Teri Radichel

Summary

The provided content outlines a comprehensive guide to migrating emails and domains from one Google Workspace to another, detailing the necessary steps, potential pitfalls, and security considerations to ensure a smooth transition.

Abstract

The article "Migrating Emails and Domains From one Google Workspace to Another" by Teri Radichel offers an in-depth exploration of the process for transferring email accounts and domain names between Google Workspace environments. It emphasizes the importance of understanding the implications of such migrations, including the potential loss of access to Google services tied to specific email addresses. The guide covers practical steps such as verifying domain ownership, transferring emails, handling Google Voice numbers, and ensuring continuity of service for YouTube and other Google-associated services. Radichel also discusses the use of shared drives for data transfer, the management of alternate emails, and the necessity of updating DNS records to maintain email deliverability and security. The article serves as a valuable resource for IT administrators and cybersecurity professionals navigating the complexities of Google Workspace migrations.

Opinions

  • The author expresses frustration with the complexity of Google's migration process and suggests improvements, such as easier transfer methods for services like Google Voice and YouTube.
  • Radichel advocates for the use of multi-factor authentication (MFA) and hardware keys, like YubiKey, for enhanced security during the migration process.
  • The author criticizes the potential security risks associated with inadvertent or malicious email transfers, highlighting the need for strict authorization controls.
  • There is a clear preference for not associating many services with a Google account to avoid complications during account transfers.
  • The article suggests that Google should streamline the migration process to reduce the risk of data loss and to make it more user-friendly.
  • Radichel recommends keeping detailed records of all services and data associated with an email address to facilitate a smoother migration process.
  • The author emphasizes the importance of being cautious when deleting domains and email accounts to prevent loss of access to critical services and data.

Migrating Emails and Domains From one Google Workspace to Another

Taking a look at the new Google Migration process


I’ve been writing about network security lately but I’m going to jump topics to something completely different.

I needed to move a few email accounts around. It is important to understand how emails can be migrated from one account to another so that your emails don’t get inadvertently or maliciously transferred. Also when emails get migrated around between Google Workspaces you can lose access to services. Lock this down as needed so it doesn’t happen without your authorization. Make sure you understand all the implications of transferring an account from one workspace to another.

Why Google hasn’t made this easier yet, I do not understand. #googlewishlist

Before you start moving emails to a new account, you’ll want to set up your new account securely. I’ll save that for another post. This post only covers moving the emails, since I found this information difficult to find in its entirety in one place.

Also note that if you have a Google Organization set up with groups, organizational units, etc. you might have some other things you’ll need to configure to get all the permissions right to carry out these steps. I’m starting with a new account, setting up some basic permissions, transferring the domains and accounts without the organization just yet. If and when I have time I’ll write about that.

The big caveat before you make the move

If you need to migrate users between two Google Workspace accounts anywhere along the way, this article is pretty good, except that there are some new options now for migrating emails, and this post below skips over a couple of steps.

One of the big caveats that article helps with is the fact that there are some Google services that do not transfer when you migrate emails between accounts and you could lose access to those accounts if you delete the email associated with them — even if you recreate it later. You’ll need to figure out all the things on Google that you have tied to a particular email address before you transfer it. For example:

  • Google developer accounts
  • YouTube accounts
  • Google Voice (personal and through Google Workspace)
  • Applications of any kind
  • I presume this applies to Google Cloud as well.

If you have anything tied to a Google email address, take these steps first. And unfortunately, I can’t find a way to transfer certain things.

I really, really wish Google would make this process easier.

Oops I just wrote that didn’t I?

Finding things associated with an email account

I was trying to find out all the things associated with my email account that might be dependent on that Google ID. Unfortunately there’s not a single place you can look to easily figure this out.

Here are a few things I found. Log into your account and click on Manage your Google Account.

Click On Payments & subscriptions. I don’t use any of these things and don’t know if these are tied to a Google ID, but just to be safe you might want to move them over before you transfer the domain and account.

Click on Security and check what third-party apps & services are associated with your account.

On that same page, check out the Password Manager. I presume you would lose any passwords associated with your account but I don’t use it and didn’t test it. Move those before you transfer the account and domain.

Click on Apps and Services. Notice what exists there and before you delete the email make sure anything you need has been transferred related to all these services.

One thing I don’t see here anywhere is anything related to YouTube and this account is associated with YouTube. Where can I find that?

If I look at App status in my Google Workspace administrator panel there’s nothing here for YouTube.

Also, there’s another problem. I have a Google Voice number associated with one of the emails but it’s not listed here because it’s not a Google Workspace voice number.

I have to enable Google Voice for that number to work but the number doesn’t show up anywhere in my Google Workspace account.

Oops I need to change my location here to Savannah, Georgia. This is an older Workspace I was trying to consolidate into another.

I also can’t find any information about that voice number anywhere in my Google account profile for that email address.

The only way you will know if that email address has a Google Voice number associated with it is if you log into Google Voice with that email address and Google Voice is enabled for your workspace.

I guess the same goes for YouTube.

By the way if you lose access to YouTube I found this page which may be helpful:

Log into the service and change the email address before you transfer the email and domain

Log into all those services and change the primary email to something you’re not moving or have already moved.

For example, let’s say you have a YouTube account associated with the email: [email protected]

You set up [email protected] in the new workspace.

You transfer all the email from [email protected] to [email protected].

You delete [email protected].

You just potentially lost your YouTube account, as it’s tied to an ID, not just the email you transferred. Even if you recreate [email protected] that won’t get you into the Google services tied to the old email address.

That’s so someone can’t register your domain and recreate your email address if you decide to delete it and take over old accounts and impersonate other people.

What you can try to do is change the primary email for the Google service such as a YouTube account before you transfer the email and domain. Make sure you can login to the YouTube account with the new email.

Then complete the transfer of the domain and recreate the email in the new account.

Then log into your YouTube account with the temporarily assigned email address and change it back to the original email address. The recreated email will have a new ID and your YouTube account will then be associated with that new ID.

If you have anything else tied to your Google email ID that you’ll be transferring, you’ll want to make sure you follow the same process to change the email associated with the service before you transfer the account.

Make sure you migrate emails associated with services such as the above first, not last, since you need some other email in the account to which you can move things while you perform the transfer.

Changing your YouTube email prior to a transfer

I found these posts on how to fix the email account associated with YouTube.

This first example seems to be for a non-workspace account. I’ll explain why when I explain the problems I had changing the email for a non-commercial Google Voice number in the next section.

This option looks more promising if you have a YouTube account associated with a business.

First I checked to see if I had any videos associated with an account I was going to transfer. Head over to https://youtube.com.

Click Your channel.

In this account I have none. And 1 follower 😆. I presume that is my own account? I didn’t look.

In another account I do have videos. I also have a couple of channels.

You can find my one glorious video on jobs in Cybersecurity here on my 2nd Sight Lab channel:

I know. I should do more. I’m working on it.

According to the second post I can change this to a brand account and add multiple emails.

In that post I linked to above, it shows how to check if you have a brand account. I do.

If you don’t, change your account to a brand account as described in that post.

You can change the primary email associated with your brand account to something other than the one you’re about to delete and transfer as explained below.

First, I added a second email to the account that I had already transferred to the new Google Workspace using the instructions below. I also left an email I had not yet transferred in the list to be safe.

After you add a new email, you have to log into that email and click a link to accept the link to the YouTube brand account.

Then I made a Google account in the new Google Workspace the primary owner of the YouTube account and tested the access.

Once I verified that was set up, I moved over the second email. Then I could change the primary owner of the YouTube account back to that second email.

Google Voice Consumer Account Problems

If you can’t change the email in the service, then you can’t delete the original email without losing access to the service. I tested this with a non-workspace Google Voice number I got eons ago. I somehow added the email address associated with that number to a Google Workspace, probably back before Google bought Postini or when it was G-Suite.

I changed the email address to a different email address in Google Workspace but did not move or change the account. So in other words, the original ID I used to set up a consumer Google voice number years ago was associated with a new email address but it still had the same ID.

When I changed the email address in Google Workspace for that account I could no longer access that account on voice.google.com. I had to restore the email address.

What a pain. I want to transfer that domain and email to a consolidated Google Workspace, and in order to do that I’d have to transfer that Google Voice number to something like a cell phone and then back into a Google Voice number in the workspace. And it would then cost money, which I’d happily pay if I could move the number to Google Voice (securely and easily).

Short of buying a new cell phone just to transfer my Google Voice number to a new account I don’t see a way to fix this.

That said, it’s a good idea to have a backup email in a secondary account as I’ll explain in an upcoming post.

Once you have taken steps to ensure you don’t lose access to anything associated with your Google account ID, you can proceed with the migration as explained below.

!! > Make sure you can login to the account where you need to make DNS changes before you start this process < !!

You need to make some DNS changes below. Make sure you can login to wherever you need to make those DNS changes before you start this process. Also make sure you don’t delete the domain for the email you use to log into your DNS records to avoid somehow losing access to all your domain names. I would set up a separate email and associate that with your account used to manage your DNS records. Then change it back after you migrate the account normally associated with those DNS records just to be safe.

Tip: Track everything associated with your email addresses!

If you ever need to transfer those emails to a new account or workspace, your future self will thank you.

Also, in general, I don’t associate many services with my Google Account for this reason. That way if something happens to my Google Account I can still get into those other applications. I was actually asked about this in a Wired article a while back:

OK once you’ve done all that, move the email and domain. You might want to leave the old accounts hanging around for a while until you confirm you don’t need them. Unfortunately this doubles your cost for a period of time.

Before you add your corporate domain to a Google service…

By the way, I have one other caveat. Before you add your corporate domain name to a Google service like Google Cloud or a Google Workspace, you might want to remove any Google services associated with that domain first, otherwise you might have problems accessing them. I’ve heard of people moving their domain to a Google account and then the marketing department can’t get into YouTube, or some team was working on a Google Cloud project that now they can’t access.

Oh, and the same applies to adding your domain to Azure…things previously associated with the domain may become inaccessible and then you have to sort it all out…fun times.

Register a new domain (if you don’t already have one you can use)

Once you’ve sorted out and removed any and all services from the email addresses you want to transfer, here’s the process I used.

  • Register a new domain name if you don’t have one you can use for this purpose. I wrote about that here:

If you are using Google Domains, now Squarespace, and it offers to create a Google Workspace for you, don’t do it. Create the Google Workspace separately or Squarespace will have admin access to your account.

Create a new Google Workspace

  • Create a new Google Workspace.

This article covers that topic. If it’s a new workspace, you can associate the domain you created with the workspace when you create it.

When you are done transferring everything, this page explains how to change the primary domain of your Google Workspace to one that you transferred over if you want to do that.

So let’s say you want to transfer everything out of a Google Workspace. You won’t have any emails left. Well, you might need to add some email you don’t want I guess for your last domain before you cancel the workspace. I haven’t gotten that far yet.

When you delete your workspace, I presume that last temp email will be deleted and the domain will be disassociated from that workspace. But I don’t know how long that process will take. If it’s anything like the last time I tried to disassociate a domain from a Workspace added by Google Domains, it will take a few days at least.

Activate a new domain in your workspace

Add the new domain to the workspace that you are using to transfer the emails over.

In my case, I was adding a secondary domain and it looked like this:

  • Account > Domains > Manage Domains
  • Click “Activate Domain”
  • Copy the txt record.

Add the TXT record to your domain’s DNS records.

  • Add it to your DNS records.
  • Return to your Google Workspace and click Activate.
  • Check back periodically for the process to say Verification successful.

Create temporary email addresses for the emails you want to transfer

  • Create an email account for each email account you want to transfer.

For example if I want to transfer [email protected] to a new Google Workspace, I might register and add the domain 2sltemp.com to that new workspace. Then I’d add [email protected] as a user in that new workspace.

Then I would follow all the steps below to transfer the mail in [email protected] to [email protected].

When I’m done I can rename [email protected] to [email protected].

Unfortunately all the steps in between are kind of tedious.

  • Add MFA to any new email accounts you create, preferably a YubiKey. Other brands may work as well but Google’s initial attempt to create a hardware key had Bluetooth flaws. I tend to stick to keys from Yubico until I hear a reason not to do so.

The old method for migrating email accounts — make sure your accounts are protected from inadvertent or malicious transfer

Here’s the old method for transferring email. I think the new process is much better and suggest you don’t use this, but I’m adding it here to avoid confusion.

  • Data migration > Click SET DATA MIGRATION UP
  • Set Source: Google Workspace
  • Click Select Users. That will take you to this screen.
  • You can add a user via their name and password.

As you can imagine if someone obtains admin access, they can simply reset user names, passwords, and MFA devices. With access to the user account they may also be able to create an app password.

I wrote about MFA here:

App passwords are created by the email owner when they log into their email account and generate one to use with less secure applications like Microsoft Outlook. Personally, I prefer not to use them and I don’t use Outlook. I log in on the web instead or use iOS apps that don’t require app passwords.

That process is a bit scary from a security perspective and I’m glad Google is changing it. Also, it didn’t work since I have MFA setup on my account and I don’t want to create an app password.

The new and improved migration process which requires authorization

Google is working on a new migration tool which is a bit better as it requires authorization in both workspaces.

  • Click the beta link at the top of the screen.

With this migration tool you have to request authorization to transfer the email.

  • Enter a super admin email address and click Request authorization.
  • Click Download a sample CSV:

I’m opening this file on the command line but you can open it in a spreadsheet also.

If you take a look at what’s in the file you’ll see that it has two values separated by a comma:

Those are column headers.

  • Enter the source and destination email accounts in that order.
  • Save the file.

Note that I think the Google instructions currently have a bug. The first email is the email you are migrating and the second email address is where you want the data to end up.

  • Upload the CSV file.

On my Mac I had to choose all files as it wasn’t recognizing my file as a CSV for some reason.

  • Choose your configuration migration settings:

You’ll get an authorization email like this at the super admin email you specified above.

  • Click the View authorization request.
  • Click View authorization request.
  • Click the button to authorize the request.
  • Return to the destination workspace. Refresh the migration screen.
  • Click Verify authorization.

Then a Disconnect button will appear.

The Start migration button will be enabled at the bottom once you complete all the steps.

  • Click Start migration.

The status of the migration will turn to In progress.

Wait for the results. In my case, it failed. Click Download migration report.

Click Download CSV to view the Execution logs.

I had a typo in one of my email addresses.

At this point I deleted the migration and started over.

Once I fixed the typo it worked.
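
A pre-upload check for the migration CSV, added here as an example; it is not part of the original post or of Google's tooling. It assumes you have a list of the users that exist in each workspace, and the domains, addresses and header text in the sample are constructed.

```python
import csv
import io
import re

# Deliberately simple syntax check; it only has to catch obvious typos.
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9-]+\.)+[a-z]{2,}$")


def validate_migration_csv(text, source_users, dest_users):
    """Return a list of (line_number, problem) for a source,destination CSV.

    source_users / dest_users are the addresses that actually exist in each
    workspace (assumption: taken from a user export of each one).
    """
    source_users = {u.lower() for u in source_users}
    dest_users = {u.lower() for u in dest_users}
    problems = []
    seen = {"source": {}, "destination": {}}
    rows = csv.reader(io.StringIO(text))
    next(rows, None)  # header row from Google's sample file, not checked here
    for row in rows:
        line_no = rows.line_num
        fields = [f.strip().lower() for f in row]
        if not any(fields):
            continue  # ignore blank lines
        if len(fields) != 2:
            problems.append((line_no, f"expected 2 columns, found {len(fields)}"))
            continue
        pair = dict(zip(("source", "destination"), fields))
        invalid = [f"{k} {v!r} is not a valid address"
                   for k, v in pair.items() if not EMAIL_RE.match(v)]
        if invalid:
            problems.extend((line_no, msg) for msg in invalid)
            continue
        src, dst = fields
        # The first column is the mailbox being migrated, the second is where
        # the data ends up. A reversed row would be migrating the wrong way.
        if src in dest_users and dst in source_users:
            problems.append((line_no, "source and destination look swapped"))
        else:
            if src not in source_users:
                problems.append(
                    (line_no, f"source {src} does not exist in the source workspace"))
            if dst not in dest_users:
                problems.append(
                    (line_no, f"destination {dst} does not exist in the destination workspace"))
        # Each mailbox should appear once per column.
        for column, addr in pair.items():
            first = seen[column].setdefault(addr, line_no)
            if first != line_no:
                problems.append((line_no, f"{column} {addr} already listed on line {first}"))
    return problems


# Constructed sample data: hypothetical domains, placeholder header text.
SOURCE_USERS = ["alice@old.example", "bob@old.example",
                "carol@old.example", "dave@old.example"]
DEST_USERS = ["alice@temp.example", "bob@temp.example",
              "carol@temp.example", "dave@temp.example"]
SAMPLE_CSV = (
    "source_header,destination_header\n"
    "alice@old.example,alice@temp.example\n"
    "bob@old.example,bbo@temp.example\n"      # typo in the destination
    "carol@temp.example,carol@old.example\n"  # columns reversed
    "dave@old.example\n"                      # destination missing
)

if __name__ == "__main__":
    for line_no, problem in validate_migration_csv(SAMPLE_CSV, SOURCE_USERS, DEST_USERS):
        print(f"line {line_no}: {problem}")
```

Running it against the file before each upload also gives you a record of exactly which mailboxes were authorized to move.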

Configuring forwarding of any new mail after the migration process

You might want to go into the old email account and set up forwarding to the new email account so you don’t miss any mail in the migration process.

In the mailbox you are about to migrate, click on the settings gear and then See all settings.

Under Forwarding and POP/IMAP click Add a forwarding address.

Enter the email to which you are forwarding the mail. Click Next.

Click proceed.

Remember to remove this after the migration process is complete.

Verify you can login and all the data got transferred

Login and make sure your new email address is set up correctly. Verify all the emails, calendar events, tasks, files in Google Drive, and anything else you require exist in the new account. I explain how to fix a few things that didn’t transfer below.

You can also verify that the amount of data matches. I can see the amount of email usage data in both accounts matches.

Here are some things that might not transfer:

  • Google voice numbers
  • Data in Google drive
  • Alternate emails

When I checked after this process all the data in my Google drive for the user I transferred was still in the Google Drive so we’ll have to fix that.

Move files in Google Drive to a shared folder

Here’s how it should work:

The problem was I was trying to copy from the user’s drive to the shared drive in the other organization and that didn’t work. Here’s the problem:

You can’t move folders or files external users own, even if the external user is a member of the destination shared drive.

So first I had to create a shared drive in the old organization, move the user’s files to the shared drive, and then transfer from the shared drive in workspace 1 to the shared drive in workspace 2.

In the Google admin site, go to:

Apps > Google Workspace > Settings for Drive and Docs > Sharing settings

Make sure people are allowed to create shared drives. You can be specific about which organizational units can do this. For example, create an organizational unit named driveadmin. Add users to that organizational unit who are allowed to create shared drives.

If you don’t see this you may need to ensure you have the correct plan that includes Shared Drives. When you enable sharing you can select from a number of different options.

Also enable this setting.

Once you do that you’ll see the Shared Drive item in the menu when you are in Google Drive.

Add a new drive for transferring files. I created a new shared drive named Transfer with a separate subfolder for each user I want to transfer to the new workspace.

I created the same folders in the new workspace with a slightly different name to avoid confusion.

Once the user permissions are set up for the source email user on the shared drive in the source account:

  • Select all the files in the user’s drive, right click, and choose Organize.
  • Choose All locations and select the shared directory and folder in the source workspace.
  • Then, to keep things simpler, I granted the admin in the source account manager access to my transfer shared directory in the destination account.
  • I used the admin in the source account to copy and move the files into the shared directory in the destination workspace.

At this point, everything related to my old user is in the new account.

Alternate emails

Another thing I noticed that did not get transferred over was alternate emails.

Click on Users.

Click on the user name link.

Click ADD ALTERNATE EMAILS.

Here you’ll find a list of alternate emails which you’ll want to manually transfer over to the new email in case any are in use. Since the domain doesn’t exist in the new account yet, you may need to make a copy of the alternate emails and save them to add in after the domain is transferred.

User photo

The user photo was not copied over. If you have a photo you want to save, right click, open it in a new tab, save it, and add it to the new account.

Migrate Organization Details

If you have a specific organization configuration in your source workspace you might want to recreate that in your new workspace and add the new user to any groups as appropriate.

Delete the old email account

Once you are certain all the data and any settings have been transferred, delete the old email account.

Here’s where you want to be absolutely sure you’ve transferred all your data including any data in any apps.

Click DELETE USER.

Repeat that step for any other users for that domain you need to transfer.

Once all the users you want to transfer are gone from the users list when you refresh the screen, proceed.

Delete the domain name

Do not delete your domain name registration. We are only going to remove it from the source workspace.

Also, do not do this if you need to log into an email in this domain to get to your DNS records! Make sure you can log into the account where you update your DNS records with some other email that does not use this domain name before you start this process.

  • Account > Domains > Manage Domains

In my case I am initially removing a non-primary domain.

When you click remove you’ll get this warning:

  • It may take up to thirty minutes for this change to take effect.
  • If you have any Google sites they will be deleted.
  • Email will bounce until you get the domain set up in the other account and the MX records configured.

In my case, the domain where I need to set up the MX records is in AWS. You have to know where you registered the domain or where your domain name server records exist to fix the MX record after you take this step. You might want to make sure you know where that is, login, and get ready to make the changes before you delete the domain to minimize downtime.

  • Log in to the account where you manage your domain’s DNS records.
  • Be prepared to enter the domain validation record and MX records.
  • Click REMOVE DOMAIN on the screen above.

Since this process may take some time and cause a disruption you might choose to do it during off hours.

Add the domain in the new account

Add the domain you removed to the new workspace. Follow the same steps as above to add the domain to the destination account.

  • Account > Domains > Manage Domains
  • Click Add a domain
  • Click Add domain and start verification.

Google figured out that I am using AWS. Follow the steps to add a TXT record to your DNS records in AWS as instructed.

On step 2 you’ll get the value for the TXT record to verify you own the domain.

In my case I had to edit the existing TXT record to add the new value from the new account.

Add MX Records

  • Account > Domains > Manage Domains
  • Click Validate MX records.
  • Verify that the MX records are the same, otherwise update them.
  • Monitor these records until it says Active.

Rename the email to use the new domain

  • Users > Click on the destination email address
  • Click Rename user.
  • Enter the source email address.
  • Save.

Update alternate emails

  • If you have any alternate emails, add them to the new email account.
  • You can delete the temporary email which was changed to an alias when you renamed the email.

Grant the new email account access to Shared Folders

  • If you moved files to Shared Folders, grant the user access to the folder specifically created for their username.
  • Grant them access to whatever other folders they need to access.

Enable any required services

  • If the user needs access to any Google Workspace apps or licenses, enable that.
  • Disable anything they don’t need.

I generally do this at the organization level and enable only what is required for the user by adding them to a group with that permission. More on that later.

Change the email address back in any services you modified

  • Change the email address in any services you modified back to the proper email address.

Verify all your Email DNS records are correct

In order for your email to flow properly and remain secure, double check that all these records are correct. You may need to repeat some of these processes. I’m working through that for the domain I transferred.

  • MX records
  • DNSSEC records
  • SPF
  • DKIM
  • DMARC
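
A check of the MX, SPF, DKIM and DMARC records above, added here as an example rather than code from the original post (DNSSEC is not covered). It takes answers in the form `dig +short` prints them and assumes the `google` DKIM selector and that the destination workspace issues its own DKIM key for the domain; `example.com` and every record value in the sample are constructed.

```python
GOOGLE_MX_SUFFIXES = (".google.com.", ".googlemail.com.")


def _txt(records, name):
    """TXT strings at `name`, with dig's quoting and 255-byte chunking undone."""
    return [v.replace('" "', "").strip('"') for v in records.get((name, "TXT"), [])]


def _tags(value):
    """Parse the 'k=v; k=v' tag lists used by DKIM and DMARC records."""
    pairs = (part.strip().split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def check_email_dns(domain, records, expected_dkim_key, selector="google"):
    """Return a list of findings; an empty list means every check passed.

    records: {(name, rtype): [values]} as printed by `dig +short`.
    expected_dkim_key: the p= value generated in the destination workspace.
    """
    findings = []

    mx_hosts = [v.split()[-1].lower().rstrip(".") + "."
                for v in records.get((domain, "MX"), [])]
    if not mx_hosts:
        findings.append("MX: none published, inbound mail will bounce")
    for host in mx_hosts:
        if not host.endswith(GOOGLE_MX_SUFFIXES):
            findings.append(f"MX: {host} is not a Google mail host")

    # A domain must publish exactly one SPF record; two make SPF evaluation fail.
    spf = [t for t in _txt(records, domain) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    elif "include:_spf.google.com" not in spf[0].lower().split():
        findings.append("SPF: record does not include _spf.google.com")

    # A key left over from the source workspace will not match new signatures.
    dkim = [t for t in _txt(records, f"{selector}._domainkey.{domain}") if "p=" in t]
    if not dkim:
        findings.append(f"DKIM: no key published for selector {selector}")
    elif _tags(dkim[0]).get("p") != expected_dkim_key:
        findings.append("DKIM: published key differs from the destination workspace key")

    dmarc = [t for t in _txt(records, f"_dmarc.{domain}")
             if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    elif _tags(dmarc[0]).get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC: policy is not quarantine or reject")

    return findings


# Constructed sample data (hypothetical domain, placeholder keys and token).
DOMAIN = "example.com"
NEW_KEY = "CONSTRUCTEDNEWKEY0123"

# Right after the move: the old DKIM key is still published, a second SPF
# record was added instead of editing the existing one, and DMARC is missing.
STALE = {
    (DOMAIN, "MX"): ["1 smtp.google.com."],
    (DOMAIN, "TXT"): ['"v=spf1 include:_spf.google.com ~all"',
                      '"v=spf1 include:mail.example.net ~all"',
                      '"google-site-verification=CONSTRUCTED-TOKEN"'],
    (f"google._domainkey.{DOMAIN}", "TXT"): ['"v=DKIM1; k=rsa; p=CONSTRUCTEDOLDKEY9876"'],
}

# After cleanup; the DKIM answer is split in two chunks the way dig prints long keys.
FIXED = {
    (DOMAIN, "MX"): ["1 smtp.google.com."],
    (DOMAIN, "TXT"): ['"v=spf1 include:_spf.google.com ~all"',
                      '"google-site-verification=CONSTRUCTED-TOKEN"'],
    (f"google._domainkey.{DOMAIN}", "TXT"): ['"v=DKIM1; k=rsa; p=CONSTRUCTED" "NEWKEY0123"'],
    (f"_dmarc.{DOMAIN}", "TXT"): ['"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"'],
}

if __name__ == "__main__":
    for label, zone in (("stale", STALE), ("fixed", FIXED)):
        print(label, check_email_dns(DOMAIN, zone, NEW_KEY) or "all checks passed")
```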

Specifically these posts which may vary if you’re not using AWS:

That’s all a bit cumbersome. I hope Google is working on a way to make that easier. 😊 But it seems to work.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024
