Phased migration (one mailbox at a time) from Google Workspace to Microsoft 365 via Utixo Libraesva ESG using both systems simultaneously

Sometimes system administrators are faced with a problem such as migrating mailboxes from Google Workspace to Microsoft 365, a not at all trivial task that requires very careful preparation.
Obviously, the planning process varies greatly depending on the size and structure of the organization that needs to migrate to the new Internet service provider; the larger the company, the more time and resources it takes to complete the transition.

The migration process consists of many essential points each of which should be carefully studied and analyzed before starting the data move, however, the most recurring question always remains the same: how to migrate all mail accounts without interrupting service to the entire company?

The innovation of this migration method is the ability to migrate from one mail system to another while keeping both systems active and continuing to receive/send mail without losing any email.

In this specific case, we are going precisely to find out how you can make the switch of mailboxes from Gmail to M365 without having to reconfigure all the clients immediately, but by migrating mailboxes in small groups or even doing the switch on a user-by-user basis, Always preserving the correct flow of mail Taking advantage of the Libraesva Utixo email security service.

In fact, our email security suite as a service allows the SMTP flow to be routed not only by domain but by individual emails by allowing some emails to be forwarded to one service (G Workspace) and others to another service(M365).

Clearly this also applies to other types of mail servers so it is a useful tool for mail migrations in general.

Before we begin, let us give a brief overview of the tools we need to conduct this migration:

1. Google Workspace administrator account capable of changing the configuration of the Gmail service, or a Super Administrator account
2. Microsoft 365 administrator account capable in changing the configuration of the Exchange Online service, or a Global Administrator account.
3. Libraesva as a service Utixo or a configured and ready-to-use installation of Libraesva Email Security Gateway (LESG) that plays an important role in sorting mail traffic during migration.
4. Access to the DNS zone of the domain that is to be migrated.

Step 1. Configure Libraesva ESG as primary MX record

First we need to reassure ourselves that current mail traffic goes through Libraesva ESG (if ESG filtering is already active on your domain go to Step 2)

To do this, we need to configure a new relay domain on ESG in the
System
->
Mail Transport
->
Relay Configuration
->
Domain Relay
by clicking the
New
.

In the window that opens you need to fill in the following fields:

Domain
: your main domain on which the Gmail service is currently configured

Mail Server
: the hostname of the mail server to which ESG is to deliver messages (in our case, it is the address of the Google Workspace mail server)

Port
: 25

Use MX
: no

All other fields can remain unchanged, since we are not interested in them in this guide.

Step 2. Inbound Gateway Configuration on Google Workspace

Once we have set up our domain on ESG we need to set up an Inbound Gateway on Google Workspace so that all outbound traffic from ESG is accepted by the Gmail service.

• Access the Google Workspace administration interface https://admin.google.com/
• Go to the Application section -> Google Workspace -> Gmail -> Spam, phishing and malware
• Enable the Inbound Gateway by entering the IP addresses of the ESG host.
• Check the box “Reject all mail that does not come from IP gateway” which forces Google to send the internal mail stream to ESG.

Immediately after configuring the Inbound Gateway on Gmail we need to replace the current MX record (the Google one) by going to put the ESG hostname to have the mail stream be routed from Libraesva.

Step 3. Configuring Inbound Connector for Exchange Online

In this step we are going to create an Exchange Online receive connector in order to receive mail messages from ESG.

1. Access the Exchange Online management interface:
2. In the sidebar, select Mail Flow -> Connectors.
3. In the Connectors section click on Add a connector
4. Connection from Partner Organization -> Office 365
5. Click the Next button
6. Assign it a name and click Next
7. Select “Verifying that the IP address of the sender’s server matches…” and enter one or more IP addresses of your ESG installation and then click Next
8. Check the box “Reject e-mail messages if they are not sent with TLS” and click Next
9. Double-check the configuration and click Create Connector

Once we have configured the Receive Connector we need to change the type of our Accepted Domain from Authoritative to Internal Forwarding to have the Microsoft Exchange server send internal mail to our MX for recipients not within Microsoft 365.

In this guide we assume that the network administrator has already configured the primary domain within tenant 365 if you have not already done so follow Microsoft’s official guide: https://docs.microsoft.com/en-us/microsoft-365/admin/setup/add-domain

1. Access the Exchange Online management interface: https://admin.exchange.microsoft.com
2. In the sidebar, select Mail Flow -> Accepted Domains.
3. Select your primary domain and set it as Internal Forwarding and Save Change

Step 4. The migration of mailboxes

Having completed all the essential configurations of the three environments involved in the phased migration, we can finally proceed with the mailbox transition.

• Identify mail accounts to be transferred: there is no generic rule by which mailboxes to be transferred should be selected; each IT manager makes his or her own choices based on the business context and his or her needs.
• Create mailboxes on Microsoft 365: The mail accounts you want to transfer should be created in Exchange Online; then, users should be created in the M365 tenant with the corresponding licenses. (If you need to purchase Microsoft 365 licenses see Utixo’s price list: https://utixo.net/it/microsoft-365/)
• Reconfigure mail routing to ESG: When the Microsoft 365 account is ready to use, we can begin to move the relevant mail flow to Exchange Online, and we can do this through the ESG control panel:
  1. Enter the ESG administration panel
  2. Navigate to the System section -> Mail Transport -> Relay Configuration -> Domain Relay
  3. Create an appropriate relay rule for the user you want to migrate by entering their primary e-mail address in the Domain field
  4. Enter the hostname of your Exchange Online mail server in the Mail Server field.
• Verify that SMTP routing is working properly: perform a test of sending/receiving mail messages from both external and internal domains.
• Carry out data shifting.: If one wanted to keep all messages currently in Google Workspace accounts, one could use automatic synchronization tools to move messages to new mailboxes on Microsoft 365 (e.g., IMAP Sync).

Conclusion

In this article, we looked at how Google Workspace mailboxes can be migrated to Microsoft 365 via the Utixo Libraesva ESG service using the phased migration method, that is, moving one box at a time without disrupting SMTP communication within the organization. This type of migration can also be extended to migration scenarios that require very granular mail flow control and allows you to manage SMTP routing rules at the individual mail account level.

Utixo specializes in migrating and managing mail systems for small and large enterprises using migration automation products.