This guide covers the steps necessary to migrate an instance of Google Vault to Microsoft 365.
This migration guide contains the necessary steps to perform the actual migration, but there are many steps to preparing for migration. If this is your first time performing a migration, we have created a Migration Planning & Strategy Guide to walk you through planning, set-up, and general migration best practices.
Archived Email Folders and emails are able to be migrated from Google Vault only.
MigrationWiz is a migration tool, not a syncing tool. If changes are made at the source after migration, they will not sync to the destination, nor will changes made at the destination sync to the source. We do not have “live” monitoring of changes (as with a sync agent) and we cannot handle scenarios such as conflict resolution without user interaction.
We are not able to support migrations with two-factor or multifactor authentication.
The maximum file size for migration through MigrationWiz varies by migration type and environment, but may never exceed 60GB.
Items located in the root folder of the mailbox are not migrated.
Prerequisites for Google Vault Migrations
Migrating from Google Vault is a three-step process:
- Identify the data to be exported from Google Vault.
a. Complete export or targeted data.
2. Search, Export and Upload Files (to Azure) using BitTitan Google Vault Extractor.
a. Search Google Vault.
b. Export and download the contents from Google Vault.
c. Use UploaderWiz to upload the locally stored files to Azure Blob storage.
3. Migrate the data using MigrationWiz.
a. It is suggested to migrate the results into the Recoverable Items Folder in the primary Microsoft 365 mailbox, but can be migrated to any location (Primary mailbox or Archive mailbox).
Export Server: It is required that BitTitan Google Vault Extractor be run from a locally managed server. This export server is setup and maintained by the customer. The export server is a requirement and not provided by BitTitan. This server can be a local workstation, on-premise server, or a virtual server.
Azure Storage Account (BLOB)
Buy an Azure subscription.
Create an Azure storage account. Note this information somewhere for use during the endpoint process.
- Visit https://portal.azure.com
- Click New.
- Select Storage > Storage account.
- Enter a name for your storage account.
- Choose Resource manager for the Deployment model.
- Choose Blob storage for the Account kind with Standard performance. If you are using the v2 endpoint for a document migration, do NOT select Blob Storage, you will instead need to select STORAGEV2 (general purpose v2) with Standard performance.
- In the Replication field, select Locally Redundant Storage (LRS).
- Select the subscription in which you want to create the new storage account.
- Specify a new resource group or select an existing resource group.
- Select the geographic location for your storage account.
- Do NOT select to enable Data Lake Storage Gen2.
- Click Create to create the storage account.
- Now the storage account appears in the storage list.
To obtain your Access Key
- Log on to the Azure portal
- Click Dashboard.
- Click All Resources.
- Click All subscriptions.
- Click Storage Account name .
- Click Settings.
- Click Access Key.
- Make a note of the Storage Account Name and the Primary Access Key. These will need to be entered when creating your MSPComplete Destination Endpoint.
Create an Azure public blob container named migrationwiz. Confirm that the blob container is empty and accessible. Migrationwiz is the default container name that MigrationWiz looks for. This can be modified in the Advanced Options of the MigrationWiz project.
Google Vault OAuth Client API Setup
BitTitan’s Google Vault Extractor allows for the use of your own OAuth Client API, rather than the BitTitan shared API. This option has many benefits and allows for greater control over throttling and security. It’s not a requirement of the migration, but BitTitan recommends this option.
List of Users to Export
BitTitan’s Google Vault Extractor requires a .txt file with the email addresses of the users that need to be extracted. As part of migration planning, you will need to consider batching the users into multiple text files. The extractor will systematically work its way down the list and process each user in a serial means. It is recommended that each user list contains no more than fifty users to easily manage the batch. You will also need to plan out the storage requirements for the list of users. If the list contains fifty users and those fifty users add up to 100GB in exported data volume, the local export server needs to have the required free space.
Sample input file:
Microsoft 365 Mailboxes
Important note: If you are migrating into the Recoverable Items Folder of the users mailbox, make sure the user is on Litigation Hold in Microsoft 365. If you do not, the data will be automatically deleted in Microsoft 365. Learn how to place the mailboxes on Litigation Hold from this TechNet article.
Identify the data to be exported from Google Vault
The key to a successful Google Vault migration is to properly identify the data you want to extract from Google Vault. The key to getting data out of Google Vault is to search for it then export the search results. The search is the key to successfully exporting the data required. To correctly search the data, use Google Search Terms to target the data required. BitTitan Google Vault Extractor will programmatically search, export, and download the results automatically and at scale.
Search, Export and Upload Files (to Azure) using BitTitan Google Vault Extractor and UploaderWiz
1. From the Export Server, open an administrative command prompt.
2. Navigate to your working directory.
3. Run the command to Search, Export, Download and Upload (optional). Build your export command depending on the data export requirements
Example: Search, Export, Download, then Upload automatically using your own Google Vault OAuth Client API Setup:
GoogleVaultExport.lnk -process-start-args "-command exportandupload -clientid GOOGLE CLIENT ID -clientSecret GOOGLE CLIENT SECRET -NewEmailsTimeout 86400000 -CompressionTimeout 86400000 -inputFile C:\GVault\input.txt -outputFolder c:\GVault\Export -uploadAccessKey AZURE CLIENT -uploadSecretKey AZURE SECRET KEY -uploadBucketName AZURE BUCKET -searchTerms ""label:^deleted"""
Example: Search, Export, Download, then Upload automatically not using your own Google Vault OAuth Client API Setup:
GoogleVaultExport.lnk -process-start-args "-command exportandupload -NewEmailsTimeout 86400000 -CompressionTimeout 86400000 -inputFile C:\GVault\input.txt -outputFolder c:\GVault\Export -uploadAccessKey AZURE CLIENT -uploadSecretKey AZURE SECRET KEY -uploadBucketName AZURE BUCKET -searchTerms ""label:^deleted"""
4. This will automatically launch a browser window for authentication. Log in with the Google Administrator Account and select that account to authenticate for access to Google Vault data.
Note: To switch to a different Google Administrator account after logging in, you can use the reset option GoogleVaultExport.exe "-command reset".
5. Once access is granted, the extractor will run in the command window.
6. When completed:
a. Confirm that all expected Google Vault data is available in the Azure BLOB, if you used the option to extract and upload or
b. Manually upload the results to the Azure BLOB if you used the option to only extract.
Note: The extractor will download two files from Google; the compressed zip folder with the data and an XML file, and a .done file, which indicates a successful extraction. It will do this for each user in the input file. If the extractor fails on a user, it will create a .fail file for the user.
a. Run the extraction again. The extractor will skip any users with a .done file and only re-try the ones with a .fail.
b. Refer to the Troubleshooting Google Vault Extractor KB article.
Note: Storage management is critical on the Export Server.
Prepare the Destination Environment
Important note: If you are migrating into the Recoverable Items Folder of the mailbox, make sure the user is on Litigation Hold in Microsoft 365. If you do not, the data will be automatically deleted in Microsoft 365.
Create the admin account
Add an admin in Microsoft 365 to use for this migration, or use the global admin account for the tenant.
Set up accounts
Set up accounts on Microsoft 365 and assign licenses. These can be created in several ways:
Modern Authentication Requirements
The steps listed below apply to both the source and/or destination tenant when they are Exchange Online, in regards to Exchange Web Services (EWS) in mailbox, archive mailbox, and public folder projects. Use a Global Administrator for the configuration steps.
For setup steps that include images, see under Enabling Modern Authentication for EWS between MigrationWiz and your Exchange Online Tenant in the following KB: Authentication Methods for Microsoft 365 (All Products) Migrations
Important: Failure to perform the steps for your Microsoft 365 endpoints, can result in failed jobs with 401 errors like the following in your project: Http POST request to 'autodiscover-s.outlook.com' failed - 401 Unauthorized
The administrator account being used for the project needs to be excluded from any MFA/2FA policies or Conditional Access policies that can block access for the administrator account. This requirement does not apply to the items or users being migrated in the project.
Configuring Modern Authentication to work with MigrationWiz for mailbox, archive mailbox, and public folder projects in Exchange Online is now the default method after Microsoft discontinued support for Basic Authentication in Exchange Online after December 2022. The following Microsoft documentation outlines this change in more detail. Should you have additional questions on how this change may impact your tenant, please contact Microsoft to assist with providing that information: Deprecation of Basic authentication in Exchange Online
The Azure Security Defaults must also be disabled in the tenant. (This is often enabled by default for all new Exchange Online tenants and there is no workaround for this requirement). For steps on where to enable/disable the Azure Security Defaults, see Enabling security defaults in the following Microsoft documentation. To disable, set Enable Security defaults to No: Security defaults in Azure ADModern Authentication Steps
- Log in to the Azure AD admin console with a Global Administrator login.
- Select Azure Active Directory in the Azure Active Directory Admin Center.
- Select App Registrations, which is found under Manage.
- Select New Registration at the top of the screen.
- Give the app a distinct name. You can change this later if necessary.
- Select the Accounts in any organizational directory button.
- Under Redirect Uri, select Public Client (mobile & desktop) and set it to urn:ietf:wg:oauth:2.0:oob
- Click Register.
- Go back to App registrations.
- Select the App you just created.
- In the Overview, you will find a ClientId (aka Application) and Directory (Tenant) ID.
- Copy both of these to another application, such as Notepad, for use later in this process.
- Under the Manage menu, select Authentication.
- Set the option Allow public client flows to Yes.
- Click Save.
- From the Manage menu, select API permissions.
- If API permission named User.Read under Microsoft Graph is already present, this can be removed. The Microsoft Graph API is not applicable to this project type and is not used.
- Select Add a Permission.
Select APIs my organization uses
Scroll down and select Office 365 Exchange Online
Then select Delegated Permissions
- Check the box under EWS for EWS.AccessAsUser.All.
- Click Add permissions. This permission only allows the OAuth application (MigrationWiz) to be associated with EWS.
- Important: This does not grant access to all mailbox data.
- Click Grant admin consent.
- Click Yes to confirm the settings.
- In MigrationWiz, select the project that needs to be configured for Modern Authentication.
- Click the Edit Project menu.
- Select Advanced Options.
- Under Support Options enter the ClientID and TenantID information you saved earlier in the following format:
- If enabling Modern Authentication for the Source:
- If enabling Modern Authentication for the Destination:
- Enter the specific ClientID and TenantID for your tenant in place of the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
- These options can be entered for either the Source or the Destination, or both, depending on the settings on the tenants.
- These options need to be configured for each MigrationWiz project that needs to have Modern Authentication enabled.
- If enabling Modern Authentication for the Source:
- Run a Verify Credentials to confirm that MigrationWiz can connect using Modern Authentication.
- Click on the item that was verified. There will be a message in the MigrationWiz Migration Information page that Modern Authentication is being used. This message will show in the “Migration Errors” box; however, it is not an error. This is just a message confirming that Modern Authentication is now active and being used for the connection.
We recommend that you purchase the User Migration Bundle license for this migration scenario. User Migration Bundle licenses allow multiple types of migrations to be performed with a single license. They also allow DeploymentPro to be used to configure Outlook email profiles. For questions on licensing, visit MigrationWiz Licenses
To purchase licenses:
- Sign in to your BitTitan account.
- In the top navigation bar, click Purchase.
- Click the Select button and choose User Migration Bundle licenses.
- Enter the number of licenses you want to purchase. Click Buy Now.
- Enter a Billing address if applicable.
- Click Next.
- Review the Order Summary and enter a payment method.
- Click Place Your Order.
Create a Migration Project
Create an Personal Archive Migration project.
- Click the Go to My Projects button.
- Click the Create Project button.
- Select Personal Archive Migration.
- Click Next Step.
- Enter a Project name and select a Customer.
- Click Next Step.
Endpoints are now created through MigrationWiz, rather than through MSPComplete. The steps for this section outline how to create the endpoints in MigrationWiz.
If you are selecting an existing endpoint, keep in mind that only ten endpoints will show in the drop-down. If you have more than ten, you may need to search. Endpoint search is case and character specific. For example, Cust0mer will not show up if the search is customer. We recommend keeping a list of endpoints you have created, along with any unique spellings or capitalization you may have used.
Select a Google Vault (Azure Storage) source endpoint or create a new endpoint.
- To create a new source endpoint:
- Click New.
- Name the endpoint.
- Select type Google Vault (Azure Storage).
- Enter Storage Account Name and Access Key in the fields provided.
- Click Add.
- Click Next Step.
Select an existing Office 365 destination endpoint or create a new destination endpoint.
- To create a new destination endpoint:
- Click New.
- Name the endpoint.
Select Office 365 for the endpoint type.
Fill in the required fields.
- Click Add.
- Click Next Step.
- Click Save and Go to Summary.
- Select Add > Autodiscover Items.
- Edit Destination email addresses as needed to set the Destination mailbox to ingest each file into.
- Click the Edit Item icon to the right of the row.
- Under Destination Email Address, enter the mailbox this file will be ingested into.
Set the Project Advanced Options
- Set the Destination to migrate data into: DESTINATION: MICROSOFT OFFICE 365 > Migrate to: Mailbox or Archive or Recoverable Items. Best practices recommend you migrate into the Recoverable Items Folder so the user does not have access to the data. The default setting is Mailbox in MigrationWiz.
When “Recoverable Items' is selected, add the folder filter
^(?!Permanently Deleted)to prevent incorrect migration statistics. Note that without this Folder filter, MigrationWiz will map all source folders to destination “Deletions” folder that will cause migration statistics to be incorrect.
- Optional: Add GoogleVaultCustomEndpointSuffix=Azure URI under Support/Support options. This allows you to choose your Azure location.
- Optional: Enable Audit Logging. This option provides a detailed audit trail and log of all the actions taken during a migration. The audit log includes entries for actions performed against items, such as item read at the Source, item skipped, item created at the Destination, item-level errors that occurred during migration, etc. These are logged to a SQL Azure database that you create and own. You are then able to build on top of the data by creating customized reports that provide the transparency necessary for security and compliance.
Run Verify Credentials
You may verify the credentials of items in MigrationWiz without migrating data or consuming any licenses.
- Open the Project containing items you wish to validate.
- Select the items you wish to validate.
- Click the Start button in your dashboard.
- Select Verify Credentials from the drop-down list.
Once complete, the results of the verification will be shown in the Status section.
Notify users that a migration is occurring. Send an email to all users telling them the time and date of the migration.
Perform a full migration pass
Delta migrations are not supported for Google Vault migrations. Google Vault migrations only require a single Full Migration pass.
- Check the box next to the line item you wish to migrate.
- From the top navigation, click Start then select Full Migration.
- Under the Select what to migrate section, choose which item types to migrate.
- Click Start Migration.
Click the pie chart icon in the MigrationWiz dashboard to receive an email containing all the project migration statistics.
The following can be deleted:
- On the Google Vault admin portal:
a. Matter files that were created for each query
b. Downloaded Matter files
c. The client OAuth Client API (if one was created)
2. On the client computer being used to run the Google Vault Extractor:
a. The Google Vault Extractor and directory
3. On Azure:
a. Azure storage containers used for uploading the extracted matter files into
b. The Azure storage account, if it was set up just for the purpose of the Google Vault project
4. On MigrationWiz:
a. Your Google Vault MigrationWiz project
Note: This is optional because MigrationWiz has a 180-day auto-delete policy.
5. On Office 365:
a. Endpoints that were created for this project
b. If a separate account was created for migrating the Google Vault items to Office 365 (e.g., email@example.com), this account can be deactivated and removed.