This setup is for both a source Google Workspace account and a Destination Google Workspace account.
Migrating from Google Vault
If you are migrating from Google Vault, billing must be enabled for the Google project being used for the migration. This is necessary to avoid very low Google Vault export quota limits.
Step-by-step guide
To create a service account and obtain the private key for the account
- Go to cloud.google.com/console
- Click the project selection menu in the blue navigation bar (1).
- Next to ‘Select from’ ensure the correct domain you are creating the service account for is selected (2).
- Click ‘NEW PROJECT’ (3).
- Enter a project name (1).
- Ensure the correct organization is selected (2).
- The location can be left as the default or changed at your discretion (3).
- Click CREATE (4).
- Click on the 'hamburger' menu icon next to "Google Cloud Platform" in the top left of the page (1).
- Click 'APIs & Services' (2), then 'Credentials' (3).
- Click CREATE CREDENTIALS (1), then select 'Service account' (2).
- Enter a service account name (1).
- Click ‘CREATE’ (2).
- In the ‘Select a role’ menu (1), click ‘Project’ (2), then select ‘Owner’ (3).
- Click CONTINUE (1).
- Click DONE.
- Click CONFIGURE CONSENT SCREEN (1).
- Select ‘Internal’, then click ‘CREATE’.
- Enter an application name (1) and enter a Support email and a Developer Contact Email.
- Click SAVE
- Navigate back to the ‘Credentials’ page (1).
- Click the edit button (pencil icon) on the service account that was created (1).
- Expand the ‘SHOW/HIDE DOMAIN WIDE DELEGATION’ dropdown (1) and check the ‘Enable G Suite Domain-wide Delegation’ checkbox to enable it (2).
- Click the ‘ADD KEY’ dropdown (3), then click ‘Create new key’ (4).
- Select ‘P12’ (1), then click ‘CREATE’ (2) - this will download the private P12 key file to be imported into CloudM Migrate.
- Close the ‘Private key password’ screen (1) as this is not needed.
- Click ‘SAVE’ (1).
- Notice the Oauth 2.0 Client ID has now appeared. Click the copy icon (1) to take a note of the client ID. This will need to be added to Google Workspace later.
- Take a note of the Service Account Email (2). This will need to be added to CloudM Migrate later.
- Navigate to the DASHBOARD page (3).
- Click ‘ENABLE APIS AND SERVICES’ (1).
- In the ‘Search for APIs & Services’ search box, enter ‘Admin SDK’.
- Click Admin SDK (1)
- Click ENABLE (1).
- The Admin SDK overview page is now shown. Click ‘APIs & Services’ (1) to navigate back to the main APIs & Services page.
- Repeat steps 30-34 to enable each of the required APIs:
- Admin SDK
- Google Drive API
- Gmail API
- Google Calendar API
- Contacts API
- Tasks API
- Groups Migration API
- G Suite Vault API (if you are migrating from Google Vault).
- Cloud Storage (if you are Migrating from Google Storage).
- If migrating Google Drive, open the Google Workspace Admin console and navigate to Apps > Google Workspace > Drive and Docs > Features and Applications and enable 'Allow users to access Google Drive with the Drive SDK API':
- Open the Google Workspace admin console and navigate to ‘Security > API Controls > Domain-wide Delegation’ (1). Here is a direct link: https://admin.google.com/ac/owl/domainwidedelegation?hl=en
- Click ‘Add new’ (2) then enter the Client ID from step 28 (3), the relevant OAuth scopes listed at the bottom of this page (4) then click ‘AUTHORIZE’ (5).
- Launch CloudM Migrate and navigate to either the ‘Source Platform’ or ‘Destination Platform’ page depending on what is being configured (1).
- Enter the Google Workspace tenant's primary domain name (2).
- Enter a super admin account email address (3).
- Enter the service account email address noted in step 29 (4).
- Upload the P12 certificate downloaded in step 25 (5).
- Click ‘Next’ to test API access (note: G Suite API access may take up to 60 minutes to propagate from the time it was granted).
If 'Source Platform Migration Settings > Google Workspace > Email Options > Use Limited Scopes' is set to 'True' use the following scopes:
Limited Scopes Source
- https://www.googleapis.com/auth/gmail.labels,
- https://www.googleapis.com/auth/gmail.readonly,
- https://www.googleapis.com/auth/admin.directory.resource.calendar,
- https://www.googleapis.com/auth/gmail.settings.sharing,
- https://sites.google.com/feeds/,
- https://www.google.com/m8/feeds,
- https://www.googleapis.com/auth/admin.directory.group,
- https://www.googleapis.com/auth/admin.directory.user,
- https://www.googleapis.com/auth/apps.groups.migration,
- https://www.googleapis.com/auth/calendar,
- https://www.googleapis.com/auth/drive,
- https://www.googleapis.com/auth/drive.appdata,
- https://www.googleapis.com/auth/email.migration,
- https://www.googleapis.com/auth/tasks,
- https://www.googleapis.com/auth/gmail.settings.basic
If 'Destination Platform Migration Settings > Google Workspace > Email Options > Use Limited Scopes' is set to 'True' use the following scopes:
Limited Scopes Destination
- https://www.googleapis.com/auth/gmail.labels,
- https://www.googleapis.com/auth/gmail.insert,
- https://www.googleapis.com/auth/admin.directory.resource.calendar,
- https://www.googleapis.com/auth/gmail.settings.sharing,
- https://sites.google.com/feeds/,
- https://www.google.com/m8/feeds,
- https://www.googleapis.com/auth/admin.directory.group,
- https://www.googleapis.com/auth/admin.directory.user,
- https://www.googleapis.com/auth/apps.groups.migration,
- https://www.googleapis.com/auth/calendar,
- https://www.googleapis.com/auth/drive,
- https://www.googleapis.com/auth/drive.appdata,
- https://www.googleapis.com/auth/email.migration,
- https://www.googleapis.com/auth/tasks,
- https://www.googleapis.com/auth/gmail.settings.basic
If 'Use Limited Scopes' is set as 'False' (default), use the below scopes
- https://www.googleapis.com/auth/admin.directory.resource.calendar,
- https://www.googleapis.com/auth/gmail.settings.sharing,
- https://mail.google.com/,
- https://sites.google.com/feeds/,
- https://www.google.com/m8/feeds,
- https://www.googleapis.com/auth/admin.directory.group,
- https://www.googleapis.com/auth/admin.directory.user,
- https://www.googleapis.com/auth/apps.groups.migration,
- https://www.googleapis.com/auth/calendar,
- https://www.googleapis.com/auth/drive,
- https://www.googleapis.com/auth/drive.appdata,
- https://www.googleapis.com/auth/email.migration,
- https://www.googleapis.com/auth/tasks,
- https://www.googleapis.com/auth/gmail.settings.basic
Migrating from Google Vault?
If you are migrating from Google Vault, please use these API Scopes:
- https://www.googleapis.com/auth/admin.directory.resource.calendar,
- https://www.googleapis.com/auth/gmail.settings.sharing,
- https://mail.google.com/,
- https://sites.google.com/feeds/,
- https://www.google.com/m8/feeds,
- https://www.googleapis.com/auth/admin.directory.group,
- https://www.googleapis.com/auth/admin.directory.user,
- https://www.googleapis.com/auth/apps.groups.migration,
- https://www.googleapis.com/auth/calendar,
- https://www.googleapis.com/auth/drive,
- https://www.googleapis.com/auth/drive.appdata,
- https://www.googleapis.com/auth/email.migration,
- https://www.googleapis.com/auth/tasks,
- https://www.googleapis.com/auth/gmail.settings.basic,
- https://www.googleapis.com/auth/ediscovery,
- https://www.googleapis.com/auth/ediscovery.readonly,
- https://www.googleapis.com/auth/devstorage.read_write
Service Account and Scopes Propagation Time
Similarly with the Service account and APIs, adding the Client and Scopes in the Google Workspace console may be subject to a propagation time of up-to two hours.
Check Connections for your Google Workspace platform in CloudM Migrate may not be successful immediately.
Comments
0 comments
Please sign in to leave a comment.