Transcription
Mail migrationAdmin guide for G Suite to Office 365 migrations
Copyright 2017 CLOUDIWAY. All rights reserved.Use of any CLOUDIWAY solution is governed by the license agreement included in your originalcontract.The copyright and all other intellectual property rights in the Software are and remain theproperty of CLOUDIWAY and/or its subsidiaries (“CLOUDIWAY”). The licensee shall not acquireany title, copyright or other proprietary rights in the Software or any copy than specified in.You may not attempt to copy, modify, alter, disassemble, de-compile, translate orconvert in human readable form, or reverse engineer all or any part of theFeatures and/or Data.You acknowledge that the Software and all related products (including but not limited todocumentation) are the subject of copyright. You therefore, shall not during or any time afterthe expiry or termination of this Agreement, permit any act which infringes that copyright and,without limiting the generality of the foregoing, You specifically acknowledge that You may notcopy the Software or Products except as otherwise expressly authorized by this Agreement.CLOUDIWAY provides this publication “as is” without warranty of any either express or implied,including but not limited to the implied warranties of merchantability or fitness for a particularpurpose. CLOUDIWAY may revise this publication from time to time without notice. Somejurisdictions do not allow disclaimer of express or implied warranties in certain transactions;therefore, this statement may not apply to you.Document historyDateEditorChange details14/10/2016 WRFirst publication20/01/2017 WRMail archiving sections updated screen dumps updated22/02/2017 WRUpdated performance section to include more detail31/03/2017 WRUpdated screen dumps for new platform; added rooms andequipment provisioning sectionMail migration: G Suite to Office 365Page i
Table of Contents11.1Mail migration with Cloudiway . 1Cutover migration . 11.1.1Cutover migration benefits . 11.1.2Cutover migration considerations . 11.2Staged migration . 21.2.1Staged migration benefits . 21.2.2Staged migration considerations. 21.3Supplementary tools . 31.3.1Automatic provisioning . 31.3.2Calendar free/busy . 32Security . 43Performance . 54Mail migration scope . 64.1What can be migrated? . 64.2Migration limitations . 64.3Considerations . 64.4Audience . 65Pre-migration configuration . 75.1Before you start. 75.2G Suite — Create and set up a service account. 85.3G Suite — Set permissions for the service account .105.4Office 365 — Set up account with impersonation privileges .125.5Recreate your resources (using provisioning) .136Use the Cloudiway platform to migrate your mail . 146.1Create your G Suite source connector .146.2Create your Office 365 target connector .166.3Create a partial archive from a normal inbox .186.4Configure the global settings for migration.196.5Import or create your users .21Mail migration: G Suite to Office 365Page ii
6.5.1Option 1: CSV import .216.5.2Option 2: Import Users tool .246.5.3Option 3: Single user creation details .246.6Recreate your resources (using provisioning) .266.7Activate and monitor your migration .286.8Migrate permissions globally.287Post-migration options . 307.1Link calendar meeting entries .307.2Migrate existing archive mailboxes .318Troubleshooting . 34Mail migration: G Suite to Office 365Page iii
1Mail migration with CloudiwayCloudiway's mail migration solution helps businesses perform elaborate technical migrations througha simple SaaS interface. As a result, mail migrations require no additional software installation oroverhead, and migrations can be performed securely and quickly.The Cloudiway platform is flexible enough to support all types of migration paths. Your migrationstrategy will depend on your business setup, type and size. Whichever migration path you choose,Cloudiway provides all the essential features including automatic account provisioning, licenseassignment, archive migration, mail routing and calendar coexistence (free/busy scheduling).Two of the most common migration strategies are cutover and staged migrations. Cutover strategiesinvolve migrating all mailboxes over a weekend, ready for your users on Monday morning. Stagedstrategies provide more flexible migration options, as discussed below.1.1 Cutover migrationYou migrate everybody over a weekend. This strategy is the simplest to implement. You can migrateyour mailboxes in a single pass migration or envisage a prestaging strategy where you run multiplemigration passes.Cutover migration is therefore a strategy where the entire company is switched at the same time.1.1.1 Cutover migration benefits Fastest, simplest form of migration.Your users can start using the new mail system immediately.New mails are received in the target messaging system.Old mails are migrated in a single pass.1.1.2 Cutover migration considerationsYou can combine your cutover migration with pre-staging, if required. In this case, during the days orweeks leading up to your cutover, you would migrate all mails up to a week or so ago along withcalendars and contacts, then on the day of your cutover, you would run a quick delta pass to migratethe remaining items.Mail migration: G Suite to Office 365Page 1/34
1.2 Staged migrationA staged migration allows you to migrate batches of mailboxes over the course of a few weeks ormonths. This strategy is useful for migrations with large volumes of data (very full mailboxes or manymailboxes) and you estimate that you won’t be able to do your migration over a single weekend.Cloudiway offers you additional flexibility in your approach to a staged migration. For example, youcould migrate the last six months of emails over a weekend and leave older emails and email archivesto be migrated after cutover, explaining to users that their older emails will appear soon.Prestaging is also an option on the Cloudiway platform. For example, you could perform a multi-passmigration where you migrate most mailbox items before performing the final cutover. During thedays or weeks leading up to your cutover, you would migrate all mails up to a week or so ago alongwith calendars and contacts, then on the day of your cutover, you would run a quick delta pass tomigrate the remaining items.Cloudiway provides a number of options to help you find the best strategy for a staged mailmigration. We provide coexistence services, plus mail routing, and batch migration of users, whichyou can define in any way you like. Basically, you can choose who, when and what gets migratedduring each pass.1.2.1 Staged migration benefits Many flexible migration strategies when using the Cloudiway platform.Allows more time before final cutover, avoiding tight deadlines.Complex migrations can be completed without disrupting end users.Can be performed in batches according to your needs.1.2.2 Staged migration considerationsStaged migrations tend to be more complicated than single cutover migrations. Therefore, it'simportant that you have planned your approach thoroughly prior to starting any migration.Mail migration: G Suite to Office 365Page 2/34
1.3 Supplementary toolsCloudiway has developed a number of tools to enable seamless migration for the most intricatemigrations. Our supplementary tools include: automatic account provisioning (users, distribution lists, shared contacts);mail routing; andcalendar free/busy display.These tools are available as additional modules, and therefore incur an extra cost. Please contact usfor more information on presales@cloudiway.com.1.3.1 Automatic provisioningAutomatic account provisioning is handled by the IAM module. It synchronizes your Active Directoryinfrastructure with Office 365 and lets you manage your cloud users from your local Active Directory.It synchronizes users, groups and contacts, and also provides real time password synchronization. Itsupports multi-domain and multi-forest environments and avoids costly directory consolidationprojects. Visit www.cloudiway.com for more information, or contact us.For a G Suite to Office 365 migration, it’s also possible to synchronize from G Suite to Active Directoryor Office 365 and to retrieve and synchronize objects that do not exist in your local Active Directory.1.3.2 Calendar free/busyCloudiway provides a coexistence tool for calendar free/busy time display. For example, a G Suiteuser on one can check the free/busy time of an Office 365 user. Coexistence manages cross-platformcommunication with no impact on the end user. It provides a seamless connection between twodifferent remote systems during migration.To discuss any of these supplementary tools further, please get in touch with your existing Cloudiwaycontact, or via sales@cloudiway.com.Mail migration: G Suite to Office 365Page 3/34
2SecurityWe take your privacy and security seriously at Cloudiway, and we have invested significant effort intomaking our platform and your data secure. Cloudiway provides a cloud-based application hosted inWindows Azure. It means that the software and data are centrally hosted and accessed by clientsusing a web browser and internet connection. In addition, Cloudiway's SaaS benefits from WindowsAzure's certifications, ensuring security of the infrastructure, network and physical security layers ofthe Cloudiway cloud.For total assurance, Cloudiway provides auditing tools, secure, authenticated data connections and alogging system. More specifically: Cloudiway doesn’t store your mail, files or site datathe migration takes place in memory only: the migration engine connects to the source, pullsdata and pushes it in real time;connections to the source and the target are done using HTTPS so no data is transferredunencrypted over the internet; and,nothing is stored internally: no data persists in the platform.**For the delta pass mechanism, the messageID of each email is used. This ensures that no data isduplicated, and for efficiency, only the changes are propagated. We automatically delete inactiverecords after 90 days, or upon request.In addition, because the Cloudiway platform needs credentials to connect to the source and thetarget, you define connectors to connect to them and enter credentials that will be used for theconnection. These credentials are stored encrypted using AES 256.For complete peace of mind, we recommend that you create a temporary migration account duringyour migration which you can delete at the completion of your project.Mail migration: G Suite to Office 365Page 4/34
3 PerformanceThere are several considerations regarding email migration performance. The Cloudiway migrationplatform uses all available resources to provide the fastest migration possible and can support bothsmall and large migrations. The on-demand migration engine allocates the capacity that you need tomigrate the volume of data of your choice in the time slot you have allocated.However, there are limitations. Many mail systems can heavily throttle users. When you perform toomany calls, the remote server will begin throttling and decrease the number of calls that can beperformed each minute, thus reducing the migration throughput. Cloudiway constantly attempts towork at the maximum capacity allowed to achieve excellent throughput.Google LimitationsGoogle limits migration to 2.5 GB per user per day. Usually, some additional data migration ispossible before throttling begins. When throttling does begin, the Cloudiway platform will attempt tomigrate 10 GB of data per user, then sleep for 6 hours and automatically restart the migration whereit left off.Office 365 limitationsOffice 365 uses throttling policies to limit the resources consumed by a single account. To maximizethroughput and limit throttling, Cloudiway follows Microsoft best practice and uses impersonation.An account that has impersonation privileges can impersonate 100 users concurrently to migrate 100mailboxes in parallel. The platform uses EWS (Exchange Web services) protocol; Microsofttheoretically allows throughput of around 300 MB per user per hour. The Cloudiway platformtypically sees throughput between 200 Mb and 300 MB per mailbox per hour. This gives an averagethroughput of around 500 GB per day with a constant migration of 100 concurrent mailboxes.If you wish to further improve throughput, you can create distinct migration accounts and createadditional connectors in the platform. For example, if you create two target Office 365 connectors(each with its own distinct migration account), you can migrate 200 mailboxes concurrently andreach a throughput of around 1 TB per day.Mailbox item count is also a factor: because Office 365 throttling policies limit migration to 1500 to1800 mails per user per hour. Therefore, a mailbox with 1,000,000 small emails will be slower tomigrate than a mailbox with 1,000 large mails containing attachments.Mail migration: G Suite to Office 365Page 5/34
4Mail migration scope4.1 What can be migrated?When migrating from G Suite to Office 365, all of the following mail-related items can be migrated: EmailsContactsCalendarsSecondary CalendarsLabels (primary label converted to folder; other labels discarded)DelegationsRooms and resourcesArchives (each mailbox requires one separate archive license)TasksProvisioning of users, distribution lists, shared contacts (requires additional IAM component)4.2 Migration limitationsG Suite uses labels rather than folders to organize emails, and users can apply multiple labels to asingle email. Office 365 mail doesn't use labels, so storage for each email is limited to one folder. TheCloudiway platform takes the first label applied to an email and creates a folder with the same name,where the email will be stored. Any additional labels are ignored during migration.Currently, inbound rules (including out of office rules) are not migrated from G Suite to Office 365.4.3 ConsiderationsMigration takes place between existing mailboxes. This means that mailboxes must exist in the targetat the time of migration. Before starting a migration, please ensure that all mailboxes to be migratedhave had their target mailbox created in the target domain (steps are included in this guide). Ifrequired, you can use the optional IAM module to provision the target.4.4 AudienceThis guide is aimed at experienced system administrators who are capable of connecting to remotesystems and using a variety of administration tools.Although we provide support for our own products, we do not provide support for third partyproducts such as PowerShell or server administration of Google or Exchange.If you are concerned you might have any difficulty completing these steps, please consider a solutionwith our consulting team, contactable via presales@cloudiway.com. This will ensure a fast, costeffective and stress-free implementation.Mail migration: G Suite to Office 365Page 6/34
5Pre-migration configuration5.1 Before you startBefore you start, you will need to ensure you have the details outlined in the following table.NameDescriptionLocationCloudiway loginStores details and providescommunication between thesystems you already use.https://apps.cloudiway.comKnowledge baseaccessOur extensive knowledge base isalways accessible, with videos,troubleshooting tools, samples andmore.http://kb.cloudiway.comG Suite APIconsoleRequired to enable APIs and todownload the G Suite private key.This can be accessed via your GoogleAdmin e AdminconsoleThe Admin console is whereadministrators manage Googleservices for people in anorganization.https://admin.google.comOffice 365account withimpersonationprivilegesUsed for impersonation to accessmailboxes (read or write). Thisdoesn't have to be the tenant'sadmin account. However, it must bean administrator account if you wishto migrate the permissions. Theaccount must be able to bypass SSOand authenticate usingusername/password credentials withthe format:user@tenant.onmicrosoft.com (witha password set to never expire).Exchange Admin Center.Mail migration: G Suite to Office 365We recommend you create a nonfederated domain account (on your*.onmicrosoft.com domain) especiallyfor mail migration. After all migrationsare complete, simply delete thisaccount. We provide steps below tohelp you set up an account withimpersonation privileges if you don'talready have one.Page 7/34
5.2 G Suite — Create and set up a service accountYou can create a project in your Google service account, where you can enable APIs and create aproject key. Cloudiway needs this key to open communication with G Suite.1.In your browser, go to http://console.developers.google.com to launch the Google APImanager2.Click on Credentials on the left. If you already have a project, you can jump to step 4. If youdon’t have any projects set up, you will need to create one before you continue.3.Click on the Create a project button, and add a meaningful name to Project name (such as‘Cloudiway’) and click the Create buttonA message might appear prompting you to create credentials. If it does, you can simplyignore it for now (we'll create them later).4.Click on Library on the left to display a search bar for Google APIs5.Type Google Calendar API and search for it (information about the API will bedisplayed)Mail migration: G Suite to Office 365Page 8/34
6.Click on the ENABLE API linkOnce the API has been enabled (the link will change to display DISABLE): some other APIsmight be automatically enabled (but only Google Calendar API is required for coexistence).You can check which APIs are activated by clicking on Dashboard on the left.7.Search for the following APIs and enable them:CalDAV APIContacts APIGmail APITasks API8.Click on Credentials on the left and from the Create credentials button, click on Serviceaccount key. The following screen will appear:9.Click on New service account from the dropdown menu10.Give the service account a recognizable name in Service account name (such as ‘Cloudiwaymail migration'); you can leave the Role field unselected as it's not used by Cloudiway11.Click on the P12 radio buttonMail migration: G Suite to Office 365Page 9/34
12.Click on the Create buttonThe following message will appear:13.Once you have read and understood the message (and take note of where the downloadedkey is: you will need to upload it to Cloudiway later), click on the Close button14.At the far right of the screen, click on the link for Manage service accounts15.A list of service accounts will appear. Find the one with the name you just created, and clickon the option dots ( ) on the far right, then select Edit16.Tick the checkbox for Enable G Suite Domain-wide Delegation and type a product name intoProduct name for the consent screen, if prompted:17.Click on the Save button5.3 G Suite — Set permissions for the service accountAfter you’ve created a service, you can use the Google Admin console to manage the service and itsAPI calls. The following steps show you how to grant access permissions for the service account youcreated in the previous steps.1.Ensure that you are still logged in to http://console.developers.google.com and from ServiceAccounts on the left, locate the Cloudiway mail migration service account2.Click on View Client ID on the far right, and copy the number displayed in Client IDMail migration: G Suite to Office 365Page 10/34
3.In a new browser tab, go to https://admin.google.com and login with your Admin consolecredentials4.Click on Security, then Advanced settings (you might need to click on Show more to see this)5.Click on Manage API client access6.Paste the number you copied into Client Name7.Click in the One Or More API Scopes field and add the following TE: 1. Each scope must be separated by a comma.2. Some scopes require slashes (/) at the end and others don't: please use the above strings.3. If you add another scope later, existing scopes will be removed: you need to add the wholelist at the same time.8.Click on the Authorize button9.You can check that the scopes were successfully registered by looking for the names next tothe client ID you pastedMail migration: G Suite to Office 365Page 11/34
5.4 Office 365 — Set up account with impersonation privilegesAn Office 365 account with impersonation privileges can access up to 100 mailboxes concurrently.Therefore, by default, Cloudiway allows you to migrate 100 concurrent users in an Office connector.If you wish to speed up your migration, you should set up additional Office 365 target connectors onthe Cloudiway platform and associate different accounts with admin access to each one. These canbe connected to a single G Suite source connector.Below are the steps to show you how to set up impersonation using the Office 365 Exchange AdminCenter. If you don't already have impersonation set up, please follow the steps below.1.Login with your administrator account to the Office 365 portal2.Go to the Exchange admin center, then click on permissions and the admin roles3.Click on the plus sign ( ) to create a new roleMail migration: G Suite to Office 365Page 12/34
4.Give your group a name and assign it the role of ApplicationImpersonation, then add a userto the group:5.Click on the Save button to save your group5.5 Recreate your resources (using provisioning)Resources from your source must be available in your target before migration can begin. Cloudiwayprovides a tool to automatically recreate rooms and equipment for migrations from G Suite to Office365, which will be explained later in this guide. Cloudiway can also recreate shared mailboxes in thetarget, but this tool is not yet available on the platform. If you'd like a preview, please get in touch viasales@cloudiway.com.Mail migration: G Suite to Office 365Page 13/34
6Use the Cloudiway platform to migrate your mail6.1Create your G Suite source connectorFor Cloudiway to migrate your email, it needs to be able to communicate with both your source andtarget domains. To do this, Cloudiway uses connectors, which are configured on apps.cloudiway.com.You will need to set up a connector for each source tenant you wish to migrate and each targettenant that mail should be migrated to. Follow the steps below to configure a G Suite sourceconnector.1.From your browser, go to https://apps.cloudiway.com and login2.Click on Mail Migration on the left, then SourcesMail migration: G Suite to Office 365Page 14/34
3.Click on the New option at the bottom of the screen4.Click on Google Apps and type a meaningful name in Connector name5.Click on the Create button6.Paste your Service Account Email (you can copy it from the Manage service accounts screenfrom the project you created in http://console.developers.google.com)Mail migration: G Suite to Office 365Page 15/34
7.Upload the file that you downloaded earlier (it ends in .p12) to the Service Account PrivateKey field8.Click on the Save button at the bottom of the screenYour source connector has now been created. Next up is the target connector.6.2Create your Office 365 target connectorWith the source connector now configured on the Cloudiway platform, it's time to create andconfigure the target connector. Follow the steps below to configure an Office 365 target connector.Each account with impersonation privileges can access up to 100 mailboxes concurrently. Therefore,by default, each Cloudiway connector can migrate 100 concurrent users. If you wish to speed up yourmigration, you should set up additional Office 365 connectors on the Cloudiway platform andassociate different accounts with admin access to each one.1.From your browser, go to https://apps.cloudiway.com and loginMail migration: G Suite to Office 365Page 16/34
2.Click on Mail Migration on the left, then Targets3.Click on the New option at the bottom of the screen4.Click on Office 365 and type a meaningful name in Connector name5.Click on the Create button6.Type your target domain name in DomainMail migration: G Suite to Office 365Page 17/34
7.Type your Office 365 account credentials (with administrator and impersonation rights)The remaining field is for archiving older emails from inboxes (switched off by default):8.For now, click on the Save button without activating this option (it's covered in the nextsection).6.3 Create a partial archive from a normal inboxCreating a partial archive of emails provides a number of benefits. From a migration perspective, thebiggest benefit is reduced bandwidth. End-users who access mail via Outlook have their mailboxlocally cached (in .ost file format). After a mail migration, Outlook will download all migratedmailboxes the first time users access their mailboxes. Therefore, if many users are likely to accessOutlook at around the same time after migration (for example, if you've completed a cutovermigration one weekend before staff arrive at 9am Monday morning), your bandwidth might slowdown due to a glut of downloads.This can be avoided by partially migrating data to the online archive. For example, you could chooseto migrate all items older than 30 days to a mail archive, which would be performed prior to the finalcutover. The data will remain online and accessible from each user’s inbox as an In-Place ArchiveMail migration: G Suite to Office 365Page 18/34
folder. The most recent 30 days of emails will be migrated and downloaded when each user first logsin, reducing overall bandwidth usage due to smaller mailbox sizes.Note: you must ensure that In-Place archiving is switched on within your Exchange Admin center(you can bulk-activate using the instructions on TechNet as 7(v exchg.150).aspx).1.With your target connector selected, click on the Edit button on the action bar at the bottomof the screen2.Click on the ON button to activate the Archive mails old than x months option3.Enter a number in the field to indicate the minimum age (in months) of mails to be archived4.Click on the Save button at the bottom of the screenNow, when your migration starts, any emails older than the number of months you specified will bemigrated to an In-Place archive. Younger items will be migrated to the target mailbox. The user cancontinue to use the source mailbox until final cutover, whether it be the following day or in amonth's time.During final cutover, all new and remaining emails w
For a G Suite to Office 365 migration, it's also possible to synchronize from G Suite to Active Directory or Office 365 and to retrieve and synchronize objects that do not exist in your local Active Directory. 1.3.2 Calendar free/busy Cloudiway provides a coexistence tool for calendar free/busy time display. For example, a G Suite
