G-Suite Migration Error - Unauthorized

Anonymous
2022-06-15T22:13:29+00:00

I'm attempting to migrate/merge a GSuite tenant into our corporate Microsoft 365 tenant using the EAC migration tool (https://docs.microsoft.com/en-us/exchange/mailbox-migration/perform-g-suite-migration).

I did the prerequisites (https://docs.microsoft.com/en-us/exchange/mailbox-migration/googleworkspace-migration-prerequisites) and have verified the temporary subdomain both on the GSuite and Microsoft side (o365.domainname.com).

I ran the automated utility (https://docs.microsoft.com/en-us/exchange/mailbox-migration/automated-migration-neweac) and everything looked okay. All the mail users I created in the prerequisite step got converted over to mailboxes with a primary address of ******@o365.domainname.com. But when I try to sync it, I get the message:

Error: OAuthBadResponseUnauthorizedClientException: The call to https://www.googleapis.com/oauth2/v4/token returned with status code Unauthorized: Unauthorized Error response: unauthorized_client Error description: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested

From what I've read, this could be due to the Google service account assigned to the created project needing global admin rights, but nothing I've read explains how to do that and it wasn't listed in the instructions for the migration utility. Can someone please help?

Locked Question. This question was migrated from the Microsoft Support Community.

3 answers

  1. Anonymous
    2022-06-17T06:23:23+00:00

    Hi AbbasUni,

    Good day,

    Thanks for your reply and details. It would definitely help our other community members.

    Furthermore, I would like to know: have you been able to fix that issue?

    Let me know if you have any further questions on this thread. I would be more than happy to assist you.

    Sincerely,

    Amul | Microsoft Community Moderator

  2. Anonymous
    2022-06-16T22:53:02+00:00

    I found the domain-wide delegation settings that were needed, but it took me several attempts to get this working.

    The automated tool is too problematic, so I went with the manual method in the Classic EAC. The scopes to add to the service account that gets created are:

    https://mail.google.com/

    https://www.googleapis.com/auth/calendar

    https://www.googleapis.com/auth/contacts

    https://www.googleapis.com/auth/gmail.settings.sharing

    Also, never reuse an endpoint that didn't work the 1st time. Delete the old one and create a new one.

    Finally - and THIS wasn't mentioned anywhere until I finally got a new error message - the Gmail API needs to be enabled (https://console.cloud.google.com/apis/library/gmail.googleapis.com)

    I also enabled the Calendar API and People API from the library, just in case.

  3. Anonymous
    2022-06-16T03:35:10+00:00

    Dear AbbasUni,

    Good day,

    Thanks for posting in Microsoft Community.

    I understand that you have a concern about a sync issue after migrating from Gsuite to O365. Based on the error message mentioned, would you please have a look at the possible solutions below?

    Gsuite admin > Security > API Permissions and then try to add the Service Account as a trusted app > And then try it again.

    Use the Service Account email ID as the endpoint

    Add the following scopes in Google Admin > Security > API Controls > Domain-wide Delegation

    Additionally: please make sure the token is valid and has the necessary permissions/scopes as detailed here: Perform a Google Workspace (formerly G Suite) migration to Microsoft 365 or Office 365, and check if you have done this point: "Grant access to the service account for your Google tenant"

    NOTE: For your security and privacy, kindly don't mention any email address / password or other confidential information.

    We look forward to your response. Thanks for your cooperation.

    Sincerely,

    Amul | Microsoft Community Moderator

    ***Note: In the event that you're unable to reply to this thread, please ensure that your Email address is verified in the Community Website by clicking on Your Account Name > "My Profile" > "Edit Profile" > Add your Email Address > tick "Receive email notifications" checkbox > click on "Save".***

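A check for the domain-wide delegation scope field described in the second answer, as an added example that is not part of the thread or of Microsoft's or Google's tooling: it compares a pasted scope list with the four scopes named there and flags entries that were fused together on paste or that differ only by a trailing slash. The function names and the sample input are constructed for illustration, and exact string matching of scopes is an assumption.

```python
import re

# Scopes the answer above lists for the service account's delegation entry.
REQUIRED_SCOPES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
)

def split_run_together(token):
    """Recover individual URLs from a token whose separators were lost."""
    return re.findall(r"https?://.+?(?=https?://|$)", token)

def parse_scope_field(raw):
    """Split a pasted scope field on commas/whitespace; flag fused entries."""
    scopes, fused = [], []
    for token in filter(None, re.split(r"[,\s]+", raw.strip())):
        parts = split_run_together(token)
        if len(parts) > 1:
            fused.append((token, parts))
        else:
            scopes.append(token)
    return scopes, fused

def audit_delegation(raw, required=REQUIRED_SCOPES):
    """Compare a pasted scope field with the required list (exact match)."""
    granted, fused = parse_scope_field(raw)
    missing = [s for s in required if s not in granted]
    extra = sorted(set(granted) - set(required))
    # Assumption: scopes must match character for character, so a dropped
    # trailing slash counts as a different (unauthorized) scope.
    near_miss = {e: m for e in extra for m in missing
                 if e.rstrip("/") == m.rstrip("/")}
    return {"missing": missing, "extra": extra,
            "fused": fused, "near_miss": near_miss}

# Constructed sample: one scope lost its trailing slash, two were pasted
# without a separator between them.
SAMPLE = ("https://mail.google.com, "
          "https://www.googleapis.com/auth/calendar"
          "https://www.googleapis.com/auth/contacts, "
          "https://www.googleapis.com/auth/gmail.settings.sharing")

if __name__ == "__main__":
    for key, value in audit_delegation(SAMPLE).items():
        print(f"{key}: {value}")
```

Anything reported under `extra` that is not a near miss is a scope granted beyond what the migration needs and is worth removing from the delegation entry.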