Google Workspace to Google Workspace Migration and Drive data

[Sean Waite]

Hi all,

I am running a migration from one Google Workspace tenant (call it tenant1.com) to another Google Workspace tenant (call it tenant2.com).

We have about 160k users in tenant1.com and we are transferring around 100 users to tenant2.com using Google Workspace Migrate (GWM).

All is going well except how to deal with the users' My Drive data. We want the data migrated, which is fine as GWM will do that and it will maintain permissions [whitelisting enabled between tenants]. However, we want to restrict access to the My Drive data in tenant1.com after it is migrated to tenant2.com - note, the migration is really a copy so the data is not actually removed from the source. If the user has shared a doc / sheet / slide from their My Drive and they are migrated, we do not want other users to continue accessing the source doc / sheet / slide - they should access it in the migrated users' new My Drive location.

Is it simply a case of disabling the users' 'Drive and Docs' service in the source tenant? We want to keep their mailbox active for 30days or so hence why we do not immediately deleted the account after migration. How would the users who have been granted permissions know that the doc / sheet / slide has been migrated?

Is there something in GAM I could leverage to flag the source My Drive as inactive and then use GAM to re-share all files after migration?

Hope this makes sense - it's late in the evening for me and I've been battling Google Workspace, GWM and multi-tenant GAM Advanced all day!

Props to Ross for the excellent tool that is GAMADV-XTD3 - superb.

Regards,

Sean

[Brian Kim]

You will probably want to revoke any shares that was made from tenant1.com for the migrating users.

https://github.com/taers232c/GAM-Scripts3/blob/master/GetSharedExternallyDriveACLs.py

[Sean Waite]

Thanks Brian - it looks like that should work to revoke access in the source tenant - I've not installed or used Python before but I will give it a shot.

[Sean Waite]

I ended up using the GetSharedFilePermissions.py script to successfully find and remove ACLs from the migrated users' My Drive.

Python installed from: https://www.python.org/downloads/windows/

Script: https://github.com/taers232c/GAM-Scripts3/blob/master/GetSharedFilePermissions.py

Thanks Brian.

Here's my next wrinkle:

While the permissions are migrated successfully by the migration tool, there doesn't seem to be any notification sent to the remaining (unmigrated) user's that the shared file location has changed. Is there a way (using GAM or any other method) of re-sending the 'Document shared with you' notification to users that points them to the migrated file instead? Otherwise they just try and access the original file which gives them 'Access Denied' as the ACL has been removed.

Regards,

Sean

[Brian Kim]

While it may not be feasible to send the share emails, but you should be able to use the same script (or this https://github.com/taers232c/GAM-Scripts3/blob/master/GetSharedWithUserDriveACLs.py) for tenant2.com and find files shared with users on tenant1.com You can then sort/filter by usernames and let them know "these are the files that were owned by migrated users. if you are looking for them, here are the new links to the files.

[Chris River]

Alternatively, GWM provides an option to send email notifications for migrated Drive files (permissions are only sent to external users). I haven't used this option myself, but it should work. An additional wrinkle to be aware of though is that these likely won't be sent if you run a delta migration pass; you'll likely have to run a full migration pass to fully reprocess all files, which will be problematic if your migrated users have already begun using their new accounts.

[Sean Waite]

Thanks Chris - I had already checked that option, BUT, the way we run our migrations is to pre-migrate email first (using a pre-migration template) and then update the Bridge to a full migration template which includes migrating the Drive files. This does technically mean the Drive file migration is run using a delta migration so as you say may not work as expected. To test I have setup a new Bridge that 'only' migrates Drive content (with the original permissions reset) to see if this does indeed email the 'external' users with a notification on the first run.

If it does not, I'll submit a ticket to Google and see what they come back with, as the help file does seem to suggest that this option will do what I am looking for - i.e. send a notification to external users that the permissions have been migrated to a new file.

Thanks again, and I'll keep this thread updated.

Sean

[Sean Waite]

UPDATE: New Bridge did the same so I submitted a ticket to Google and they are currently investigating......