The C2C Connect: UK and I group, led this week by @fintan.murphy and
60 Minutes Summed Up in 60 Seconds
Presenter Michele Chiappalone talked to our members about the Google Workspace Domain Transfer service. He covered what the tool is, what the transfer process looks like, and how to engage with him and his team. There was a record number of questions from the audience - and the notes below capture the key points from both presentation and answers to those questions:
-
Traditional migration pain points - disruption, complexity, time, expense
-
The Domain Transfer tool enables you to merge two environments with no business interruption
-
It is only available to “Select” or “Enterprise” customer segments, through a PSO engagement
-
Benefits: data never leaves, entities are left intact, content sharing is retained, low operational complexity, it usually completes in <24 hrs, with no downtime
-
IAM is not impacted - the user is the same - just transferred to a new tenant
-
Customers love it! 150 transfers, since august 2017; up to 65k users, 450M files
-
There are some limitations: licenses are not transferred, it’s all-or-nothing, there’s no identity merge / deduplication, there’s no going back!
-
Source and destination admin access is revoked during the process; only the destination admin is automatically restored
-
The public Help Center article has the latest on what is / is not supported: https://support.google.com/a/topic/10308467
-
Policies and settings are not copied over
-
GCP Projects will continue to exist, but they stay in the source, moving these is a separate effort (to be done either before or after - and not during the domain transfer)
-
Additional Google Services (adwords, youtube, etc) - are NOT supported (officially); experience suggests that ownership / access remains, as the Google account remains the same. To date, the team has not seen reports of issues with these services / access
-
Services offered by Google’s Professional Services Organization (PSO) - with experts in Workspace and Domain Transfer - at a cost of 1 advisory unit; with a max of 12 transfers in a single PSO engagement (1 transfer = 1 source to 1 destination environment). It is not based on the numbers of users or domains within a given tenant.
-
There are some eligibility checks - blockers include e.g. accounts undergoing service wipeout, those with legacy data locations, google voice, google advanced MDM in source, or client side encryption.
-
Partners can access these resources (published in Partner Advantage):
-
There is now no lower limit to the number of users (there used to be, but this has been superseded by the customer classification)
-
Chromebook devices need to be reprovisioned in the destination environment
-
Plans to update the service to allow for partial carve-out (divestiture, etc) are being discussed! Stay tuned! Let your partner know of any desired use cases in this regard
-
These, and any other changes to the service should be announced on the Workspace Roadmap, for those who have access - and in Partner Advantage updates. The team will advertise updates - but also be sure to let them know if there are particular unmet needs.
-
The migration of an external IDP (e.g. Okta) is out of scope. The settings for this need to be adapted (post transfer) - this is also true for SAML apps, and any auto-provisioning will need to be stopped and re-attached / reconfigured. This approach of stop and re-attach / reconfigure is also necessary for GCDS (and GCDS should recognise that it’s the same user).
-
Only a few of the organization policies and settings from the admin console can currently be exported via API - and Michele isn’t aware of any changes that are coming there, but it may be worth checking the Workspace Roadmap. Typically this isn’t a blocker, because most customers want to apply destination policies (not preserve those from the source).
-
Groups are moved, Groups settings should also transfer - but Michele will follow up on this.
-
EDU is not supported (eg.for teaching / learning upgrades) - and no current plans / ETA (but maybe in the future)
-
Stay tuned for future plans about GWS partner access to the tool
-
File sharing permissions with external domains are preserved through the migration
-
Customers typically apply Chromebox for Meetings licenses to the destination (and set up those CfM devices again) manually, ahead of transfer
-
The transfer plan is a deliverable of the engagement.
-
Drive additional storage license purchased / attached to end-users - Michele will check if / how these might transfer, but it’s not a hard blocker (it can be overcome)
-
The service has evolved over the past 3 years - but there are still some things that might not be covered (eg. rules) - so if there are concerns about a particular feature, it’s best to check help center article: https://support.google.com/a/topic/10308467
-
The OU structure will continue to exist in the source. It is not intended to be used, but it can still act as a reference, if needed when setting up destination policies and settings.
-
As part of the migration, you can opt to recreate the OU structure manually in advance, or let the service recreate it automatically during migration. Doing it manually may help in checking settings ahead of the move.
-
Data studio files - as they live in Drive, so it should work - but will follow up
-
There are no data limitations (beyond who it is available to)
-
Admin / audit logs will not be moved - but a separate system could be put in place (e.g. via a SIEM) if you need to preserve the logs.
-
Chromebooks need to be re-enrolled. Android needs to be downgraded to basic MDM, then re-set up (including private apps, etc).
-
Apps Script is a corner case: the file itself is moved, but the default GCP project continues to live in the source. Recommend making a copy, and recreating the whole thing in the destination; triggers, events, permissions (OAuth) may need to be regranted after the transfer.
-
Small customers still have options for copy-based migrations - we’ll provide a link for this
-
Chrome Browser Cloud Management (CBCM) - needs to be reconfigured in the destination.
There were so many questions, we didn’t get to all of them! We’ll post them, and the answers as we get them, in the comments below.