OAuth 2.0 Setup With BitTitan Service Account

For MigrationWiz to access Google G Suite accounts for migration, authorization is needed to enable access to mailboxes on the source system.

OAuth is an authorization framework that enables applications to obtain limited access to user accounts, such as those on G Suite. OAuth delegates user authentication to the service that hosts the user account. OAuth version 2.0 enables authorization for web and desktop applications.

BitTitan migrations using the G Suite (IMAP) and G Suite (Gmail API) endpoints must enable OAuth 2.0 access to Google APIs in order to access G Suite accounts that are targeted for migration.

BitTitan products use OAuth 2.0 to authenticate to G Suite and utilize the G Suite (IMAP) endpoint in MigrationWiz. This is applicable to both mailbox and document migration projects. In order to obtain access to your G Suite data, it is necessary to add specifically allowed API scopes to the MigrationWiz project.

  • These steps must be followed whenever there is a migration project either to or from G Suite that will utilize the G Suite (IMAP) endpoint. For instructions on using the Gmail API endpoint, see "Set up Google API for migrating mailboxes".
  • Enabling access is required for both G Suite mailbox and Google Drive document migration projects.
  • Mailbox migration projects require that a G Suite administrator grant access to the BitTitan client ID and scopes listed in this article.
  • Document migration projects require that a G Suite Super administrator grant access to the BitTitan client ID and scopes listed in this article and enable the API access. The steps to do this are included at the bottom of this article.

Steps in the G Suite Admin Console

Complete these steps to grant BitTitan client ID access to the appropriate scopes:

  1. Go to https://admin.google.com and authenticate as a Super Administrator.
  2. Click Security. If you do not see the security icon on your admin console home page, you do not have the necessary rights on your account to make these changes. Request Super Administrator access from the customer to implement these changes.
  3. Click Advanced settings. Google limits accessing and changing this setting to only G Suite Super Administrator accounts.
  4. You will now have one of two options, depending on whether your tenant has been updated to the new Google API or not. 
  5. Old Google Tenant:

    • Go to the G Suite admin page at google.com
    • Click on Security
    • Click on Advanced Settings
    • Click Manage API Client Access.

    OR, if your account shows the latest UI updates from Google:

    • Go to the G Suite admin page at google.com
    • Click on Security
    • Click Advanced Settings
    • Under ‘Domain-wide delegation’, click Manage domain-wide delegation
    • On the Manage domain-wide delegation page, click Add new
  6. Click MANAGE DOMAIN WIDE DELEGATION.
  7. Click Add New.
  8. Enter 113321175602709078332 into the Client ID field. 
  9. Enter one of the following groups of scopes into the OAuth Scopes (comma-delimited) field, depending on whether G Suite is the Source or Destination.

    • G Suite as the Source (read-only scopes):
      https://mail.google.com/, https://www.google.com/m8/feeds, https://www.googleapis.com/auth/contacts.readonly, https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/calendar, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/drive, https://sites.google.com/feeds/, https://www.googleapis.com/auth/gmail.settings.sharing, https://www.googleapis.com/auth/gmail.settings.basic
    • G Suite as the Destination (full scopes):
      https://mail.google.com/, https://www.google.com/m8/feeds, https://www.googleapis.com/auth/contacts.readonly, https://www.googleapis.com/auth/calendar, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/drive, https://sites.google.com/feeds/, https://www.googleapis.com/auth/gmail.settings.sharing, https://www.googleapis.com/auth/gmail.settings.basic
  10. Click Authorize.
  11. The client name is 113321175602709078332 (make sure there are no leading or trailing spaces, as this may cause the error "URL ends with an invalid top-level domain name."). This will grant BitTitan products access to the appropriate scopes.
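
As an added example (not BitTitan's or Google's code), the Python check below compares a domain-wide delegation entry against the client ID from step 8 and the scope group from step 9. It reports unexpected or missing scopes and lists which granted scopes are not named `.readonly`. The function names and the sample input are assumptions made for illustration; the scope field is whatever you copy from the Manage domain-wide delegation page.

```python
from urllib.parse import urlparse

CLIENT_ID = "113321175602709078332"  # client ID from step 8
G = "https://www.googleapis.com/auth/"
COMMON = ["https://mail.google.com/", "https://www.google.com/m8/feeds",
          G + "contacts.readonly", G + "calendar", G + "drive",
          "https://sites.google.com/feeds/",
          G + "gmail.settings.sharing", G + "gmail.settings.basic"]
EXPECTED = {  # scope groups from step 9
    "source": set(COMMON) | {G + "calendar.readonly",
                             G + "admin.directory.group.readonly",
                             G + "admin.directory.user.readonly"},
    "destination": set(COMMON) | {G + "admin.directory.group",
                                  G + "admin.directory.user"},
}

def parse_scopes(field):
    """Split the comma-delimited field, trimming the whitespace around each entry."""
    scopes = set()
    for raw in field.split(","):
        scope = raw.strip()
        if not scope:
            continue  # tolerate a trailing comma
        url = urlparse(scope)
        if url.scheme != "https" or not url.netloc or " " in scope:
            raise ValueError(f"malformed scope entry: {raw!r}")
        scopes.add(scope)
    return scopes

def audit(client_id, granted_field, role):
    """Compare one delegation entry with the article's list for 'source' or 'destination'."""
    granted = parse_scopes(granted_field)
    return {
        "client_id_ok": client_id == CLIENT_ID,  # exact match; stray spaces fail
        "unexpected": sorted(granted - EXPECTED[role]),
        "missing": sorted(EXPECTED[role] - granted),
        "not_readonly": sorted(s for s in granted if not s.endswith(".readonly")),
    }

if __name__ == "__main__":
    # Constructed input: the source list with one destination-only scope pasted in
    # and a trailing space on the client ID.
    field = ", ".join(sorted(EXPECTED["source"])) + ", " + G + "admin.directory.user"
    print(audit(CLIENT_ID + " ", field, "source"))
```

Review the `not_readonly` list before authorizing, and re-run the check after the migration to confirm the entry has not gained scopes.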