The only thing it’s missing is an email password restore.
(Actually, that’s the only thing needed so that end users are not required to perform any action after migration.)
Password restores should be easy to implement, as hashes are kept in /etc/domain.tld/shadow. Or am I missing something?