This is a practice that we certainly do more often than the other way around, a company has found that they have outgrown Google Workspace and needs the Microsoft Office Suite to integrate into their workflow along with the far more diverse landscape of tools available.
While the process changes often, I’ve found that simple documentation to get the Google Workspace migration going from Office 365 is lacking right now, especially in authorizing the Google Cloud side of things.
I’m writing this as a bit of a reference piece for myself, but figured others may stumble across it, saving them hours of “why is this so difficult” when they may not know the ins and outs of Google Cloud… As I certainly would not claim I do.
- Make sure to go to https://cloud.google.com, accept the terms and create a default project
- You’ll need to start the free trial and associate a credit card, this won’t get charged but there needs to be a billing profile as far as I can tell.
- In the top left, choose the organization level instead of the project
- Go to the top level IAM & Admin, this should then say “Permissions for organization xyz.com”
- Edit the user you’re going to use for the migration, which I’m assuming is already a Super Admin, and make sure it has these roles, all of which may not be necessary but it certainly works:
- Billing Account Administrator
- Billing Account Creator
- Organization Administrator
- Organization Policy Administrator
- Project Creator
- I won’t claim to be a patient person, but I strongly believe after doing this you need to give it about 10 minutes. Grab a coffee, no doubt you’ll need it.
- Click the command icon in the top right to open the Shell [>_] and accept any terms etc
- In the URL you’re going to see organizationId=111111111111111 (it won’t be 1s obviously, but for my example that’s the number I’ll use) copy that number
- In the shell enter this command:
gcloud org-policies delete constraints/iam.disableServiceAccountKeyCreation –organization=111111111111111 - Back to that patience thing… give it 10 minutes then head back to the Exchange Admin Center
- Now go through the steps which will generate the JSON file and prompt you to save it, this creates the project in Google Cloud
- Make sure to follow the steps that appear just below when the JSON is created to add the Client ID and scopes here
- Pause at the step where it asks you to upload the CSV of users (this is just a text file formatted with EmailAddress at the top then the emails of the users you’re migrating one per line).
- Go to Google Cloud, click the project selector in the top left and under All find the project that was created, it will be projectname-xyz and coincide with the name of the JSON file that you downloaded.
- Go to APIs and Services – Enabled APIs and Services and make sure these are all enabled:
- Admin SDK API
- Gmail API
- Google People API
- Contacts API
- Google Calendar API
- Google Drive API
- Okay back to Exchange Admin, upload the CSV of users.
- The last step asks to validate the endpoint, I’ve never had this work, so skip it.
Okay that’s all the notes I have for now, realistically they should work but I find there’s always some fine tuning to do… the error in the migration will point you in the right direction. Also Google and Microsoft both love to change things up, so while this worked today, it may not tomorrow.
If you’re keeping the Google Workspace tenant, keep in mind you can change the users to Cloud Identity Free and setup Sync and SSO so that you have the best of both worlds, and your users have managed profiles in Chrome. You should also re-enable the security we disabled above to avoid future issues.
SSO – https://learn.microsoft.com/en-us/entra/identity/saas-apps/google-apps-tutorial
Provisioning – https://learn.microsoft.com/en-us/entra/identity/saas-apps/g-suite-provisioning-tutorial
Happy migrating 🙂