Migration from Office 365 or Microsoft 365 mailboxes to G Suite using the G Suite Data Migration Service

Supported Environment

Microsoft 365, Office 365, Exchange 2016, 2013, 2010, 2007 or 2003.

Supported G Suite

G Suite Enterprise, Business, Basic, and Education accounts

G Suite Cost

Standard prices are shown. Google occasionally offers special discounts to some customers for both the Flexible and Annual Plan.

 | Flexible Plan | Annual Plan
Commitment | None | 1 year of service for licenses purchased at the start of the contract.
Billing cycle | Monthly | Monthly
Monthly payment | G Suite Basic: USD 6 per user; G Suite Business: USD 12 per user; G Suite Enterprise: USD 25 per user | G Suite Basic: USD 6 per license; G Suite Business: USD 12 per license; G Suite Enterprise: USD 25 per license
Yearly total | G Suite Basic: USD 72 per user; G Suite Business: USD 144 per user; G Suite Enterprise: USD 300 per user | G Suite Basic: USD 72 per license; G Suite Business: USD 144 per license; G Suite Enterprise: USD 300 per license
Add users | At any time for additional monthly cost | At any time for additional monthly cost
Remove users | At any time (reduces monthly cost) | Only when you renew the annual contract. Until then, you pay for all purchased licenses.
Cancel service | At any time without a penalty | Must pay annual commitment (even if you cancel early).

Outlook requirements

Step1: Setup G Suite

To set up G Suite, you need three basic pieces of information and the privilege to prove ownership of your domain.

  • Primary domain, e.g. mydomain.com
  • Verify Domain. When you sign up for G Suite, you can choose in the Setup Wizard which type of verification record you want to use, such as a TXT, CNAME, or MX record.
  • Personal username, such as user1@mydomain.com
  • An email address, which can be a Gmail address and can be changed later.

G Suite MX setup for your domain host

  1. Sign in to your domain’s account at your domain host.
  2. Need help? Contact your domain host’s Support team. Domain hosts are experts with MX records, and setup is a common task.
  3. Go to the section where you can update your domain’s MX records. It might be called something like “DNS Management,” “Mail Settings,” or “Advanced Settings.”
  4. Delete any existing MX records.
    If you can’t delete the existing records, change their priority number to 20 or higher.
  5. Add new MX records for the Google mail servers.

If your domain host limits the number of MX records, just add the first 2 records in this table.

Values for G Suite MX records

Name/Host/Alias | Time to Live (TTL*) | Record Type | Priority | Value/Answer/Destination
@ or leave blank | 3600 | MX | 1 | ASPMX.L.GOOGLE.COM.
@ or leave blank | 3600 | MX | 5 | ALT1.ASPMX.L.GOOGLE.COM.
@ or leave blank | 3600 | MX | 5 | ALT2.ASPMX.L.GOOGLE.COM.
@ or leave blank | 3600 | MX | 10 | ALT3.ASPMX.L.GOOGLE.COM.
@ or leave blank | 3600 | MX | 10 | ALT4.ASPMX.L.GOOGLE.COM.
  • Skip this step if you already verified your domain by another method (such as TXT record, HTML file, or meta tag).
  • Save your changes.
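
A check for the MX values above, added here as an example and not part of the original guide: it flags non-Google MX records left below priority 20 and Google hosts that are missing. The function name Test-GSuiteMx and the sample records are constructed; input objects are assumed to carry the NameExchange and Preference properties that Resolve-DnsName returns for MX answers.

```powershell
# Added example. Expected values are the G Suite MX table from this guide.
$ExpectedMx = [ordered]@{
    'aspmx.l.google.com'      = 1
    'alt1.aspmx.l.google.com' = 5
    'alt2.aspmx.l.google.com' = 5
    'alt3.aspmx.l.google.com' = 10
    'alt4.aspmx.l.google.com' = 10
}

function Test-GSuiteMx {
    param([Parameter(Mandatory)][object[]]$Records)

    $seen = @{}
    foreach ($r in $Records) {
        if (-not $r.NameExchange) { continue }   # skip answers that are not MX records
        $mxHost = ([string]$r.NameExchange).TrimEnd('.').ToLowerInvariant()
        $pref   = [int]$r.Preference
        $seen[$mxHost] = $pref
        if (-not $ExpectedMx.Contains($mxHost)) {
            # The guide tolerates a legacy record only at priority 20 or higher.
            if ($pref -lt 20) {
                "FAIL: legacy MX $mxHost at priority $pref can still receive mail for the domain"
            } else {
                "WARN: legacy MX $mxHost is still published at priority $pref"
            }
        } elseif ($ExpectedMx[$mxHost] -ne $pref) {
            "WARN: $mxHost has priority $pref, the table lists $($ExpectedMx[$mxHost])"
        }
    }

    $position = 0
    foreach ($name in $ExpectedMx.Keys) {
        if (-not $seen.ContainsKey($name)) {
            # Domain hosts that cap the record count may publish only the first two.
            $level = if ($position -lt 2) { 'FAIL' } else { 'WARN' }
            "${level}: expected MX $name is missing"
        }
        $position++
    }
}

# Constructed sample: two Google records plus a legacy host that was never removed.
$sample = @(
    [pscustomobject]@{ NameExchange = 'ASPMX.L.GOOGLE.COM.';      Preference = 1 }
    [pscustomobject]@{ NameExchange = 'ALT1.ASPMX.L.GOOGLE.COM.'; Preference = 5 }
    [pscustomobject]@{ NameExchange = 'mail.mydomain.com';        Preference = 10 }
)
Test-GSuiteMx -Records $sample
```

Against live DNS, pass the output of Resolve-DnsName -Name mydomain.com -Type MX as -Records.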

Step2: Test G Suite Email

  1. Sign in to admin.google.com with your G Suite username and password. 
  2. In the top right corner, click the App Launcher, Mail.

Step3 (optional): Setup Google Cloud Directory Sync (GCDS)

Set up Directory Sync to use existing authentication or on-premises Windows Domain Controller users. With Google Cloud Directory Sync (GCDS), you can synchronize the data in your Google domain with your Microsoft® Active Directory® or LDAP server. Your Google users, groups, and shared contacts are synchronized to match the information in your LDAP server.

Systems Requirements:

  1. Download GCDS
  2. A Google domain.
  3. Access to a Google domain super administrator account to authorize GCDS.
  4. Microsoft® Windows® (supported on Windows 7, Windows 8, Windows 10, Windows Server 2008/2012/2016).
  5. Linux®—If you’re using a 32-bit version of GCDS on a 64-bit Linux system, a 32-bit libc (such as libc6-i386) must be installed.
  6. Administrator access to your Google domain.
  7. LDAP administrator access to your directory server and familiarity with its contents as well as familiarity with the LDAP query language.
  8. Network administrator privileges and familiarity with your network and security settings for internal and outbound traffic.

Enable Authentication in Google Configuration Manager in Google Domain

Authorize access using OAuth

  1. Open Configuration Manager and click the Google Domain Configuration page.
  2. Click Authorize Now to set up your authorization settings and create a verification code.
  3. Click Sign In to open a browser window and sign into your Google domain with your super administrator username and password.
  4. Copy the token that’s displayed.
  5. In the Verification Code field, enter the token and click Validate.

Allow API Access in Google Admin Console

  1. Sign in to your Google Admin console.
  2. Sign in using your administrator account (does not end in @gmail.com).
  3. From the Admin console Home page, go to Security>API reference.
  4. To see Security on the Home page, you might have to click More controls at the bottom.
  5. Make sure the Enable API access box is checked.
  6. At the bottom, click Save.

Configure GCDS

  1. The simplest way to configure GCDS is to record credentials for the Google domain and the on-premises Active Directory.
  2. Connect Google Domain and On-premises Active Directory
  3. Test connection
  4. Select an Organizational unit of Active Directory to Sync to Google Domain
  5. You’re done.

Step4: Assign Licenses

On the Licenses page of Configuration Manager, set up the GCDS license synchronisation for users in your Google domain.

If you have purchased different product SKUs for your domain, you may want to disable auto license assignment and use the GCDS license synchronisation feature to manage licenses for your Google user accounts. You should manage user license assignment using a single method. Either assign and manage product licenses through the Admin console or use the GCDS license synchronisation feature described here.

Additional Guide:

Step5 (optional): Setup Mailflow Co-existence between Office 365 and G Suite

Follow this guide to setup mailflow co-existence between Office 365 and G Suite.

Step6: Migrate email from Microsoft Exchange or Office 365

  1. Sign in to your Google Admin console.
  2. Sign in using your administrator account (does not end in @gmail.com).
  3. From the Admin console Home page, go to Data migration. To see Data migration, you might have to click More controls at the bottom.
  4. Select the Email option and click Continue.
  5. On the Email Migration screen:
    1. From the Migration source list, select the Microsoft Exchange or Office 365 mail server that matches your legacy environment (where you’re migrating from).
    2. Select the connection protocol of the legacy mail server by choosing an option:
      • To automatically determine the protocol, select Autoselect (Recommended).
      • To specify the Exchange Web Services URL for your legacy service, select Exchange Web Services and type the URL. The URL is the address that Exchange uses to communicate with Exchange Web Services, for example, https://outlook.office365.com/EWS/Exchange.asmx.
    3. Enter the email address and password for your role account.
  6. Click Connect.
  7. (Optional) If the connection fails, verify that the role account and connection protocol information is correct. Then, click Connect again.
  8. In the Migration start date and Migration options sections, accept the default options or choose to exclude data that doesn’t need to be migrated.
  9. Click Select Users.

Step7: Migrate a test email for a single user

  1. Complete the steps to set up the data migration service.
  2. Hover over Add and click Select user.
  3. In the Migrate From field, enter the user’s Exchange email address.
  4. In the Migrate To field, start typing the user’s new G Suite email address and choose from the list of suggested users. 
  5. Click Start.
  6. (Optional) To migrate another user’s email, repeat these steps. 
  7. To exit a completed migration, click Settings > Exit migration

Step8: Migrate email for multiple production users

  1. Complete the steps to set up the data migration service.
  2. Hover over Add and click Select multiple users.
  3. Click Attach File to upload a CSV file containing the legacy email addresses and the new G Suite email addresses. For details on how to format the file, see Use CSV files with the data migration service.
  4. Click Upload and start the migration.
  5. If there are errors in your file, choose an option:
    • To update the file, click Cancel, fix the file, and reload the updated file.
    • To ignore the incorrect mappings, check the Ignore errors box.

Notes: Formatting the CSV files

You can use a spreadsheet application, such as Google Sheets or Microsoft Excel®, or a text file to create the CSV file. Data in your CSV file is case-sensitive: make sure to use the correct case for emails, passwords, usernames, and resources.

Don’t include headers. Use commas to separate the fields and line breaks to separate each entry.

Example CSV File

john.doe@googledomain.com,john.doe@microsoftdomain.onmicrosoft.com,calender1

In this example, you’re migrating john.doe@microsoftdomain.onmicrosoft.com (Office 365) to john.doe@googledomain.com (G Suite), with calender1 from Office 365.
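
A pre-flight check for the mapping file described above, added here as an example and not part of the original guide or of Google's tooling: it catches header rows, malformed addresses, inconsistent casing and two lines that target the same G Suite mailbox. The function name Test-MigrationCsv is hypothetical, the field order is assumed from the sample line on this page, and the sample lines are constructed.

```powershell
# Added example. Field order assumed from this page's sample line:
# G Suite address, legacy address, optional third field.
function Test-MigrationCsv {
    param([Parameter(Mandatory)][string[]]$Lines)

    $addr    = '^[^@\s,]+@[^@\s,]+\.[^@\s,]+$'
    $targets = @{}   # G Suite address -> first spelling and line (keys compare case-insensitively)
    $n = 0
    foreach ($line in $Lines) {
        $n++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Split(',')
        if ($f.Count -lt 2 -or $f.Count -gt 3) {
            "line ${n}: expected 2 or 3 comma-separated fields, found $($f.Count)"
            continue
        }
        $to, $from = $f[0], $f[1]
        if ($n -eq 1 -and $to -notmatch '@' -and $from -notmatch '@') {
            "line 1: looks like a header row; the file must not contain one"
            continue
        }
        foreach ($a in $to, $from) {
            # Stray spaces after a comma fail here as well.
            if ($a -notmatch $addr) { "line ${n}: '$a' is not a bare email address" }
        }
        if ($to -eq $from) { "line ${n}: source and destination are the same address" }

        if ($targets.ContainsKey($to)) {
            $first = $targets[$to]
            if ($first.Text -cne $to) {
                "line ${n}: '$to' differs only in case from line $($first.Line); entries are case-sensitive"
            } else {
                "line ${n}: destination '$to' is repeated from line $($first.Line)"
            }
        } else {
            $targets[$to] = @{ Text = $to; Line = $n }
        }
    }
}

# Constructed sample: line 2 has a space after the comma, line 3 repeats a
# destination with different casing and a different source mailbox.
$sample = @(
    'john.doe@googledomain.com,john.doe@microsoftdomain.onmicrosoft.com,calender1'
    'jane.roe@googledomain.com, jane.roe@microsoftdomain.onmicrosoft.com'
    'John.Doe@googledomain.com,j.doe@microsoftdomain.onmicrosoft.com'
)
Test-MigrationCsv -Lines $sample
```

For a real file, pass the output of Get-Content as -Lines before uploading it.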

ADFS 4.0 Step by Step Guide: Federating With Google Apps

To integrate On-Premises SSO with Google Apps, you need the following items:

Step1: Export ADFS Token Signing Certificate

  1. Log into the ADFS 2016 server and open the management console.
  2. Right-click Service>Certificate
  3. Right-click the certificate and select View Certificate.
  4. Select the Details tab.
  5. Click Copy to File. The Certificate Export Wizard opens.
  6. Select Next. Ensure the No, do not export the private key option is selected, and then click Next.
  7. Select DER encoded binary X.509 (.cer), and then click Next.
  8. Select where you want to save the file and give it a name. Click Next.
  9. Select Finish.

Step2: Download Google Certificate

  1. Login to Google Admin console with administrator permission to add new apps.
  2. Go to Apps > SAML Apps and click “+” at the bottom right of the page to add a new SAML IDP (“Enable SSO for SAML Application”).
  3. Select “Setup my own custom app” at the bottom of the window. You will see the “Google IdP Information” page. Click the Download button to retrieve the Google certificate.

Step3: Create a Relying Party Trust

  1. Log into the ADFS 2016 server and open the management console.
  2. Right-click Service>Relying Party Trusts>Select Add Relying Party Trust from the top right corner of the window.
  3. Click Claims aware>Click Start
  4. Click Enter Data about the relying party manually
  5. Give it a display name such as GoogleApps>Click Next>Click Next
  6. On the Configure URL Page, Check Enable support for the SAML 2.0 WebSSO protocol and type  https://www.google.com/a/domain.com/acs, Click Next
  7. On the Configure RP Identifier Page, type the identifiers: google.com/a/domain.com, Click Add
  8. Ensure I do not want to configure multi-factor authentication […] is chosen, and click Next
  9. Permit all users to access this relying party.
  10. Click Next and clear the Open the Claims when this finishes check box.
  11. Close this page. The new relying party trust appears in the window.
  12. Right-click on the relying party trust and select Properties.
  13. Select the Advanced tab and set the Secure hash algorithm to SHA-256.
  14. Under the Endpoints tab, click Add SAML Logout with a Post binding and a URL of https://sts.domain.com/adfs/ls/?wa=wsignout1.0
  15. Select the Signature tab and click Add. Import the Google certificate that you downloaded from the Google Admin console. Click Apply, then click OK.

Step4: Add Claim Rule for the Relying Party

  1. Log into the ADFS server and open the management console.
  2. Right-click on the GoogleApps relying party trust and select Edit Claim Rules.
  3. Click the Issuance Transform Rules tab.
  4. Click Add Rule. Type the name as GoogleApps Rule.
  5. Ensure Send LDAP Attributes as Claims is selected, and click Next
  6. Select the below details:
    • Claim Rule Name = Send Email Address As NameID
    • Attribute Store = Active Directory
    • LDAP Attribute = E-mail-Addresses
    • Outgoing Claim Type = Name-ID
  7. Click Finish. Click Apply.

Step5: Configure Google Apps in Admin Console

  1. Sign into the Google Apps Admin Console using your administrator account.
  2. Click Security. If you don’t see the link, it may be hidden under the More Controls menu at the bottom of the screen.
  3. On the Security page, click Setup single sign-on (SSO).
  4. Perform the following configuration changes:
    1. In Google Apps, for the Verification certificate, replace and upload the ADFS token signing certificate that you have downloaded from ADFS.
    2. Click Save Changes.

Step6: Testing SSO

To test SSO, visit http://mail.google.com/a/domain.com.  You will be redirected to ADFS STS Signing Page. Enter your on-premises email address and password as the credential.  You should be redirected back to Google Apps and arrive at your mailbox.

Mailflow Co-existence between G Suite and Office 365 during IMAP Migration

This article explains how to create mail flow coexistence between a disparate IMAP source and an Exchange Online destination.

Use case:

  1. Customer wants a mailflow co-existence between hosted email e.g. Gmail and Exchange Online during mailbox migration phase.
  2. Customer has on-premises Exchange Server but does not want to create hybrid environment or have a situation where hybrid configuration is not feasible.
  3. Customer plans to migrate mailboxes, calendar, contacts, resources and distribution groups to Exchange Online in phases.
  4. Customer does not want a cutover migration to Exchange Online.

Source Environment:

  1. Email Domain: Domain.com
  2. Migration Method: IMAP
  3. Source Infrastructure: On-premises Microsoft Exchange or Hosted Gmail

Destination Environment:

  1. Office 365 Tenant: domain.onmicrosoft.com
  2. Default Domain: domain.onmicrosoft.com
  3. Email Domain: Domain.com
  4. CatchAll Domain or Subdomain: subdomain.domain.com

Migration Method:

  • Pre-stage: In pre-stage migration, data will be pre-filled to a place holder mailbox then migrate delta changes.
  • Backfill: In backfill method, data will be back filled to a real mailbox after cutover.

Prepare Source Email Domain:

  1. Add a proxy address or alias to all mailboxes.

To add the proxy address, create a CSV file with the header below and run the script.

Name,EmailAddress
User1@domain.com,user1@domain.onmicrosoft.com

# Add each proxy address to the addresses the mailbox already has
Import-Csv C:\data.csv | ForEach-Object {
    # @{Add=...} appends; passing only the new value would replace every existing address
    Set-Mailbox -Identity $_.Name -EmailAddresses @{Add = $_.EmailAddress}
}

  2. Create a target address or forwarding address on all mailboxes. To add the target address, create a CSV file with the header below and run the script.

CSV headers are Mailbox, ForwardTo

User1@domain.com,user1@domain.onmicrosoft.com
user1@domain.com,user1@subdomain.domain.com

# -ForwardingAddress expects a recipient that already exists in the source organization, for example a mail contact
Import-Csv "C:\CSV\Users.csv" | ForEach-Object { Set-Mailbox -Identity $_.Mailbox -ForwardingAddress $_.ForwardTo }

  3. Send & Receive Connector

If you have strict mail flow conditions in the on-premises or hosted environment, you may have to create a send connector and a receive connector to allow Office 365 email in both directions.

  4. The MX record still points to the source environment.

Prepare Exchange Online

  1. Create Office 365 tenant: domain.onmicrosoft.com
  2. Add customer domain e.g. domain.com on the Office 365 portal and validate the domain
  3. Go to Office 365 ECP, Select Mailflow, Click Accepted Domain, Select Domain.com, Click Edit and set the domain to Internal Relay
  4. Go to Office 365 ECP, select Recipients, go to Groups, create a distribution group and add all users to it. For a script that does the job, refer to step 3 of the Post Migration section of this article and replace Remove-DistributionGroupMember with Add-DistributionGroupMember in the script.
  5. Go to Office 365 ECP, select Mailflow, Connectors, and create an outbound send connector to send email from Office 365 to your organisation's email server. When creating this connector, select the smart host option and, in the smart host window, type the public IP address or FQDN of the MX record of domain.com.
  6. Go to Office 365 ECP, select Mailflow, Rules, and create a rule so that any inbound email addressed to @domain.com whose recipient is a member of the special distribution group created in step 4 is forwarded to the send connector created in step 5.
  7. Enable mail flow for the subdomain or catch-all domain, i.e. @subdomain.domain.com:

Set-AcceptedDomain -Identity domain.com -MatchSubdomains $true

Mailflow during migration phase

When an Exchange Online mailbox user1@domain.com sends mail to user2@domain.com (on-premises or hosted Gmail), user2 does not exist on the Exchange Online side and domain.com is set to “Internal Relay” under the Accepted Domain configuration, so the message is delivered to on-premises/Gmail through the special outbound connector.

Post Migration:

Once you have migrated a batch of mailboxes, you have to remove proxy address and forwarding address from that batch of source mailboxes on the source email domain.

  1. Remove the proxy address from the source environment.

CSV headers are Name and EmailAddress

User1@domain.com,user1@domain.onmicrosoft.com

# Remove only the listed proxy address; the mailbox keeps its other addresses
Import-Csv C:\CSV\ProxyAddress.csv | ForEach-Object {
    Set-Mailbox -Identity $_.Name -EmailAddresses @{Remove = $_.EmailAddress}
}

  2. Remove the forwarding address from the source environment.

CSV headers are Mailbox, ForwardTo

User1@domain.com,user1@domain.onmicrosoft.com

# ForwardingAddress holds a single value, so it is cleared with $null
Import-Csv "C:\CSV\Users.csv" | ForEach-Object { Set-Mailbox -Identity $_.Mailbox -ForwardingAddress $null }

  3. Remove the batch of mailboxes from the distribution group once they have been migrated to Office 365.

CSV headers are Identity, Members

Accounts,user1@domain.com

Import-Csv "C:\CSV\RemoveMembers.csv" | ForEach-Object { Remove-DistributionGroupMember -Identity $_.Identity -Member $_.Members }

  4. Delete the special distribution group, mail flow rule and outbound connector created in step 4, step 5 and step 6 after the MX record cutover to Office 365.
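
An audit for the post-migration clean-up above, added here as an example and not part of the original article: it lists migrated source mailboxes that still forward mail or still carry a coexistence proxy address. The function name Find-LeftoverCoexistence is hypothetical, the input objects are assumed to have the PrimarySmtpAddress, EmailAddresses, ForwardingAddress and ForwardingSmtpAddress properties that Get-Mailbox returns, and the sample mailboxes are constructed.

```powershell
# Added example: report migrated mailboxes whose coexistence settings were not removed.
function Find-LeftoverCoexistence {
    param(
        [Parameter(Mandatory)][object[]]$Mailboxes,      # objects shaped like Get-Mailbox output
        [Parameter(Mandatory)][string[]]$MigratedBatch,  # primary addresses already migrated
        # Domains used for coexistence in this article's destination environment
        [string[]]$CoexistenceDomains = @('domain.onmicrosoft.com', 'subdomain.domain.com')
    )

    foreach ($mbx in $Mailboxes) {
        $primary = [string]$mbx.PrimarySmtpAddress
        if ($MigratedBatch -notcontains $primary) { continue }   # not migrated yet, forwarding is expected

        # Either forwarding property keeps mail leaving the source mailbox.
        $forward = @($mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress) | Where-Object { $_ }

        # Proxy addresses look like "smtp:user@domain"; compare only the domain part.
        $proxies = @($mbx.EmailAddresses | Where-Object {
            $domain = ([string]$_ -replace '^smtp:', '').Split('@')[-1]
            $CoexistenceDomains -contains $domain
        })

        if ($forward -or $proxies) {
            [pscustomobject]@{
                Mailbox     = $primary
                ForwardsTo  = $forward -join '; '
                ProxiesLeft = $proxies -join '; '
            }
        }
    }
}

# Constructed sample: user1 was migrated but never cleaned up, user2 is clean,
# user3 is not in the migrated batch and is therefore ignored.
$sample = @(
    [pscustomobject]@{
        PrimarySmtpAddress    = 'user1@domain.com'
        ForwardingAddress     = $null
        ForwardingSmtpAddress = 'smtp:user1@domain.onmicrosoft.com'
        EmailAddresses        = @('SMTP:user1@domain.com', 'smtp:user1@domain.onmicrosoft.com')
    }
    [pscustomobject]@{
        PrimarySmtpAddress    = 'user2@domain.com'
        ForwardingAddress     = $null
        ForwardingSmtpAddress = $null
        EmailAddresses        = @('SMTP:user2@domain.com')
    }
    [pscustomobject]@{
        PrimarySmtpAddress    = 'user3@domain.com'
        ForwardingAddress     = 'user3-contact'
        ForwardingSmtpAddress = $null
        EmailAddresses        = @('SMTP:user3@domain.com', 'smtp:user3@subdomain.domain.com')
    }
)
Find-LeftoverCoexistence -Mailboxes $sample -MigratedBatch 'user1@domain.com', 'user2@domain.com'
```

Against the source organization, pass the output of Get-Mailbox -ResultSize Unlimited as -Mailboxes after each batch.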