Migration from Office 365 or Microsoft 365 mailboxes to G Suite using the G Suite Data Migration Service

Supported Environment

Microsoft 365, Office 365, Exchange 2016, 2013, 2010, 2007 or 2003.

Supported G Suite

G Suite Enterprise, Business, Basic, and Education accounts

G Suite Cost

Standard prices are shown. Google occasionally offers special discounts to some customers for both the Flexible and Annual Plan.

 Flexible PlanAnnual Plan
CommitmentNone1 year of service for licenses purchased at the start of the contract.
Billing cycle MonthlyMonthly
Monthly paymentG Suite Basic: USD 6 per user
G Suite Business: USD 12 per user
G Suite Enterprise: USD 25 per user
G Suite Basic: USD 6 per license
G Suite Business: USD 12 per license
G Suite Enterprise: USD 25 per license
Yearly totalG Suite Basic: USD 72 per user
G Suite Business: USD 144 per user
G Suite Enterprise: USD 300 per user
G Suite Basic: USD 72 per license
G Suite Business: USD 144 per license
G Suite Enterprise: USD 300 per license
Add usersAt any time for additional monthly costAt any time for additional monthly cost
Remove usersAt any time (reduces monthly cost)Only when you renew the annual contract. Until then, you pay for all purchased licenses.
Cancel serviceAt any time without a penaltyMust pay annual commitment (even if you cancel early).

Outlook requirements

Step1: Setup G Suite

To setup G Suite, you need three basic information and privilege to prove ownership of your domain.

  • Primary domain, e.g. mydomain.com
  • Verify Domain. When you sign up for G Suite, you can choose which type of verification record such as TXT, CNAME, MX record you want to use in the Setup Wizard.
  • personal username such as user1@mydomain.com
  • An email address which can be gmail email and can be changed later.

G Suite MX setup for your domain host

  1. Sign in to your domain’s account at your domain host.
  2. Need help? Contact your domain host’s Support team. Domain hosts are experts with MX records, and setup is a common task.
  3. Go to the section where you can update your domain’s MX records. It might be called something like “DNS Management,” “Mail Settings,” or “Advanced Settings.”
  4. Delete any existing MX records.
    If you can’t delete the existing records, change their priority number to 20 or higher.
  5. Add new MX records for the Google mail servers.

If your domain host limits the number of MX records, just add the first 2 records in this table.

Values for G Suite MX records

Name/Host/Alias Time to Live (TTL*) Record Type Priority Value/Answer/Destination
@ or leave blank 3600 MX 1 ASPMX.L.GOOGLE.COM.
@ or leave blank 3600 MX 5 ALT1.ASPMX.L.GOOGLE.COM.
@ or leave blank 3600 MX 5 ALT2.ASPMX.L.GOOGLE.COM.
@ or leave blank 3600 MX 10 ALT3.ASPMX.L.GOOGLE.COM.
@ or leave blank 3600 MX 10 ALT4.ASPMX.L.GOOGLE.COM.
  • Skip this step if you already verified your domain by another method (such as TXT record, HTML file, or meta tag).
  • Save your changes.

Step2: Test G Suite Email

  1. Sign in to admin.google.com with your G Suite username and password. 
  2. In the top right corner, click the App Launcher, Mail.

Step3 (optional): Setup Google Cloud Directory Sync (GCDS)

Setup Directory Sync to use existing authentication or on-premises Windows Domain Controller users.  With Google Cloud Directory Sync (GCDS), you can synchronize the data in your Google domain with your Microsoft® Active Directory® or LDAP server. Your Google users, groups, and shared contacts are synchronized to match the information in your LDAP server. 

Systems Requirements:

  1. Download GCDS
  2. A Google domain.
  3. Access to a Google domain super administrator account to authorize GCDS.
  4. Microsoft® Windows® (supported on Windows 7, Windows 8, Windows 10, Windows Server 2008/2012/2016).
  5. Linux®—If you’re using a 32-bit version of GCDS on a 64-bit Linux system, a 32-bit libc (such as libc6-i386) must be installed.
  6. Administrator access to your Google domain.
  7. LDAP administrator access to your directory server and familiarity with its contents as well as familiarity with the LDAP query language.
  8. Network administrator privileges and familiarity with your network and security settings for internal and outbound traffic.

Enable Authentication in Google Configuration Manager in Google Domain

Authorize access using OAuth

  1. Open Configuration Manager and click the Google Domain Configuration page.
  2. Click Authorize Now to set up your authorization settings and create a verification code.
  3. Click Sign In to open a browser window and sign into your Google domain with your super administrator username and password.
  4. Copy the token that’s displayed.
  5. In the Verification Code field, enter the token and click Validate.

Allow API Access in Google Admin Console

  1. Sign in to your Google Admin console.
  2. Sign in using your administrator account (does not end in @gmail.com).
  3. From the Admin console Home page, go to Security>API reference.
  4. To see Security on the Home page, you might have to click More controls at the bottom.
  5. Make sure the Enable API access box is checked.
  6. At the bottom, click Save.

Configure GCDS

  1. The simplest way to configure GCDS is to record credentials for Google Domain, On-premises Active Directory.
  2. Connect Google Domain and On-premises Active Directory
  3. Test connection
  4. Select an Organizational unit of Active Directory to Sync to Google Domain
  5. You’re done.

Step4: Assign Licenses

On the Licenses page of Configuration Manager, set up the GCDS license synchronisation for users in your Google domain.

If you have purchased different product SKUs for your domain, you may want to disable auto license assignment and use the GCDS license synchronisation feature to manage licenses for your Google user accounts. You should manage user license assignment using a single method. Either assign and manage product licenses through the Admin console or use the GCDS license synchronisation feature described here.

Additional Guide:

Step5 (optional): Setup Mailflow Co-existence between Office 365 and G Suite

Follow this guide to setup mailflow co-existence between Office 365 and G Suite.

Step6: Migrate email from Microsoft Exchange or Office 365

  1. Sign in to your Google Admin console.
  2. . Sign in using your administrator account (does not end in @gmail.com).
  1. From the Admin console Home page, go to Data migration. To see Data migration, you might have to click More controls at the bottom.
  2. Select the Email option and click Continue.
  3. On the Email Migration screen:
    1. From the Migration source list, select the Microsoft Exchange or Office 365 mail server that matches your legacy environment (where you’re migrating from). 
    2. Select the connection protocol of the legacy mail server by choosing an option:
      • To automatically determine the protocol, select Autoselect (Recommended).
      • To specify the Exchange Web Services URL for your legacy service, select Exchange Web Services and type the URL. The URL is the is the address that Exchange uses to communicate with Exchange Web Services, for example, https://outlook.office365.com/EWS/Exchange.asmx.
    3. Enter the email address and password for your role account.  
  4. Click Connect
  5. (Optional) If the connection fails, verify that the role account and connection protocol information is correct. Then, click Connect again. 
  6. In the Migration start date and Migration options sections, accept the default options or choose to exclude data that doesn’t need to be migrated. 
  7. Click Select Users.

Step7: Migrate a test email for a single user

  1. Complete the steps to set up the data migration service.
  2. Hover over Add and click Select user .
  3. In the Migrate From field, enter the user’s Exchange email address.
  4. In the Migrate To field, start typing the user’s new G Suite email address and choose from the list of suggested users. 
  5. Click Start.
  6. (Optional) To migrate another user’s email, repeat these steps. 
  7. To exit a completed migration, click Settings > Exit migration

Step8: Migrate email for multiple production users

  1. Complete the steps to set up the data migration service.
  2. Hover over Add and click Select multiple users.
  3. Click Attach File to upload a CSV file containing the legacy email addresses and the new G Suite email addresses. For details on how to format the file, see Use CSV files with the data migration service.
  4. Click Upload and start the migration.
  5. If there are errors in your file, choose an option:
    • To update the file, click Cancel, fix the file, and reload the updated file.
    • To ignore the incorrect mappings, check the Ignore errors box.

Notes: Formatting the CSV files

You can use a spreadsheet application, such as Google Sheets or Microsoft Excel®, or a text file to create the CSV file. Data in your CSV file is case-sensitive: make sure to use the correct case for emails, passwords, usernames, and resources.

Don’t include headers or use commas to separate the fields. Use line breaks to separate each entry.

Example CSV File

john.doe@googledomain.com,john.doe@microsoftdomain.onmicrosoft.com,calender1

In this example, you’re migrating john.doe@microsoftdomain.onmicrosoft.com (office 365) to john.doe@googledomain.com (G Suite) with a calender1 of Office 365.

Prepare Windows 10 Master Image & Deploy Windows Virtual Desktop

Microsoft announced Windows Virtual Desktop and began a private preview. Since then, we’ve been hard at work developing the ability to scale and deliver a true multi-session Windows 10 and Office 365 ProPlus virtual desktop and app experience on any device.

Windows Virtual Desktop will also be extended and enriched by leading partners in the following ways:

  • Citrix can extend Windows Virtual Desktop capabilities with their Citrix Cloud services.
  • Through our partnership with Samsung, Windows Virtual Desktop will provide highly mobile First line Workers access to a full Windows 10 and Office 365 ProPlus experience with Samsung DeX.
  • Software and service providers will extend Windows Virtual Desktop to offer targeted solutions in the Azure marketplace.
  • Microsoft Cloud Solution Providers (CSPs) will deliver end-to-end desktop-as-a-service (DaaS) offerings and value-added services to their customers.

Prepare Image

Prepare Windows 10 Ent Golden Image to be used for Windows Virtual Desktop in Azure Cloud. Execute the following steps on the Windows 10 Ent master image.

Step1: Remove Persistent Routing using this command, route delete

Step2: Remove Proxy Server using this Command, netsh winhttp reset proxy

Step3: Set the disk SAN policy to Onlineall using this command, diskpart then san policy=onlineall

Step4: Set time zone to Windows Automatic

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation’ -name “RealTimeIsUniversal” -Value 1 -Type DWord -force

Set-Service -Name w32time -StartupType Automatic

Step5: Setup Power Profile using this command powercfg /setactive SCHEME_MIN

Step6: Setup TEMP and TMP and location to default

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment’ -name “TEMP” -Value “%SystemRoot%\TEMP” -Type ExpandString -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment’ -name “TMP” -Value “%SystemRoot%\TEMP” -Type ExpandString –force

Step7: Setup Windows Services to automatic

Set-Service -Name bfe -StartupType Automatic

Set-Service -Name dhcp -StartupType Automatic

Set-Service -Name dnscache -StartupType Automatic

Set-Service -Name IKEEXT -StartupType Automatic

Set-Service -Name iphlpsvc -StartupType Automatic

Set-Service -Name netlogon -StartupType Manual

Set-Service -Name netman -StartupType Manual

Set-Service -Name nsi -StartupType Automatic

Set-Service -Name termService -StartupType Manual

Set-Service -Name MpsSvc -StartupType Automatic

Set-Service -Name RemoteRegistry -StartupType Automatic

Step8: Setup Remote Desktop registry

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server’ -name “fDenyTSConnections” -Value 0 -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “fDenyTSConnections” -Value 0 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “PortNumber” -Value 3389 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “LanAdapter” -Value 0 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “UserAuthentication” -Value 1 -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “SecurityLayer” -Value 1 -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “fAllowSecProtocolNegotiation” -Value 1 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “KeepAliveEnable” -Value 1  -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “KeepAliveInterval” -Value 1  -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “KeepAliveTimeout” -Value 1 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “KeepAliveEnable” -Value 1  -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “KeepAliveInterval” -Value 1  -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “KeepAliveTimeout” -Value 1 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “fDisableAutoReconnect” -Value 0 -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “fInheritReconnectSame” -Value 1 -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “fReconnectSame” -Value 0 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “MaxInstanceCount” -Value 4294967295 -Type DWord –force

Remove-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “SSLCertificateSHA1Hash” –force

Step9: Setup Firewall

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

Enable-PSRemoting -force

 Set-NetFirewallRule -DisplayName “Windows Remote Management (HTTP-In)” -Enabled True

Set-NetFirewallRule -DisplayGroup “Remote Desktop” -Enabled True

Set-NetFirewallRule -DisplayName “File and Printer Sharing (Echo Request – ICMPv4-In)” -Enabled True

Step10: Check VM disk on next boot

Chkdsk /f

Step11: Set the Boot Configuration Data (BCD) settings

 bcdedit /set {bootmgr} integrityservices enable

 bcdedit /set {default} device partition=C:

 bcdedit /set {default} integrityservices enable

 bcdedit /set {default} recoveryenabled Off

 bcdedit /set {default} osdevice partition=C:

 bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

 #Enable Serial Console Feature

 bcdedit /set {bootmgr} displaybootmenu yes

 bcdedit /set {bootmgr} timeout 5

 bcdedit /set {bootmgr} bootems yes

 bcdedit /ems {current} ON

 bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200

Step11: Setup Crash dump

# Setup the Guest OS to collect a kernel dump on an OS crash event

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl’ -name CrashDumpEnabled -Type DWord -force -Value 2

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl’ -name DumpFile -Type ExpandString -force -Value “%SystemRoot%\MEMORY.DMP”

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl’ -name NMICrashDump -Type DWord -force -Value 1

#Setup the Guest OS to collect user mode dumps on a service crash event

$key = ‘HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps’

if ((Test-Path -Path $key) -eq $false) {(New-Item -Path ‘HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting’ -Name LocalDumps)}

New-ItemProperty -Path $key -name DumpFolder -Type ExpandString -force -Value “c:\CrashDumps”

New-ItemProperty -Path $key -name CrashCount -Type DWord -force -Value 10

New-ItemProperty -Path $key -name DumpType -Type DWord -force -Value 2

Set-Service -Name WerSvc -StartupType Manual

Step12: Verify that the Windows Management Instrumentations (WMI) repository

winmgmt /verifyrepository

Step14: Do not remove or modify access for the following accounts

  • Administrators
  • Backup Operators
  • Everyone
  • Users

Step13: Install Azure VM Agents

Install the Azure VMs Agent.

Step14: Setup Pagefile to different location

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management’ -name “PagingFiles” -Value “D:\pagefile.sys” -Type MultiString –force

Generalise Golden Image

  1. Boot a PC into Audit Mode. When Windows boots into Audit Mode, System Preparation Tool will appear on the desktop. You can choose to either close the System Preparation Tool window or allow it to remain open.
  2. Customize Windows by adding drivers, changing settings, and installing programs. Do not install any Microsoft Store apps using the Microsoft Store.
  3. Run Sysprep. %WINDIR%\system32\sysprep\sysprep.exe /generalize /shutdown /oobe

Convert disk using Hyper-V Manager

  1. Open Hyper-V Manager and select your local computer on the left. In the menu above the computer list, click Action > Edit Disk.
  2. On the Locate Virtual Hard Disk screen, locate and select your virtual disk.
  3. On the Choose Action screen, and then select Convert and Next.
  4. If you need to convert from VHDX, select VHD and then click Next.
  5. If you need to convert from a dynamically expanding disk, select Fixed size and then click Next.
  6. Locate and select a path to save the new VHD file to.
  7. Click Finish.
  8. You can do the same using PowerShell Convert-VHD –Path c:\test\MY-VM.vhdx –DestinationPath c:\test\MY-NEW-VM.vhd -VHDType Fixed

Export Windows 10 Enterprise VHD

  1. On Hyper-V Manager, right-click the virtual machine and select Export.
  2. Choose where to store the exported files, and click Export.
  3. When the export is done, you can see all exported files under the export location.

Upload VHD to Azure Blob Storage

You can also upload a VHD to your storage account using one of the following:

  • AzCopy
  • Azure Storage Copy Blob API
  • Azure Storage Explorer Uploading Blobs
  • Storage Import/Export Service REST API Reference
  • PowerShell

Use the Add-AzVhd cmdlet to upload the VHD to a container in your storage account.

$rgName = “myResourceGroup”

$urlOfUploadedImageVhd = “https://mystorageaccount.blob.core.windows.net/mycontainer/myUploadedVHD.vhd”

Add-AzVhd -ResourceGroupName $rgName -Destination $urlOfUploadedImageVhd

    -LocalFilePath “C:\Users\Public\Documents\Virtual hard disks\myVHD.vhd”

Create a managed image from the uploaded VHD

$location = “Australia East”

$imageName = “Windows10EntGoldImage”

$imageConfig = New-AzImageConfig -Location $location

$imageConfig = Set-AzImageOsDisk -Image $imageConfig -OsType Windows -OsState Generalized -BlobUri $urlOfUploadedImageVhd -DiskSizeGB 20

New-AzImage  -ImageName $imageName -ResourceGroupName $rgName –Image $imageConfig

Create the VM

New-AzVm -ResourceGroupName $rgName  -Name ” VM1″ -ImageName $imageName -Location $location -VirtualNetworkName “myVnet” -SubnetName “mySubnet” -SecurityGroupName “myNSG” -PublicIpAddressName “myPIP” -OpenPorts 3389

Deploy Windows Virtual Desktop Host Pool from the Azure Managed Image.

Use the below KBs to create Windows Virtual Desktop host pool.

KB1 and KB2. Follow the KBs except when selecting an image select Managed Image you created using above how to. 

Convert Synced User to In-Cloud User

Here is the scenario:

Synced ID: Specifies the immutable ID of the federated identity of the user. This should be omitted for users with standard identities.

You have local Active Directory with AAD Connect installed, which sync users and password hash to Office 365. Now you have decided to migrate the authentication from local Active Directory to Office 365 and decommission on-premises Active Directory. The purpose of this exercise to demote on-premises AD, use Office 365 as office productivity tools and Azure AD as the IDaaS.

The following are the steps to transition from on-premises “Synced Identity” to “In Cloud Identity”.

Step1: Sign into the AAD Connect Server and Sync the Delta

Start-ADSyncSyncCycle -PolicyType Delta

Step2: Turn off AAD Connect Sync

Set-MsolDirSyncEnabled -EnableDirSync $false

Step3: Transition a Single Test User from on-premises “Synced Identity” to “In Cloud Identity”.

Get-MsolUser -UserPrincipalName john.doe@domain.com | Set-MsolUser -ImmutableId $null

Step4: Remove Immutable ID of all users

Get-MsolUser | Set-MsolUser -ImmutableId $null

Step5 (Optional): Alternative Scripts

$users=Get-MSOLUser

$immutableID=$null

Foreach($user in $users)

{Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableID $immutableID}

Step5: Turn o AAD Connect Sync

Now go to local Active Directory, move user out of sync scope. In best practice when you have configured sync, you target a specific OU in active directory to sync users from, moving user to different OU will take user out of sync scope. If you have targeted the sync to all users then you have delete user from your local active directory.

Step6: Turn on AAD Connect Sync

Set-MsolDirSyncEnabled -EnableDirSync $true

Step7: Enable Force Sync if the Sync didn’t work

Import-Module ADSyn
Start-ADSyncSyncCycle -PolicyType Initial

Step8: Change the Federated Domain to Standard Domain if you have ADFS Server

Convert-MsolDomainToStandard -DomainName domain.com -WhatIf
Convert-MsolDomainToStandard -DomainName domain.com -Confim

Step9: Test SSO using Azure AD

Now, last step is to login into Office365 with the same password, it should work.
Also, you will see that in Office365 the user sync status will be shown as Incloud instead of Synced with local AD.

 

Decide on Office 365 Migration Path

Deciding on the best migration path of your users’ email to Office 365 can be difficult. Your migration performance will vary based on your network, existing messaging systems design, mailbox size, migration speed, and so on.

Office365

For migrations from an existing on-premises Exchange Server environment, you can migrate all email, calendar items, tasks and contacts from user mailboxes to Office 365. The available methods are cutover, staged, and Exchange Hybrid migrations.

For migrating third-party email to Office 365, you can configure mail flow coexistence if the third-party email provider permits then migrate the mailboxes using IMAP or cutover migration options.

Migrating from Exchange 2003 or Exchange 2007

Number of mailboxes How quickly do you want to migrate? Use
Fewer than 150 Over a weekend or a few days. Cutover
Fewer than 150 Slowly, by migrating a few users at a time. Staged
Over 150 Over a weekend or a few days. Staged
Over 150 Slowly, by migrating a few users at a time. Staged

Migrating from Exchange 2010 or Exchange 2013 or Exchange 2016 or Exchange 2019

Number of mailboxes How quickly do you want to migrate? Use
Fewer than 150 Over a weekend or a few days. Cutover
Fewer than 150 Slowly, by migrating a few users at a time. Exchange Hybrid
Over 150 Over a weekend or a few days. Exchange Hybrid
Over 150 Slowly, by migrating a few users at a time. Exchange Hybrid

Migrating from third-party email system to Office 365

Number of mailboxes How quickly do you want to migrate? Use
Fewer than 150 Over a weekend or a few days. Cutover
more than 150 Slowly, by migrating a few users at a time. IMAP with mail flow coexistence

If the mailboxes you’re migrating contain a large amount of data, you can also use Office 365 Import Service to import PST files to Office 365.

Azure AD B2B Collaboration With SharePoint Online

Azure AD B2B collaboration capabilities to invite guest users into your Azure AD tenant to allow them to access Azure AD service Azure AD B2B collaboration invited users can be picked from OneDrive/SharePoint Online sharing dialog boxes. OneDrive/SharePoint Online invited users also show up in Azure AD after they redeem their invitations and other resources such OneDrive for Business, SharePoint Online in your organization.

Azure B2B
Azure AD B2B Collaboration (Source Microsoft Corp)

Licensing Requirements for Paid Features:

The customer who owns the inviting tenant must be the one to determine how many B2B collaboration users need paid Azure AD capabilities. Depending on the paid Azure AD features you want for your guest users, you must have enough Azure AD paid licenses to cover B2B collaboration users in the same 5:1 ratio.

Extranet Collaboration.png
Contoso Corp B2B Collaboration with partners (Source Microsoft Corp)

The below guides articulate how to deploy Azure B2B functionality for SharePoint Online.

Turning on Azure AD Integrated App for Office 365

  1. Log on to Office 365 portal.office.com using your work or school account.
  2. Go to the Office 365 admin center, and from the left navigation bar, click Settings> Services & add-ins
  3. On the Integrated apps page, use the toggle to turn Integrated Apps on or off.

Add a B2B User

  1. Sign in to the Azure portal as an Azure AD administrator.
  2. In the navigation pane, select Azure Active Directory.
  3. Under Manage, select Users. Select New guest user.
  4. Under User name, enter the email address of the external user. Optionally, include a welcome message.
  5. Select Invite to automatically send the invitation to the guest user.
  6. To assign Group Permission, Under Manage, select Groups.
  7. Select a group (or click New group to create a new one). It’s a good idea to include in the group description that the group contains B2B guest users.
  8. Select Members. Add the Guest User.

Add Azure AD B2B Licenses

  1. Log on to Azure Portal.Azure.com, Navigate to Azure Active Directory
  2. To assign a license, under Azure Active Directory > Licenses > All Products, select one or more products, and then select Assign on the command bar.
  3. You can use the Users and groups blade to choose multiple users or groups or to disable service plans in the product. Use the search box on top to search for user and group names.
  4. When you assign licenses to a group, it can take some time before all users inherit the license depending on the size of the group. You can check the processing status on the Group blade, under the Licenses

Add guest users to a SharePoint Online App

  1. Sign in to the Azure portal as an Azure AD administrator. In the navigation pane, select Azure Active Directory.
  2. Under Manage, select Enterprise applications > All applications. Select the application to which you want to add guest users.
  3. On the application’s dashboard, select Total Users to open the Users and groups pane.
  4. Select Add user. Under Add Assignment, select User and groups.
  5. If the guest user already exists in the directory, search for the B2B user. Select the user, click Select, and then click Assign to add the user to the app.
  6. The guest user appears in the application’s Users and groups list with the assigned role of Default Access or Under Edit Assignment, click Select Role, and select the role you want to assign to the selected user. Click Select. Click Assign.

Turn on External Sharing for SharePoint Online

  1. Sign in to Office 365 as a global admin or SharePoint admin.
  2. Select the app launcher icon The app launcher icon in Office 365 in the upper-left and choose Admin to open the Office 365 admin center. (If you don’t see the Admin tile, you don’t have Office 365 administrator permissions in your organization.)
  3. In the left pane, choose Admin centers > SharePoint.
  4. In the left pane, click sharing.
  5. Select “Allow sharing only with the external users that already exist in your organization’s directory.”
  6. You can setup additional settings such as Limits external sharing using domains, prevent external users from sharing files, External User must accept sharing invitations.

Turn on External Sharing for Specific Site Collection

  1. Sign in to Office 365 as a global admin or SharePoint admin.
  2. Select the app launcher icon The app launcher icon in Office 365 in the upper-left and choose Admin to open the Office 365 admin center. (If you don’t see the Admin tile, you don’t have Office 365 administrator permissions in your organization.)
  3. In the left pane, choose Admin centers > SharePoint.
  4. Click Try the preview to open the new SharePoint admin center.
  5. In the left pane, click Site management.
  6. Locate the site that you want to update, and click the site name.
  7. In the right pane, under Sharing status, click Change.
  8. Select your option (see the following table) and click Save.

Redemption through the invitation email

If invited through a method that sends an invitation email, users can also redeem an invitation through the invitation email. An invited user can click the redemption URL in the email, and then review and accept the privacy terms.

  1. After being invited, the invitee receives an invitation through email that’s sent from Microsoft Invitations.
  2. The invitee selects Get Started in the email.
  3. If the invitee doesn’t have an Azure AD account or an MSA, they’re prompted to create an MSA.
  4. The invitee is redirected to the Review permissions screen, where they can review the inviting organization’s privacy statement and accept the terms.

Office 365 MailFlow Scenarios and Best Practices

Microsoft Office 365 gives you the flexibility to configure mail flow based on your requirements and uses scenario to delivered email to your organisation’s mailboxes. The simplest way to configure mail flow is to allow Microsoft EOP to handle spam filter and Maiflow of your organisation. However, you may have already invested your infrastructure handle mail flow. Microsoft also accepts this situation and allow you to use your own spam filter.

The below scenario and use cases will allow you to determine how you can configure MailFlow of your organisation.

Mailbox Location MailFlow Entry Point Scenario & Usecases Recommended MailFlow Configuration  and Example MX record
Office 365 Office 365 Use Microsoft EOP

Demote or migrate all mailboxes to office 365

Use Office 365 mailboxes

MX record Pointed to Office 365

MX: domain-com.mail.protection.outlook.com

SPF:  v=spf1 include:spf.protection.outlook.com -all

 

On-premises On-prem Prepare the on-prem to be cloud ready

Build and Sync AAD Connect

Built ADFS Farm

MX record Pointed to On-prem

MX1.domain.com

SPF: v=spf1 include: MX1.domain.com  include:spf.protection.outlook.com -all

Third-party cloud, for example, G-Suite Both third-party and office 365 Prepare to migrate to Office 365

Stage mailbox data

MailFlow co-existance

MX record pointed to third-party cloud

MX record Pointed to On-prem

in.hes.trendmicro.com

SPF: v=spf1 include:spf.protection.outlook.com include: in.hes.trendmicro.com include: ASPMX.L.GOOGLE.COM -all

Combination of On-premises and Office 365 On-premises Hybrid Environment

Stage mailbox migration

MailFlow co-existance

MX record Pointed to On-prem spam filter

MX record Pointed to On-prem

MX1.domain.com

SPF: v=spf1 include: MX1.domain.com  include:spf.protection.outlook.com -all

Combination of On-premises and Office 365 Third-party cloud spam filter Hybrid Environment

Stage mailbox migration

MailFlow co-existance

MX record Pointed to third-party cloud spam filter

MX record pointed to third-party cloud

MX record Pointed to On-prem

in.hes.trendmicro.com

SPF: v=spf1 include:spf.protection.outlook.com include: in.hes.trendmicro.com -all

MailFlow Configuration Prerequisites:

  1. Make sure that your email server (also called “on-premises mail server”) is set up and capable of sending and receiving mail to and from the Internet.
  2. Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid public certification authority-signed (CA-signed) certificate.
  3. Make a note of the name or IP address of your external-facing email server. If you’re using Exchange, this will be the Fully Qualified Domain Name (FQDN) of your Edge Transport server or CAS that will receive an email from Office 365.
  4. Open port 25 on your firewall so that Office 365 can connect to your email servers.
  5. Make sure your firewall accepts connections from all Office 365 IP addresses. See Exchange Online Protection IP addresses for the published IP address range.
  6. Make a note of an email address for each domain in your organisation. You’ll need this later to test that your connector is working correctly.
  7. Make sure you add all datacenter IP addresses of Office 365 into your receive connector of on-premises Exchange server

Configure mail to flow from Office 365 to your email server and vice-versa. There are three steps for this:

  1. Configure your Office 365 environment.
  2. Set up a connector from Office 365 to your email server.
  3. Change your MX record to redirect your mail flow from the Internet to Office 365.

Note: For Exchange Hybrid Configuration wizard, connectors that deliver mail between Office 365 and Exchange Server will be set up already and listed here. You don’t need to set them up again, but you can edit them here if you need to.

  1. To create a connectorExchange in Office 365, click Admin, and then click to go to the Exchange admin center. Next, click mail flow click mail flow, and click connectors.
  2. To start the wizard, click the plus symbol +. On the first screen, choose the appropriate options when creating MailFlow from Office 365 to On-premises Server
  3. Click Next, and follow the instructions in the wizard.
  4. Repeat the step to create MailFlow between On-premises to Office 365.
  5. To redirect email flow to Office 365, change the MX (mail exchange) record for your domain to Microsoft EOP, i.e. domain-com.mail.protection.outlook.com

Relevant Articles:

Mailflow Co-existence between G-Suite and Office 365 during IMAP Migration

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Centralized MailFlow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

Migrate Office 365 Relying Party Trust to Different ADFS Farm

To migrate Office 365 Relying Party Trust from an existing ADFS Farm to new ADFS Farm, follow the step by step guide. Migrating Office 365 Relying Party Trust will incur a minor disruption to SSO environment.

Prerequisites:

  • Existing ADFS Farm with FQDN sts.domain.com
  • New ADFS Farm with FQDN sts1.domain.com
  • Existing Certificate CN=sts.domain.com or a wildcard certificate
  • New certificate with CN=sts1.domain.com
  • New public IP address for the public CNAME sts1.domain.com
  • A public CNAME record sts1.domain.com
  • An internal CNAME record sts1.domain.com

Note: keep the existing AAD Connect unless you have a requirement to build a new one.

Here are the steps:

Step1: Verify AAD Connect Configuration

  • Open AAD Connect, View Sign-in Option.
  • Check AAD Connect Wizard to make sure you did not configure “Federation with ADFS” Sign-in option. If you have done so then run AAD Connect Wizard again and replace the certificate and ADFS farm details to new ADFS server sts1.domain.com

Step2: Build ADFS and WAP Servers

Build a new ADFS farm side by side with an existing ADFS farm. It would be redundant effort to write another blog. Please follow my previous blog to deploy ADFS and WAP.

Building Multiple ADFS Farms in a Single Forest

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Branding and Customizing the ADFS Sign-in Pages

Step3: Test SSO

Log on to the https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx using on-premises credentials to make sure you can single sign-on.

Step4: Gather list of existing federated domains from existing ADFS Farm

Log on to the existing primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.

$cred=Get-Credential

Connect-MsolService –Credential $cred

Get-MsolDomain

Record a list of Federated Domains.

Step5: Update Office 365 RP within the new ADFS Farm

Log on to the new primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.

$cred=Get-Credential

Connect-MsolService –Credential $cred

Update-MsolFederatedDomain –DomaiName “Domain.com” –SupportMultipleDomain –Confirm  Execute Update-MsolFederatedDomain Cmdlets if you have additional federated domains such as DomainB.com

GetMsolDomain

Open ADFS Management Console, Make sure Office 365 RP has been created with necessary tokens and permissions. If necessary, clone all incoming and outgoing claims and permission from previous ADFS farm to new ADFS Farm and apply to the newly created Office 365 RP.

Step6: Test SSOOnce you have completed the Step5, wait for Microsoft to update their backend Identity and Federation systems. In my previous implementation work, it took 30 minutes the change to take effect.  Sign on to portal.office.com; you will be redirected to https://sts1.domain.com to authenticate. Once you have sign-in successfully, you have completed the migration work.

Step7: New AAD Connect Server (Optional)Check step1 before running AAD Connect Wizard and reconfigure sign-in options. If you need to change sign-in options, please follow the guide to change Sign-in Option.

Relevant Articles:

Upgrading AD FS to Windows Server 2016 FBL

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II