Google Workspace Tenant Migration Assessment

Overview

This template produces a Google Workspace Tenant Migration Assessment that provides information about your Google tenant environment, including mailboxes, Google Drive and shared drives, groups, domains, org units, etc.

This is useful in the following use cases:

  • Google tenant to tenant pre-migration assessment providing information about the source tenant.
  • General-purpose Google tenant reporting.

How it works

This template will retrieve data across your Google tenant to generate a report detailing the following information:

  • User and resource mailboxes including suspended mailboxes
  • Google Drive including drives associated with suspended accounts
  • Shared drives
  • Google groups (collaborative and non-collaborative)
  • Holds and Matters
  • Tenant Domains
  • Organizational units
  • Admin users

Requirements

To run this report, you will need to set up a Google Project, enable APIs for a Service Account and then set up scopes. To do this, complete the following steps:

Create a project and enable APIs

  1. Log into the Google Cloud Platform (GCP) Console and sign in as a super administrator.

  2. Under the section Dashboard, click on Create Project. If the button Create Project doesn’t exist, click on the dropdown next to an existing project, then click on New Project

  3. Provide the project a name (for example, Voleer Google Report), then click Create

  4. Once the project is created, click on Enable APIs and Services

  5. Type in Admin SDK API in the search box, then hit Enter. Click on the result labelled Admin SDK API

  6. Click on the button Enable

  7. Click on the APIs & Services breadcrumb along the top left hand side to get back to the Dashboard page to continue adding APIs

  8. Repeat steps 5 - 7 for the following APIs
    – G Suite Vault API
    – Gmail API
    – Google Drive API
    – Cloud Identity
    – Groups Settings API
    – Google People API

Create Service Account

  1. Log into Google Cloud Platform IAM & Admin and sign in as a super administrator.

  2. Select the project created above

  3. Click on + Create Service Account

  4. Provide a service account name and description. Then click on Create and Continue

  5. Select the role of Owner, then click on Continue and finish creating the service account by clicking on Done. You will return to the Service accounts page. Make note of the newly created service account email address as you will be required to input this when running the Voleer template

  6. On the Service accounts page, click on the vertical ellipsis under the Actions column for the newly created service account. Click on Manage keys

  7. Click on Add Key, then Create new key, and select key type P12. Click Create

  8. The key file will be downloaded onto your machine. Keep track of this file as it will be uploaded into Voleer later.

  9. Navigate back to the service account by clicking on Service Accounts on the left hand menu

  10. Find the Unique ID field for that service account by clicking the Column Display Options button in the right upper corner above Actions and selecting Unique ID.

  11. Copy the Unique ID for later use

Setting the scopes

  1. Go to Domain Wide Delegation and sign in as a super administrator

  2. Click on Add new

  3. Paste in the Unique ID from step 11 above, then paste in the following text within the OAuth scopes (comma-delimited) field

https://www.googleapis.com/auth/admin.directory.customer.readonly,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.reports.usage.readonly,
https://www.googleapis.com/auth/apps.groups.settings,
https://www.googleapis.com/auth/cloud-identity.groups.readonly,
https://www.googleapis.com/auth/contacts.readonly,
https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/ediscovery.readonly,
https://www.googleapis.com/auth/gmail.readonly

  4. Click Authorize
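
As an added example (not part of the original template or of Voleer's code), the Python below audits what was entered in the OAuth scopes field against the list on this page: it reports missing, extra and malformed scopes, flags any scope that is not read-only, and produces the single-line value to paste. The names parse_scopes, audit and GRANTED_SAMPLE are hypothetical, and the "granted" input is a constructed sample.

```python
PREFIX = "https://www.googleapis.com/auth/"
# Scope list exactly as given on this page (comma-delimited, one per line).
PAGE_SCOPES = """
https://www.googleapis.com/auth/admin.directory.customer.readonly,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.reports.usage.readonly,
https://www.googleapis.com/auth/apps.groups.settings,
https://www.googleapis.com/auth/cloud-identity.groups.readonly,
https://www.googleapis.com/auth/contacts.readonly,
https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/ediscovery.readonly,
https://www.googleapis.com/auth/gmail.readonly
"""

def parse_scopes(text):
    """Split on commas/whitespace, drop blanks and duplicates, keep order."""
    seen, out = set(), []
    for tok in text.replace(",", " ").split():
        if tok not in seen:
            seen.add(tok)
            out.append(tok)
    return out

def audit(required_text, granted_text):
    """Compare what was entered against what the page requires."""
    required, granted = parse_scopes(required_text), parse_scopes(granted_text)
    valid = [s for s in granted if s.startswith(PREFIX) and len(s) > len(PREFIX)]
    return {
        "malformed": [s for s in granted if s not in valid],
        "not_readonly": [s for s in valid if not s.endswith(".readonly")],
        "missing": [s for s in required if s not in granted],
        "extra": [s for s in granted if s not in required],
        "paste_value": ",".join(required),
    }

# Constructed sample of a mis-entered client: the gmail scope is dropped and
# drive.readonly is widened to full drive access.
GRANTED_SAMPLE = PAGE_SCOPES.replace("drive.readonly", "drive").replace(
    PREFIX + "gmail.readonly", "")

if __name__ == "__main__":
    for key, value in audit(PAGE_SCOPES, GRANTED_SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the page's own list, the audit reports apps.groups.settings as the one scope that is not read-only, which is worth noting when reviewing what this delegation grants.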

Getting Started

To start using this template, perform the following:

  1. Sign in to your Voleer account or sign up for a new account
  2. Find and click on the tile labelled Google Workspace Tenant Migration Assessment template from the list of templates within the library
  3. Select a workspace from the dropdown and click on Launch
  4. Select Save a new integration from the Google Service Account Integration
  5. Provide a name and a description. Note - for ease of management, name the integration the Google tenant name
  6. For Service account email, enter the email from step 5 in Create Service Account above. For Service account .p12 file, upload the file from step 8 in Create Service Account. For Admin account email, provide the email address of the admin account of the Google tenant. Click on Submit
  7. Click on Close
  8. Select the newly created integration from the Google Service Account Integration dropdown, then Submit
  9. Configure the template by providing the recipient email address, then click on Validate Template Configuration
  10. Validate the details of the configuration and then click on Execute. Note - if the configuration is incorrect, cancel the run and start a new instance


Good day, I hope you are well.

At the “Getting Started” portion on step 8, I get the following error when I click Submit:

“Failed to validate the service account.
Exception occurred while retrieving an access token. This could mean that the Google tenant has not been configured properly:
The remote server returned an error: (401) Unauthorized.”

Please can you assist me with this?

Hi, I have followed this guide; however, I can’t find the Cloud Identity API. It doesn’t seem to exist.

Trying to add the Google Service Account integration without this throws the error message 'Failed to validate the service account. Exception occurred while retrieving groupLabels with ‘admin email address’. The remote server returned an error: (403) Forbidden.'

The admin account email is for a Super Admin Account.

Hello, good day. Is there any solution to the reported errors?
I have a similar error; I am sharing the log in case someone can review it while I check the tenant configuration.

2024-02-26T21:35:27Z [Information] Validating credentials.
2024-02-26T21:35:27Z [Information] Creating status message: ‘[Information]: Validating credentials.’
2024-02-26T21:35:27Z [Information] Checking scopes.
2024-02-26T21:35:27Z [Information] Creating status message: ‘[Information]: Checking scopes.’
2024-02-26T21:35:28Z [Information] Retrieving access token.
2024-02-26T21:35:28Z [Information] Creating status message: ‘[Information]: Retrieving access token.’
2024-02-26T21:35:29Z [Warning] Exception occurred while retrieving an access token. This could mean that the Google tenant has not been configured properly:
The remote server returned an error: (400) Bad Request.

2024-02-26T21:35:29Z [Information] Creating status message: '[Error]: Exception occurred while retrieving an access token. This could mean that the Google tenant has not been configured properly:
The remote server returned an error: (400) Bad Request.

2024-02-26T21:35:29Z [Information] Telemetry-Full Task-0-00:00:01.7371591
2024-02-26T21:35:29Z [Warning] Failed to validate the service account.
Exception occurred while retrieving an access token. This could mean that the Google tenant has not been configured properly:
The remote server returned an error: (400) Bad Request.

2024-02-26T21:35:29Z [Information] Creating validation message: 'Failed to validate the service account.
Exception occurred while retrieving an access token. This could mean that the Google tenant has not been configured properly:
The remote server returned an error: (400) Bad Request.

2024-02-26T21:35:29Z [Error] : The validation was unsuccessful.