Google Vault to Microsoft 365 Migration Guide

This guide covers the steps necessary to migrate an instance of Google Vault to Microsoft 365. 

First migration?

This migration guide contains the necessary steps to perform the actual migration, but there are many steps to preparing for migration. If this is your first time performing a migration, we have created a Migration Planning & Strategy Guide to walk you through planning, set-up, and general migration best practices.

Prerequisites

Licensing

Purchase and apply User Migration Bundle licenses for all the users being migrated. For this migration type, we suggest the User Migration Bundle. For questions on licensing, visit MigrationWiz Licenses.

  • User Migration Bundle Licenses have unlimited data available per license.
  • User Migration Bundle Licenses are applied to the customer's users and expire 12 months after their purchase date. 
  • Document, Personal Archive, and DeploymentPro projects are all included when using User Migration Bundle Licenses.
  • This license type must be applied manually.

To use your license by following the next steps:

  1. Purchase Licenses.
  2. Create a Customer.
  3. Apply Licenses.
  4. Review Considerations.
Purchase Licenses Create a Customer Apply Licenses Considerations

Purchase licenses by following the steps below:

  1. Sign in to your BitTitan account. 
  2. In the top navigation bar, click Purchase.
  3. Click the Select button and choose User Migration Bundle licenses.
  4. Enter the number of licenses you want to purchase. Click Buy Now.
  5. Enter a Billing address if applicable.
  6. Click Next.
  7. Review the Order Summary and enter a payment method.
  8. Click Place Your Order.

Limitations

  • Archived Email Folders and emails can be migrated from Google Vault only.
  • MigrationWiz is a migration tool, not a syncing tool. If changes are made at the source after migration, they will not sync to the destination, nor will changes made at the destination sync to the source. We do not have “live” monitoring of changes (as with a sync agent) and we cannot handle scenarios such as conflict resolution without user interaction.
  • We are not able to support migrations with two-factor or multifactor authentication. 
  • The maximum file size for migration through MigrationWiz varies by migration type and environment, but may never exceed 60GB.
  • Items located in the root folder of the mailbox are not migrated. 

Azure Storage Account (BLOB) 

Buy an Azure subscription.

Create an Azure storage account. Note this information somewhere for use during the endpoint process.

  1. Visit ​https://portal.az​ure.com​
  2. Click New.​
  3. Select Storage > Storage account.
  4. Enter a name for your storage account.​
  5. Choose Resource Manager for the Deployment model.
  6. Choose Blob storage for the Account kind with Standard performance. If you are using the v2 endpoint for a document migration, do NOT select Blob Storage, you will instead need to select STORAGEV2 (general purpose v2) with Standard performance.
  7. In the Replication field, select Locally Redundant Storage (LRS).
  8. Select the subscription in which you want to create the new storage account.
  9. Specify a new resource group or select an existing resource group.
  10. Select the geographic location for your storage account.
  11. Do NOT select to enable Data Lake Storage Gen2.
  12. Click Create to create the storage account.
  13. Now the storage account appears in the storage list.​

To obtain your Access Key

  1. Log on to the Azure portal
  2. Click Dashboard.
  3. Click All Resources.
  4. Click All Subscriptions.
  5. Click Storage Account name .
  6. Click Settings.
  7. Click Access Key.
  8. Make a note of the Storage Account Name and the Primary Access Key. These will need to be entered when creating your MSPComplete Destination Endpoint. 

Create an Azure public blob container named migrationwiz. Confirm that the blob container is empty and accessible. MigrationWiz is the default container name that MigrationWiz looks for. This can be modified in the Advanced Options of the MigrationWiz project. 

Prepare the Source Environment 

Prerequisites for Google Vault Migrations 

Migrating from Google Vault is a three-step process: 

  1. ​​Identify the data to be exported from Google Vault.
    1. Complete export or targeted data. 
  2. Search, Export and Upload Files (to Azure) using BitTitan Google Vault Extractor.
    1. Search Google Vault. 

    2. Export and download the contents from Google Vault.

    3. Use UploaderWiz to upload the locally stored files to Azure Blob storage. 

  3. Migrate the data using MigrationWiz.
    1. It is suggested to migrate the results into the Recoverable Items Folder in the primary Microsoft 365 mailbox but can be migrated to any location (Primary mailbox or Archive mailbox).

Export Server: It is required that BitTitan Google Vault Extractor be run from a locally managed server. This export server is set up and maintained by the customer. The export server is a requirement and not provided by BitTitan. This server can be a local workstation, an on-premise server, or a virtual server. 

Set up and Configure the Google Vault Extractor 

Google Vault OAuth Client API Setup 

BitTitan’s Google Vault Extractor allows for the use of your own OAuth Client API, rather than the BitTitan shared API. This option has many benefits and allows for greater control over throttling and security. It’s not a requirement of the migration, but BitTitan recommends this option 

Google Vault OAuth Client API Setup 

List of Users to Export 

BitTitan’s Google Vault Extractor requires a .txt file with the email addresses of the users that need to be extracted. As part of migration planning, you will need to consider batching the users into multiple text files. The extractor will systematically work its way down the list and process each user in a serial means. It is recommended that each user list contains no more than fifty users to easily manage the batch. You will also need to plan out the storage requirements for the list of users. If the list contains fifty users and those fifty users add up to 100GB in exported data volume, the local export server needs to have the required free space.  

Sample input file:

blobid0.png

Microsoft 365 Mailboxes 

Important

If you are migrating into the Recoverable Items Folder of the user's mailbox, make sure the user is on Litigation Hold in Microsoft 365. If you do not, the data will be automatically deleted in Microsoft 365. Learn how to place the mailboxes on Litigation Hold from this TechNet article.

Identify the data to be exported from Google Vault 

The key to a successful Google Vault migration is to properly identify the data you want to extract from Google Vault. The key to getting data out of Google Vault is to search for it and then export the search results. The search is the key to successfully exporting the data required. To correctly search the data, use Google Search Terms to target the data required. BitTitan Google Vault Extractor will programmatically search, export, and download the results automatically and at scale. 

It is recommended that you review the Google Vault Best Practices Guide and Use the Google Vault Extractor for more information.  

Search, Export, and Upload Files (to Azure) using BitTitan Google Vault Extractor and UploaderWiz 

  1. From the Export Server, open an administrative command prompt. 
  2. Navigate to your working directory.
  3. Run the command to Search, Export, Download, and Upload (optional). Build your export command depending on the data export requirements.

    GoogleVaultExport.lnk -process-start-args "-command exportandupload -clientid GOOGLE CLIENT ID -clientSecret GOOGLE CLIENT SECRET -NewEmailsTimeout 86400000 -CompressionTimeout 86400000 -inputFile C:\GVault\input.txt -outputFolder c:\GVault\Export -uploadAccessKey AZURE CLIENT -uploadSecretKey AZURE SECRET KEY -uploadBucketName AZURE BUCKET -searchTerms ""label:^deleted AND -label:^Chats"""

    Example: Search, Export, Download, then Upload automatically not using your own Google Vault OAuth Client API Setup: 
    GoogleVaultExport.lnk -process-start-args "-command exportandupload -NewEmailsTimeout 86400000 -CompressionTimeout 86400000 -inputFile C:\GVault\input.txt -outputFolder c:\GVault\Export -uploadAccessKey AZURE CLIENT -uploadSecretKey AZURE SECRET KEY -uploadBucketName AZURE BUCKET -searchTerms ""label:^deleted AND -label:^Chats""" 

  4. This will automatically launch a browser window for authentication. Log in with the Google Administrator Account and select that account to authenticate for access to Google Vault data.

    Important

    To switch to a different Google Administrator account after logging in, you can use the reset option:
    GoogleVaultExport.exe "-comand reset"

    blobid1.png

  5. Once access is granted, the extractor will run in the command window.
  6. When completed: 

    1. Confirm that all expected Google Vault data is available in the Azure BLOB if you used the option to extract and upload or

    2. Manually upload the results to the Azure BLOB if you used the option to only extract.

  7. Troubleshooting:
    1. Run the extraction again. The extractor will skip any users with a .done file and only re-try the ones with a .fail.
    2. Refer to the Troubleshooting Google Vault Extractor KB article.

Important

Storage management is critical on the Export Server.

Prepare the Destination Environment 

Important 

If you are migrating into the Recoverable Items Folder of the mailbox, make sure the user is on Litigation Hold in Microsoft 365. If you do not, the data will be automatically deleted in Microsoft 365. 

Modern Authentication Requirements

The steps listed in the Required Permission for Performing M365 Mailbox and Archive Migrations article apply to both the source and destination tenant when they are Exchange Online, in regards to Exchange Web Services (EWS) in the mailbox, and archive mailbox. Use a Global Administrator for the configuration steps.

Please review the documentation before preparing the destination.

Create a Migration Service Account

Create a migration service account in Microsoft 365 for the tenant, this account does not require any admin role assigned. However, it must have full access to the user mailboxes or have the required API Permissions.

We recommend adding the necessary API permissions to the Modern Authentication app you are using for your O365 mailbox or archive mailbox endpoint. You can follow the steps outlined in this guide, as this is BitTitan's recommended approach.

However, you can still use the BitTitan impersonation approach if you already have a service account with the Application Impersonation role already assigned. Microsoft is phasing out RBAC Application Impersonation in Exchange Online and no longer allows the assignment of this role to new accounts.

Set Up User Accounts

Set up user accounts on the destination Office 365 tenant and assign licenses. These can be created in several ways. (The following links are to external articles.)

MigrationWiz Steps 

Create a Personal Archive Migration Project

Create a Personal Archive Migration project.

  1. Click the Go to My Projects button.
  2. Click the Create Project button.
  3. Select Personal Archive Migration.
  4. Click Next Step.
  5. Enter a Project name and select a Customer.
  6. Click Next Step.
  7. Select endpoints or follow the steps below to create new ones.
  8. Click Save Project.

Endpoints

Endpoints are created through MigrationWiz. If you select an existing endpoint from the dropdown, it will only show ten endpoints. If you have more than ten, you may need to search it.

Consider that endpoint search is case and character-specific. For example, Cust0mer will not show up if the search is customer. We recommend keeping a list of endpoints you have created, along with any unique spellings or capitalization you may have used.

Create your Endpoints

Please review the following tabs to create your destination and source endpoints.

Source Endpoint Destination Endpoint

Create your source endpoint by following the next steps:

  1. Click New.
  2. Name the endpoint.
  3. Select type Google Vault (Azure Storage).
  4. Enter the Storage Account Name and Access Key in the fields provided. 
  5. Click Add.
  6. Click Next Step.

Application (client) ID, Directory (tenant) ID, and Client Secret

For Microsoft 365 Mailbox and Archive migrations, MigrationWiz adds the Application (client) ID, Directory (tenant) ID, and Client Secret fields.

While the Application (client) ID and the Directory (tenant) ID are mandatory, the Client Secret field is not. It will depend on the permissions of the user account that performs the migration. Please review the following information before the creation of your M365 endpoints.

  • The client secret value is not mandatory if you use delegated permissions. Please leave the Client Secret field empty.

  • The client secret value is mandatory if you use the Application Impersonation using API Permissions approach.

  • If you already have a migration service account with the Impersonation role enabled (not using the Application Impersonation using API Permissions approach) the client secret value is not mandatory. Please leave the Client Secret field empty.

For more information about how to get the Application (client) ID and Directory (tenant) ID values from the Application Registration, please review step 3 of this article.

Region of Destination Tenant

The Region of Destination Tenant feature optimizes migration performance and speed by identifying the region closest to the destination tenant (continent-level). For Microsoft 365 endpoints, MigrationWiz detects and selects the appropriate region automatically once you create and save your project.

Please note that each time you edit your project endpoints, the following message will appear at the top of your project window (where XXXX is the detected region):

Automatically detected destination tenant's region and assigned to the 'BitTitan Datacenter' in XXXX.

For this migration type, you cannot manually change the region of the destination tenant. In case you need to modify it, contact our support team.

Endpoint Validation

Once the information has been provided for both, the source and destination endpoint, and the customer selects Save and Go to Summary, MigrationWiz performs an endpoint validation check.

This validation tests the migration service credentials entered into the project and the Modern Authentication setup only. If there is an issue, the screen redirects to the endpoint and provides an error message or flyout that can be selected for more information regarding the error.

Common Errors when Configuring Your Endpoint

For more information on the AADSTS700016, AADSTS90002, and ADDSTS50126 issues review the Common Errors Using Modern Authentication page.

Add Items

  1. Select Add > Autodiscover Items. 
  2. Edit Destination email addresses as needed to set the Destination mailbox to ingest each file into.  
  3. Click the Edit Item icon to the right of the row.  
  4. Under Destination Email Address, enter the mailbox this file will be ingested into.

Advanced Options

Support Tab

Add the following advanced options:

  • GoogleVaultCustomEndpointSuffix=Azure URI This allows you to choose your Azure location. 

Filtering Tab

When “Recoverable Items' is selected, add the folder filter ^(?!Permanently Deleted) to prevent incorrect migration statistics. Note that without this Folder filter, MigrationWiz will map all source folders to the destination “Deletions” folder which causes migration statistics to be incorrect.

mceclip0.png

Source/Destination Tab

Set the Destination to migrate data into DESTINATION: MICROSOFT OFFICE 365 > Migrate to: Mailbox or Archive or Recoverable Items. 

Best practices recommend you migrate into the Recoverable Items Folder so the user does not have access to the data. The default setting is Mailbox in MigrationWiz.

Audit Log Options Tab

Enable Audit Logging. This option provides a detailed audit trail and log of all the actions taken during a migration. The audit log includes entries for actions performed against items, such as item read at the Source, item skipped, item created at the Destination, item-level errors that occurred during migration, etc. These are logged to a SQL Azure database that you create and own. You are then able to build on top of the data by creating customized reports that provide the transparency necessary for security and compliance.

Run Verify Credentials

You may verify the credentials of items in MigrationWiz without migrating data or consuming any licenses.

  1. Open the Project containing items you wish to validate.
  2. Select the items you wish to validate.
  3. Click the Start button in your dashboard.
  4. Select Verify Credentials from the drop-down list.

Notify Users

Notify users that a migration is occurring. Send an email to all users telling them the time and date of the migration. 

Perform a full migration pass

Delta migrations are not supported for Google Vault migrations. Google Vault migrations only require a single Full Migration pass.

  1. Check the box next to the line item you wish to migrate. 
  2. From the top navigation, click Start then select Full Migration.
  3. Under the Select what to migrate section, choose which item types to migrate. 
  4. Click Start Migration

Request Statistics

Click the pie chart icon in the MigrationWiz dashboard to receive an email containing all the project migration statistics. 

Post-Migration Steps 

The following can be deleted: 

On the Google Vault admin portal:

  1. Matter files that were created for each query 

  2. Downloaded Matter files 

  3. The client OAuth Client API (if one was created)

On the client computer being used to run the Google Vault Extractor:

  1. The Google Vault Extractor and directory 

On Azure:

  1. Azure storage containers used for uploading the extracted matter files into.
  2. The Azure storage account, if it was set up just for the Google Vault project.

On MigrationWiz

  1. Your Google Vault MigrationWiz project

    Important

    This is optional because MigrationWiz has a 180-day auto-delete policy.

On Office 365

  1. Endpoints that were created for this project 

  2. If a separate account was created for migrating the Google Vault items to Office 365 (e.g., migrationwiz@domain.com), this account can be deactivated and removed.

Related Topics

Was this article helpful?
0 out of 0 found this helpful