management endpoint and reconciled against what we've seen before. Each device gets a 0–100 readiness score with blockers surfaced explicitly: encryption state, last-sync staleness, compliance posture, and autopilot eligibility.

Mapping strategies cover the common cases: UPN prefix preserved, regex transformation, attribute-derived from the directory, or explicit CSV. Mappings into privileged destination roles take a separate approval path. Separation of duties is enforced — the operator who creates a mapping can't be the one who approves it.

The wave wizard walks pair → device selection (with readiness filtering) → name and schedule. Above 100 devices, a second approver is required. Above 500, the wave is split. Every state-changing call carries an idempotency key, so retries are safe.

Approvals are produced by an HSM-backed signing key and carry a freshness window. The signature is bound to the wave's canonical manifest; it cannot be re-used on another wave. Above the production threshold, two distinct approvers are required.

Each device has its own session-keyed queue. The on-device agent verifies the command's signature against pinned control-plane keys before acting on anything. Stale commands fall off the queue automatically.

The agent escrows the existing BitLocker recovery key, snapshots the user profile, and confirms the destination tenant is reachable. Migration doesn't move past this phase unless the rollback path is verified.

The agent uses a short-lived authorization token, bound to the device's hardware identity, to perform the tenant leave-and-join sequence. The token expires in seconds and is replay-defended at the control plane.

The destination identity is resolved by the control plane and stamped into the signed command. The agent compares and refuses to proceed if it doesn't match. The user profile is then rebound; Outlook, Teams, OneDrive, and other apps re-anchor to the new identity.

Files and mail are re-anchored to the new identity on first sign-in. For customers with very large mailboxes, content is pre-staged ahead of the wave so the post-migration experience is instant.

The agent reports verification status back to the control plane, which flips the device's state and notifies operators in real time. Anything that doesn't verify on time routes to a triage workflow rather than blocking the rest of the wave.

The audit log is hash-chained as it grows. A background process seals each per-customer batch with an HSM signature and ships it to write-once storage with a 7-year immutability lock. The resulting receipt is a portable artifact your auditors can verify independently.