Home / / Google Workspace Connector Configuration

Google Workspace Connector Configuration

This article explains how to configure a Google Workspace Connector and the Google feeds you need in your Google admin console whenever migrating TO and FROM G Suite.

Create The Google Workspace Connector

Go to the Connectors area of your project.

Select New.

Choose your Connector Type (GSuite), and give it a name such as Google tenantname.

Select if it is a source or target connector.

Choose your migration products, or for coexistence choose which coexistence products you will use.

Click Next, and you will see the connector configuration page where you have 2 options:

1. Either use the our predefined Cloudiway service account:

Cloudiway Service Account

2. Or define and use your own service account by following these steps.

Google Service Account

For both options you have to populate these fields:

  • Domain Names: enter the Domain Names to manage.
  • Migration Account: most of the Google APIs need an account to impersonate (run on behalf of), enter the email address of that account here.

For best results the migration account specified should be administrator (superadmin) of the tenant for Google Site, Groups, Team Drive migration, or GALSync, and Free/Busy. It is not used for Mailbox and Drive migration. If you do not wish to use a superadmin account for this, the migration account specified must have appropriate admin/owner/manager rights manually applied to each of the source items to migrate; every site, Team Drive, etc.

It’s for the migration connectors where we can level down the super admin account to the appropriate admin/owner/manager for each corresponding Google workload to migrate.

For more information please read: Do I Need A Global Admin Service Account For Cloudiway?

  • Migration Account Password: Enter the password of your migration account.  Please make sure the password will not change or expire during the project.
  • Phone Number and Favorite Logon Location are required by Google Site and Google Groups migration (Google may ask to answer security questions if it detects login from an unusual location).
  • Google service account which is not the migration account specified above:
    • The Cloudiway Google service account is always the same and its Oauth 2 client ID is 114818336788408865729. You don´t need to enter anything in the connector for this option.
    • The custom Google service account must be created following these steps and the Oauth 2 client ID will be unique to each customer. Enter the service account name, import the certificate and provide the certificate password.

Click on NEXT then COMPLETE.

 

Set The Google Workspace Feeds

You need to give Cloudiway permissions to access your data through the Google APIs. This will grant Cloudiway products access to the appropriate scopes.

Go to https://admin.google.com and log in with your Super Admin console credentials

Google API Controls

  1. Click on Security, Access and data Control, then API Controls
  2. Scroll down and under Domains Wide Delegation, click on MANAGE DOMAIN WIDE DELEGATION
  3. Click Add New
  4. In the Client ID field depending on which Google service account you are using, paste the following:
      • The Cloudiway Google service account is always the same so copy 114818336788408865729 and paste in Client ID.
      • The custom Google service account is always unique. Once you have created the custom service account following these steps, copy the Oauth 2 client ID and paste in the Client ID field.
  5. Determine the required scopes or Google feeds (see list below)
  • Each scope must be separated by a comma. 
  • Some scopes require slashes (/) at the end and others don’t: please use the strings below.
  • If you add another scope later, existing scopes will be removed: you need to add the whole list at the same time.
  • The last scope “admin.directory.user.readonly” in each block is required only if you want to discover users with Get List in Mail and File migration products. If you are combining several blocks, you can just remove the redundant ones.
  • Copy all scope blocks you need to a for example notepad to easily paste them into the OAuth Scopes (comma-delimited) field as in the screenshot below. Leave the section titles out. Copy the entire built scope block from the notepad.

Migration FROM Google Workspace:

Mail Migration FROM G Suite (Gmail)
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/gmail.labels,
https://www.googleapis.com/auth/tasks.readonly,
https://www.googleapis.com/auth/contacts.readonly,
https://www.googleapis.com/auth/gmail.imap_admin,
https://www.googleapis.com/auth/gmail.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,

Migration FROM Google Groups and Vault
https://www.googleapis.com/auth/ediscovery,
https://www.googleapis.com/auth/devstorage.full_control,
https://www.googleapis.com/auth/admin.directory.user.readonly,

Migration FROM GDrive or Google Team Drive
https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,

If you want to grant automatically the organizer permission on all team drives, you need to add https://www.googleapis.com/auth/drive,

Migration FROM Google Sites
https://www.google.com/calendar/feeds/,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://sites.google.com/feeds/,
https://www.googleapis.com/auth/admin.directory.user.readonly,

Migration TO Google Workspace:

Mail Migration TO G Suite (Gmail)
https://www.googleapis.com/auth/admin.directory.resource.calendar,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/gmail.labels,
https://www.googleapis.com/auth/tasks,
https://www.googleapis.com/auth/gmail.insert,
https://www.googleapis.com/auth/gmail.readonly,
https://www.googleapis.com/auth/contacts,
https://www.googleapis.com/auth/gmail.imap_admin,
https://www.google.com/m8/feeds/,

Migration TO GDrive or Google Team Drive
https://www.googleapis.com/auth/drive,

Google Workspace Coexistence:

GALSync G Suite
https://apps-apis.google.com/a/feeds/user/,
https://apps-apis.google.com/a/feeds/groups/,
https://apps-apis.google.com/a/feeds/policies/,
https://www.google.com/m8/feeds/,
https://apps-apis.google.com/a/feeds/alias/,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/directory.readonly,
https://www.googleapis.com/auth/contacts,

Free/Busy G Suite
https://www.googleapis.com/auth/calendar.freebusy,

6. Finally, paste the Google Workspace feeds block from the notepad into the OAuth Scopes (comma-delimited) field (you only need to do this once, it’s not needed to add Google feeds one by one but the entire built block at once) and click on the Authorize button

Google Workspace ID Authorize

 

 

Want to learn more about Cloudiway? View our professional resources, including white papers, datasheets, and customer stories on cloudiway.com

Meet Cloudiway - A powerful migration and coexistence platform. We support Teams, G Suite, Office 365, Zimbra, Lotus, and more...
Register Now