Migrate iCloud Mail to Office 365: IMAP Cutover Guide

Moving iCloud Mail into Office 365 is a common but underdocumented migration. iCloud sits in the consumer category for Apple, which means the platform offers no admin console, no migration toolkit, and no batch export beyond IMAP itself. Office 365 sits firmly in the enterprise category and assumes you've come from Exchange. The seam between them is where most migration runs go sideways. This guide walks the working path: provisioning the destination, generating the right credentials on both sides, and running the IMAP transfer with the throttling both providers apply.

Why this migration shape works#

Microsoft's IMAP migration endpoint inside Exchange Online does technically accept iCloud as a source, but in practice the admin experience is built for migrations from one IMAP server with shared credentials — Cyrus, Dovecot, a hosting provider's IMAP. iCloud requires a per-user Apple ID app-specific password, and Microsoft's batch endpoint doesn't have a clean way to inject one per user without scripting it.

Running this transfer from a desktop tool against IMAP on both sides solves three problems at once. You authenticate per-user with the credential type each side requires. You see per-message and per-folder progress with real error messages. And you can pause, resume, and re-run failed batches without contacting Microsoft support.

The trade-off is that you do the cutover separately — pointing MX records or setting up forwarding from iCloud — rather than letting Microsoft's tooling handle it. For one or two mailboxes that's a non-issue. For 200 mailboxes, you'll want to script it.

Pre-flight: what you need ready#

Before launching anything:

• Office 365 tenant with admin credentials
• Assigned Exchange Online license on the target user (Business Basic, Business Standard, Enterprise E1, E3, or E5 all work)
• Apple ID with iCloud Mail enabled and 2FA on
• Estimate of mailbox size — check iCloud.com, Account Settings, Mail
• A maintenance window if this is a production user (the inbox shouldn't churn during the migration)

Step 1: Provision the Office 365 mailbox#

In Microsoft 365 admin center:

1. Open Users, Active users, and click Add a user
2. Fill in the display name, username, and assign a license that includes Exchange Online
3. Confirm the user can sign in to outlook.office.com once provisioning completes
4. Set a temporary mailbox password the migration tool will use — you can rotate it after the run

If your tenant has security defaults turned on, you'll need to allow Authenticated SMTP and IMAP for this user. Open the user's mail settings, click Manage email apps, and check the boxes for IMAP and Authenticated SMTP. Some Conditional Access policies block IMAP entirely — if so, add a temporary exception for this user during the migration.

Step 2: Generate an Apple ID app-specific password#

iCloud Mail's IMAP listener (imap.mail.me.com port 993) only accepts app-specific passwords, never the Apple ID password directly.

1. Sign in at appleid.apple.com
2. Open Sign-In and Security
3. Click App-Specific Passwords (this menu appears only if 2FA is enabled)
4. Click the plus button, name it Mailbox Taxi migration
5. Re-enter your Apple ID password when prompted
6. Copy the generated 16-character password — it looks like abcd-efgh-ijkl-mnop

You can have 25 active app-specific passwords on an Apple ID. If you're already at the ceiling, revoke an unused one first. For more on how providers handle these credentials, see our app-specific password reference.

Step 3: Test IMAP on both endpoints#

Before connecting anything to Mailbox Taxi, validate IMAP works on each side independently. A simple Mac Mail or Thunderbird session against each account will tell you in 30 seconds whether the credentials are accepted.

For iCloud: imap.mail.me.com, port 993, SSL, your full Apple ID email and the app-specific password.

For Office 365: outlook.office365.com, port 993, SSL, your full O365 email and the temporary password. If you get AUTHENTICATIONFAILED on the O365 side, the most common cause is IMAP being disabled at the user level — go back to Manage email apps in the admin center.

Step 4: Map folders explicitly#

iCloud and Office 365 name their system folders differently. Without explicit mapping, your sent items will land in a folder called Sent Messages next to Office 365's Sent Items, and your deleted items will end up split between Deleted Messages and Deleted Items.

In Mailbox Taxi's folder mapping screen, set:

• iCloud INBOX → O365 Inbox
• iCloud Sent Messages → O365 Sent Items
• iCloud Drafts → O365 Drafts
• iCloud Deleted Messages → O365 Deleted Items
• iCloud Junk → O365 Junk Email
• iCloud Archive → O365 Archive

Any user folders carry their names as-is. If you've named a folder with characters Office 365 doesn't allow (the IMAP spec is more permissive than Exchange's underlying store), the tool will warn you and let you remap before transfer starts.

Step 5: Pilot one folder#

Pick a folder with 200 to 500 messages that doesn't change during the run. Sent Messages is usually a good pilot — historic, stable, and tests the most common metadata fields.

On the pilot, verify:

• Final message count matches between sides
• Dates are preserved (sort by received date in Outlook and confirm chronological order matches iCloud)
• Read/unread flags carried over
• Attachments open from outlook.office.com, not just the desktop Outlook client (the desktop client caches and can mask issues)
• No Folder UTF-7 conversion error in the log

The pilot is the moment to catch problems cheap. If the count is off by more than a few, dig in before queueing the rest.

Step 6: Run the full transfer#

Realistic throughput on this pair runs 200 to 500MB per hour. A 10GB mailbox is a 2 to 5 hour run; 30GB is overnight. The iCloud side is the bottleneck.

Connection limits worth setting:

• Source (iCloud) concurrency: 1 or 2 maximum
• Destination (Office 365) concurrency: 4 — Office 365 tolerates more parallel writes than iCloud tolerates parallel reads

Office 365 will return Too many simultaneous connections if you exceed roughly 16 IMAP connections per user, but the throttle for migration appends kicks in earlier at the message-rate level. Mailbox Taxi watches for backoff signals and adjusts automatically; you don't need to babysit.

Step 7: Verify and reconcile#

When the run finishes:

1. Check folder counts on each side. They should match within a small margin.
2. Spot-check old messages — pick three from each year of your archive, open them, confirm content and attachments.
3. Test sending and receiving on the Office 365 mailbox.
4. Test that calendar invites display correctly in the migrated Sent Items (iCloud sometimes packages ICS attachments in a way that's slightly different to what Outlook expects).

If a folder count is off by more than a few, run a delta sync — Mailbox Taxi will only re-transfer messages with Message-ID headers absent from the destination.

Step 8: Cut over#

The mailbox is now on Office 365 but new mail is still arriving at iCloud. Two options:

Option A: Keep the iCloud address active. Set up forwarding from iCloud Mail (iCloud Mail web, Settings, Forwarding) to your Office 365 address. Senders keep using your @icloud.com address; mail arrives in O365.

Option B: Cut over to a custom domain. If you own a domain, you can verify it in the Microsoft 365 admin center, add it to the user as a primary SMTP address, point MX records at Microsoft, and announce the new address. This is the cleaner long-term answer.

You can't move the @icloud.com address itself — Apple owns the domain and won't release it.

Common failure modes#

AUTHENTICATIONFAILED on iCloud usually means the Apple ID password was used instead of the app-specific password. Generate a fresh app-specific password and retry.

AUTHENTICATIONFAILED on Office 365 usually means IMAP is disabled at the user level. Re-enable it from the admin center.

Message too large for destination happens occasionally on Office 365 — Exchange Online has a 150MB per-message default limit but tenant policies sometimes reduce it. Check the Exchange admin center for the actual limit and raise it temporarily.

Too many simultaneous connections on the iCloud source means you have concurrency too high. Drop iCloud-side concurrency to 1 and the rest of the queue continues.

For a wider operational view on cutover sequencing and DNS, see the Office 365 migration guide. If iCloud isn't where the user wants to land, our walkthroughs for iCloud to Gmail, iCloud to Outlook.com, and iCloud to Yahoo follow the same template.

After the migration#

• Revoke the Apple ID app-specific password from appleid.apple.com once you've confirmed everything's clean
• Set the Office 365 user's password back to something strong they'll actually use
• If you used a custom domain and cut over MX, set up SPF, DKIM, and DMARC records for the domain — these don't move with the mailbox
• Educate the user on the move date and any address change; bookmark the new webmail URL