This is due to a Google Workspace limitation.
General and Source Platform prerequisites
Setting up a service account and Google APIs
General and Source Platform prerequisites
Setting up a service account and Google APIs
Destination Platform prerequisites
Obtaining the Service Account Key File
- Go to https://console.cloud.google.com/
- Ensure your project is set at the top of the screen.
- To create the Service Account Key File, go to IAM & Admin > Service Accounts from the left menu
- Go to any active service account (preferable) or create a new one.
- Select the Keys tab.
- Select Add Key > Create New Key > JSON
- You will need to upload the Service Account JSON key file later when configuring the Archive feature in CloudM Manage. Keep the file confidential as it allows full access to your archive.
Creating a Key Ring and Key
- Search for KMS in the search field, or select Security > Key Management
- Select Create Key Ring. The name can be set to the same as the bucket name.
- Ensure the keyring location matches the bucket location (europe-west1 or us-central1)
- Click Next,
- On the Create Key screen, use the same Key name as the Key ring name (optional),
- Leave all the other settings as default except Rotation Period,
- Set Rotation Period to Never (manual rotation) and select Create.
- Copy the Resource name of the KMS key that you have just created (by selecting the 3 dot ellipsis under Actions and clicking Copy resource name)
The key ring and key are used to encrypt the blob storage and should not be removed or deleted at any point. If they are removed or deleted, the blobs in the storage bucket will become inaccessible.
Creating a Bucket
- From the Navigation menu (accessed by selecting the "Hamburger" Menu icon in the top left of the screen), go to CloudStorage>Bucket and select CreateBucket > Set to specific region (europe-west1 or us-central1), as set in step 3 of the Creating a Key Ring section above (if completed).
- Make sure to use a prefix for the bucket name (e.g. archive-test) so that you can quickly identify the bucket.
- Leave all settings to default except for Advanced Settings,
- Under Advanced Settings, select Google-managed key in the Encryption section,
- Click Save to create the Bucket.
Adding permissions to the Service Account
The owner is the only one with permissions to add members, and you will need someone to do this for you if you do not have the relevant permissions.
- Go to IAM & Admin > Service Accounts and select the service account that you created the Service Account JSON key file on,
- Copy the Email address in the Service account details section,
- Go to Cloud Storage>Bucket and then select the bucket you created earlier,
- Click on the Permissions tab and select Add a permission,
- Paste the email from step 1 in to the members field,
- Add Storage Admin and Storage Object Admin roles and Save,
Adding permissions to the Storage Bucket and KMS CryptoKey (optional)
The owner is the only one with permissions to add members, and you will need someone to do this for you if you do not have the relevant permissions.
- Go to Cloud Storage>Settings,
- Copy the Service Account email (under the Cloud Storage Service Account section) and add the roles in the previous step to this email as well,
- Click on the KMS key you created in Security>Cryptographic Keys. On the next page, where only the specified KMS Key should be listed, click on it again.
- Click on Permissions>Add Member, in the panel on the right side of the screen.
- Click on the Show Info Panel option if you cannot see the panel.
For more information on KMS keys, please refer to the Using customer-managed encryption keys article on the Google Cloud help site. |
Configure Source Platform settings
Google Cloud Storage
Account Details
- Domain Name – The name of the Google domain to migrate from. This may be either a primary or secondary domain. Note: you can only migrate users to one domain at a time. If you have both primary and secondary domain users, they must be processed in separate migrations.
- Authentication Method - Set whether to use a P12 key or a JSON key as the authentication method.
- Service Account Email Address - Before attempting to configure CloudM Migrate, you should have created a Google Cloud platform project and created a service account for it. If you have selected to use a P12 key, you will need to input the service account's email address in this field.
- Private Key - The file path to the P12 or JSON key that was generated and downloaded when creating the OAuth service account.
Google Cloud Storage Details
- Bucket Name - The name of the bucket that has been created in the Google Cloud Platform, under Storage > Browser.
Google Cloud Storage Options
- List Objects Page Size - The maximum number of results to return for individual queries to the Storage API.
Decryption Options
- Decryption Key File Path - The location of your decryption key file.
Configure Destination Platform settings
Google Cloud Storage
Account Details
- Domain Name – The name of the Google domain to migrate to. This may be either a primary or secondary domain. Note: you can only migrate users to one domain at a time. If you have both primary and secondary domain users, they must be processed in separate migrations.
- Authentication Method - Set whether to use a P12 key or a JSON key as the authentication method.
- Service Account Email Address - Before attempting to configure CloudM Migrate, you should have created a Google Cloud platform project and created a service account for it. If you have selected to use a P12 key, you will need to input the service account's email address in this field.
- Private Key - The file path to the P12 or JSON key that was generated and downloaded when creating the OAuth service account.
Google Cloud Storage Details
- Bucket Name - The name of the bucket that has been created in the Google Cloud Platform, under Storage > Browser.
Google Cloud Storage Options
- Max File Size - The maximum size of the files to be uploaded (in bytes).
- Compress Objects - Compress the objects before they are uploaded. Setting to True will use less cloud storage space at the expense of slowing down the import.
Encryption Options
Please note that only one encryption method is required - either KMS or Encryption Key File.
- KMS Key Full Name - The full name of the Google Cloud key management service key. The service account must have the Encrypter / Decrypter role on the key. Please note that the service account referred to here is Cloud Storage service account and not the service account for migration.
-
Encryption Key File Path (.gkey) - OPTIONAL - If you select Customer-managed key rather than the recommended Google-managed key for your bucket, you will need to supply your own local encryption key from a file.
- See https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys to generate the key file, which should be a text file containing a 32 bytes base64 string saved as XXXX.gkey
For more information on KMS keys, please refer to the Using customer-managed encryption keys article on the Google Cloud help site. |
Select which users to migrate
It's now time to add which users you'd like to migrate.
When migrating, you may be able to Get Users from the actions menu. If this option is unavailable, you can manually import users via a CSV file or simply add them individually via the plus icon.
Selecting a star next to any specific user or users will prioritize their migration. When a migration starts, threads will be assigned to any starred user so that their migration can start immediately.
At this point you can choose what to migrate for each user, you can migrate mail, contacts and calendars.
Enter your user's full email address within the Export Name field. If you have already created your Office 365 users then you will just need to enter their username.
Select how much mail to migrate
CloudM Migrate lets you decide how much mail you'd like to migrate to your shiny new system.
If you are changing your email address as part of the migration you can verify that the domain names are correct here. You can also specify specific address replacements in the respective section of the advanced settings.
For more information on domain and address replacements, see this page.
Start your migration
We know that you may want to start your migration in the middle of the night, or over the weekend, but we don't expect you to stay up in order to do so. With CloudM Migrate, you can decide to schedule exactly when you'd like the migration to occur.
Start the migration.
Review your migration results
During the migration process, CloudM Migrate will report back in real time exactly who is being migrated and the items being processed. All you now need to do is sit back, relax and wait for your migration to complete.
Check the progress of your migration.
Once complete you can download a full report for your migration.