We are doing this same process; we cannot use monitor mode because we have to return multiple VLAN names in the RADIUS responses, not just a RADIUS accept.
We created two MAC auth services and two separate Network Device Groups. The first service is our "Open" Policy, meaning the Role Mapping is exactly the same, but the enforcement has no Deny conditions. The second service is our "Strict" Policy, meaning we do start enforcing NAC more aggressively through the Enforcement policy. All I do is take a device out of the "Open" policy group and add it to the "Strict" policy group when I want to cut it over.
The only thing I can say is, if you're doing 802.1X authentication too, make sure the end-user devices are set up properly. We ran into a bunch that did not validate the RADIUS server certificate properly, so even though my policy didn't reject them, the device failed authentication. To get around this, we started using the "auth-fail VLAN" condition on the switch ports to still allow it to bounce into the production VLAN. When we did the Strict enforcement, we would just change that from production to quarantine using the interface range command.