Admin Guide: Mail Migration – from Google Vault mail archives


  1. Google Vault archive mail migration with Cloudiway
    1. How does it work?
  2. Security
  3. Performance
  4. Mail migration scope
    1. What can be migrated?
    2. Migration limitations
    3. Considerations
    4. Audience
  5. Pre-migration configuration
    1. Before you start
    2. G Suite — Create and set up a migration account
    3. G Suite — Set up permissions for Cloudiway service account
    4. Office 365
    5. Exchange On-Premises — set up an account via PowerShell
  6. Use the Cloudiway platform to migrate your mail
    1. Create your Google Vault source connector
    2. Office 365 — Create your target connector
    3. Other target connector configurations
    4. Check the global settings before migration
    5. Import or create your users
      1. Option 1: CSV import
      2. Option 2: Import Users tool
      3. Option 3: Single user creation details
    6. Activate and monitor your migration
  7. Troubleshooting

1. Google Vault archive mail migration with Cloudiway

Cloudiway’s mail archive migration solution helps businesses perform migrations through a simple SaaS interface. As a result, vault migrations require no additional software installation or overhead, and migrations can be performed securely and quickly.

The Cloudiway platform is flexible enough to support all types of migration paths. However, this mini-guide focusses on migrating Google Vault archives. For more information about migration types (cutover vs. staged), please visit our mail migration whitepaper.

1.1. How does it work?

Vault archives are an exact copy of the online mailbox + the permanently deleted items. During the Vault migration, all you need to do is migrate the permanently deleted items because the other items are duplicates of mails stored in the online mailbox.

Google Vault can be migrated to the following targets:

  • an Office 365 inbox (either a separate inbox for archiving or a user’s inbox);
  • within the In-Place Archive of an Office 365 inbox;
  • a mix of both an In-Place Archive and any Office 365 inbox;
  • an Exchange On-Premises inbox;
  • a Gmail inbox; or,

The most common scenario is to migrate Google Vault contents to an Office 365 In-Place Archive. This guide explains how to migrate to an In-Place Archive, a mix of inbox and In-Place Archive, and a standard inbox. The new Vault migration engine is using the Office 365 PST Import Service.

The platform exports the archives from Vault in PST format and upload them directly into the Azure Blob Storage using the Office 365 PST Import service.

Once imported, you will run the Office 365 PST import service manually.

2. Security

For more information about security, please refer to this article.

3. Performance

For more information about migration performance, please refer to this article.

4. Mail migration scope

4.1. What can be migrated?

The Cloudiway Vault migration tool migrates permanently deleted emails stored in the user’s Vault. Attached files in these emails are also migrated. No other emails, files, or other vault items are migrated.

4.2. Migration limitations

Google Vaults has the capacity to store Google Hangout chats if the history setting has been activated as well as any Google Talk chats that are on the record. The Cloudiway platform currently does not migrate Google Hangout chats or Google Talk chats.

Google Vaults can retain Google Groups messages only if the Groups owner has archiving activated. The Cloudiway platform currently does not migrate Google Groups messages as part of Vault migration. However, it can handle Google Groups migrations to Office 365 (unified groups or shared mailboxes) as a separate migration project.

During migration, Outlook profiles are not created. This is the responsibility of the system administrators performing the migration.

4.3. Considerations

Migration takes place between existing mailboxes, whether they’re dedicated archive mailboxes or standard mailboxes. This means that mailboxes must exist in the target at the time of migration. Before starting a migration, please ensure that all mailboxes to be migrated have had their target mailbox created in the target domain (steps are included in this guide).

Please note: During the migration of the mailbox, you will migrate all the mails. The Vault migration will extract only the permanently deleted items.

4.4. Audience

This guide is aimed at experienced system administrators who are capable of connecting to remote systems and using a variety of administration tools.

Although we provide support for our own products, we do not provide support for third-party products such as PowerShell or server administration of Google or Office 365.

If you are concerned you might have any difficulty completing these steps, please consider a solution with our consulting team, contactable via This will ensure a fast, cost-effective and stress-free implementation.

5. Pre-migration configuration

5.1. Before you start

Before you start, you will need to ensure you have the details outlined in the following table. In each case, we recommend you create an account especially for migration (we provide steps for each system), which you can delete upon completion of migration. This ensures full security and simplicity.

Name Description Location
Cloudiway login Stores details and provides communication between the systems you already use.
Knowledge base access Our extensive knowledge base is always accessible, with videos, troubleshooting tools, samples & more.
Google Vault Admin console This is where administrators manage Google services for people in an organization.
Target: Exchange On-Premises

Exchange account and secure port

Used for impersonation to access mailboxes. This doesn’t have to be the main admin account. However, it must be an administrator account if  you wish to migrate the permissions. The account must be able to bypass SSO and authenticate using username/password credentials (with a password set to never expire). This is not required if self-migration is used. The Cloudiway platform needs to connect to Exchange securely. Use SSL port 443. If you can’t access an account with impersonation privileges, you can use the self-migration option.
Target: WorkMail

WorkMail migration account

Used for impersonation to access mailboxes. It can be any user. Your AWS console


5.2. G Suite — Create and set up a migration account

You need the username and password of a Vault Administrator.

5.3. G Suite — Set permissions for the service account

    1. Go to and log in with your Super Admin console credentials
    2. Click on Security, then Advanced settings (you might need to click on Show more to see this)
    3. Click on API Permissions
    4. Click MANAGE DOMAIN WIDE DELEGATION, then Add NewGoogle Admin API
    5. In the Client ID: paste 114818336788408865729
    6. Add the following scope into the OAuth Scopes (comma-delimited) field:,

7. Click on the Authorize button

NOTE: 1. Each scope must be separated by a comma.
2. Some scopes require slashes (/) at the end and others don’t: please use the above strings.
3. If you add another scope later, existing scopes will be removed: you need to add the whole list at the same time.

5.4. Office 365

The latest version of the Google Vault migration engine uses Office 365 PST Import Service.

There is no prerequisites.

5.5. Exchange On-Premises — set up an account via PowerShell

If you’re migrating from Exchange On-Premises, you can create a migration account with admin and impersonation permissions using your existing Exchange server interface or using the command line instructions shown in the steps below.

  1. Launch Exchange Management Shell to connect to your Exchange server with an Exchange Admin account
  2. Copy the commands below:
New-ManagementRoleAssignment –Name "Impersonation for migration " –Role "ApplicationImpersonation" –User ""

Then paste the command into the command prompt, ensuring you have updated “” with your own mail migration account

6. Use the Cloudiway platform to migrate your mail

For the Cloudiway platform to migrate archives, it must connect (bind) to a source Vault mailbox with a specific Google Vault connector. Archives can be entirely migrated to the In-Place Archives folder within an Office 365/Exchange 2010 or later inbox or directly to an inbox or a mixture of both. Cloudiway requires a special archive license (quota) to ensure archive emails are migrated from an archive mailbox. (You can buy archive packages the same way you buy a standard user license for Cloudiway, or you can contact us at to request archive packages.)

The most straightforward way to migrate archives is to create a new source and target connector to use especially for archive migrations. This allows you to begin an archive migration even if you’re performing standard mail migrations on the Cloudiway platform at the same time. In effect, this treats a Google Vault migration as separate migration on the Cloudiway platform.

The following steps are required to migrate a Google Vault:

  1. Create a Google Vault source connector
  2. Create a target connector (perhaps with ‘archive’ in the name), with the archive option, switched on and at zero for In-Place Archive migration, or switched of for migration directly to an inbox
  3. Create an archive user and link the user to the Google Vault source connector and the archive target connector


6.1. Create your Google Vault source connector

To facilitate mail archive migration, the Cloudiway platform needs to be able to communicate with both your source and target domains. To do this, Cloudiway uses connectors, which are configured on You will need to set up a connector for each Google Vault source and each target system. Follow the steps below to configure a Google Vault source connector.

    1. From your browser, go to and log in
    2. Click on Mail Migration on the left, then Sources
    3. Click on the + New option at the bottom of the screen
    4. Click on Google Vault and type a meaningful name in Connector name
    5. Click on the Create button
    6. Set the administrator and password. Also fill the security questions: Google will detect that the migration account will login from an unusual location and will request to answer one or two security questions. Cloudiway would then have to logon to Google from the server in order to “whitelist” the IP address of the server. This would be necessary only one time, then the server would remain whitelisted during all the project.
    7. Click on the Save button at the bottom of the screen

Your source connector has now been created. Next up is the target connector.

6.2. Office 365 — Create your target connector

If you are migrating to Office 365, you need to create a target connector of type Office 365 PST Import.

  1. From your browser, go to and login
  2. Click on Mail Migration on the left, then Targets
  3. Click on the + New option at the bottom of the screen
  4. Click on PST Import and type a meaningful name in Connector name

The migration is a 3 Step Process.

The Cloudiway platform is automating the upload of the PST files to Office 365..

For the complete Microsoft documentation, follow:

Step 1:

Go to
On the left side menu, click on Information Governance.

Information Governance

On the Information Governance page, click on Import, then click on New Import Job:

Information Governance New Import Job

Give your job a name and click next.

Job name

Then select Upload your Data and click next:

Upload data

Click on Show Azure SAS URL, copy its value.

SAS URL copy value

Paste it in your target PST Import connector in the Cloudiway platform.

You can leave the Import data page open (in case you need to copy the SAS URL again) or click Cancel to close it.

Step 2.

Upload the PST files to the blob storage using Cloudiway platform:

From the archive user list, select the users and click Start

When the migration is completed, proceed to step 3.

Step 3.

Once your Cloudiway migration jobs are done on the Cloudiway platform, which means that your Google Vault PST Imports were uploaded successfully into the Azure Blob Storage, come back to this page:

Mapping File

Check on I’m done uploading my files and I have access to the mapping file

Click Next

The next step is to upload the mapping file.

Generate the following csv file:


In the following line, the format is

Exchange,,Export_<source email address>-1.pst,<target email address>,FALSE,

For example, if the source email address is, the platform will export the archive and upload it with the following name:

Once you have your mapping table, upload it and validate it on this page:

Select mapping file

This step above can only be done after finishing the migration jobs on the Cloudiway platform.

Click on Next and then Submit.

Import job mapping file succeeded

Once you reach this step, you will have to wait for Office365 to finish the job. Once done, the status will show “Import Completed”.

Mapping File Import Completed

Check the job and then click on Import to Office 365

Mapping File Import to Office 365

Click on “No, I want to import everything.” And then click Next

Import Everything

Once you submit the job, you will have to wait for it to complete.
Once completed, your items will appear in your Archive Mailbox.


6.3. Other target connector configurations

It’s possible to migrate Google Vault archives to any other target, even if archiving isn’t supported. The Vault items will simply be placed directly into the target inbox, without being placed in a specific archive folder.

Follow the steps in the previous section to create the basics of your target connector, then check below for specific details.

  • For Exchange On-Premises, the connector requires a few extra details:

If autodiscovery is active, the Server Name field doesn’t need to be filled. Make sure you select the right server version from the dropdown list.

The admin login is in UPN format.

  • For G Suite, the connector requires a few different details:

This Cloudiway connector will use the Cloudiway migration service account. Read more 5.6 G Suite —set up permissions for the Cloudiway service account

6.4. Check the global settings before migration

If you’ve already set up any other mail migrations on the Cloudiway platform, you have probably already configured the global settings according to your needs, and you can probably leave alone.

As these settings are global, changing them for a Vault migration will change them for all other migrations running concurrently. In addition, Vault data is less varied than an inbox, with no calendars, contracts or trash to migrate. Therefore, only a few global settings can apply to a Vault migration, so it’s unlikely that you’ll need to do any further configuration to the global settings.

However, if required, you can use the date and timestamp settings (in UTC) to choose particular dates of emails that should be migrated. For example, if you wish to migrate only the past three years of a Vault which has been active for five years, you can specify the date range here. Make sure that you check these settings before performing any other migrations later on, and that you don’t run any other migrations requiring different dates during Vault migration.

The Convert Email Address option can be used during Vault migration and is active by default. It rewrites email addresses found in the header and replaces source email addresses with their corresponding target email addresses.

The Convert X500 Address is not used for Gsuite or Vault Migration (it’s used only when the source is Exchange or Office 365).

For example, sends an email to A week later, after migration, replies to Bob. The Cloudiway platform has already updated the SMTP header in Bob’s original email in her inbox, so her reply will be sent to How does it do this?

  1. For migrations where both the domain name and alias change ( becomes, the Cloudiway platform already uses a mapping table to link each user.
  2. For migrations where only the domain name changes, the Cloudiway platform still uses the user list as a mapping table and if it doesn’t find a matching username in the list, it uses the domain name defined in the target connector to convert source email addresses. In other words, the user list mapping table is also used by the Convert Email Addresses option in this situation. Therefore, it’s important that all users exist in the mapping table before migration begins (this guide contains instructions).
  3. From the same Mail Migration area of, click on Global Settings
  4. Click on the Edit button at the bottom of the screen. The grey buttons will turn blue, indicating you can now edit these to your preferred global migration plan.
  5. Update any settings you wish to alter, remembering that time and dates are set to the UTC time zone, and that changes affect all mail migrations.
  6. Click on the Save button at the bottom of the screen to update your global settings.

6.5. Import or create your users

There are a number of ways to add users that you wish to migrate. These include:

  • CSV file upload;
  • Cloudiway’s Import Users tool; and,
  • creation of single users.

6.5.1 Option 1: CSV import

You can upload a user CSV file to Cloudiway. It must have the following fields in the header row:


Many browsers limit CSV file uploads to 5000 lines. Larger files can be split and uploaded separately. Data already uploaded will not be overwritten, so you can upload as many files as needed.

The BatchName field can be left blank. If required, you can use this field to name different batches so they can be run in a certain order. A sample CSV file is available for download during the steps below.

  1. Ensure you’re still in the Mail Migration area of and go to Archive
  2. Click on User in the bottom left corner and select Upload CSV
  3. If required, click on Download sample CSV and add your users to the CSV file using the sample headers (FirstName;LastName;SourceEmail;TargetEmail;BatchName)
  4. When you have a complete CSV file with the correct headers, click on the Upload button.
  5. Locate your CSV file within your own file system, and double-click on it to select it.
  6. Select the appropriate connectors in the Source and Target fields
  7. Click on the Upload button: if the format is not correct, you will see an error message:
  8. If you see any error messages, check your CSV file to ensure it has five columns with a separator between each and try uploading again
    Once the CSV file format is correct, you will see a confirmation message:
  9. Check your email or refresh the screen to see when the user list has been updated.
    When you have received confirmation that the upload has been completed, you can refresh the Cloudiway platform to display your imported users

6.5.2. Option 2: Import Users tool

Cloudiway’s Import Users tool helps you to retrieve users from your source. The functionality works via Identity Access Management. The tool requires you to specify any transformation rules you wish to apply. It will then add new users in the Mail Migration User List view within the Cloudiway platform. This is an advanced tool that is best used in partnership with Cloudiway consultants. If you are interested in using this option, please get in touch with your Cloudiway contact.

6.5.3. Option 3: Single user creation details

Many of our customers create a single user for testing. This lets you watch the migration process without affecting all users. Single users can also be created for migrations affecting just a few users.

  1. Click on Archive from the Mail Migration menu
  2. Click on User in the bottom left corner and select Create Single to display the pop-up screen:
  3. Fill in all details for a new user
  4. Click on the Create button to add the new user to the Archive Migration / User List screen:
  5. Repeat steps 1 to 4 for any more users you’d like to create.

6.6. Activate and monitor your migration

Now that you have performed all the pre-migration steps within your remote systems and within Cloudiway, you’re ready to migrate. We recommend you run a test migration on a single user first to check that your configuration produces the outcome you expect.

To start your migration, select the users or batch you wish to migrate and click on the Start button. Your batch will be scheduled and will begin as soon as resources are available.

The Cloudiway platform currently does not support delta passes on Vault migrations. You should plan to migrate all of this data in a single pass. We anticipate supporting delta passes on Vault migrations in the future. Contact your Cloudiway Sales Manager for any updates.

7. Troubleshooting

Cloudiway provides an extensive knowledge base with many resources, including common error messages, video guides and downloads.

Please visit the entire knowledge base here (where you can search for keywords or read through topics):

The knowledge base also contains information on how you can ask for further support, should you require it.

Download PDF Here:
Cloud Migration Cloudiway
Want to try?
Cloud Migration Questions
Any questions?