Share via

Error creating endpoint Error executing cmdlet - when trying to migrate Gsuite to O365

EBre 5 Reputation points
2025-12-23T20:00:26.97+00:00

Hi,

With support of ChatGPT I came a long way to migrate Gsuite to Office 365, but now I am stuck.

The MS exchange admin center keeps giving the error "Error creating endpoint Error executing cmdlet" when trying to establish a migration endpoint. I have checked the Google side of things: Service Account, ID, Keys, etc. Also used PowerShell.

How to Fix this?

Who can help me?

ChatGPT gave me this guidance, but not sure if this is the issue:

We are migrating from Google Workspace to Microsoft 365 using Microsoft’s supported Gmail OAuth migration (service account + domain-wide delegation).

Domain-wide delegation is correctly configured with the OAuth2 Client ID, required scopes, and verified service account JSON key.

However, the OAuth token endpoint https://oauth2.googleapis.com/token consistently returns unauthorized_client for JWT bearer flow.

This happens even after re-creating delegation entries, regenerating service account keys, and waiting for propagation.

Please check whether our Google Workspace tenant has any org-level restriction or legacy security policy that blocks service-account based domain-wide delegation.

Exchange Online
Exchange Online
A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jade-T 9,030 Reputation points Microsoft External Staff Moderator
    2025-12-23T23:35:00.2033333+00:00

    Hi @EBre

    Thank you for posting your question in the Q&A Forum.

    Based on the details provided, the error “Error creating endpoint / Error executing cmdlet” in Exchange Online is a generic message indicating that a connection to the source provider could not be established.

    The unauthorized_client response returned from https://oauth2.googleapis.com/token indicates that the failure occurs during the initial OAuth authentication on the Google Workspace side. Since this response is generated by Google’s OAuth service, Exchange Online is unable to proceed with creating the migration endpoint.

    An unauthorized_client response typically points to a configuration issue in Google Workspace, such as the service account setup, domain-wide delegation configuration, or API scope authorization.

    From the Microsoft 365 side, there are no cmdlets or settings that can bypass an OAuth token rejection issued by the source identity provider. The migration endpoint depends entirely on a successful OAuth 2.0 authentication flow.

    We recommend reviewing the Google Workspace security and API access settings and confirming that the service account has been granted the required scopes. If the issue persists after verification, contacting Google Workspace Support would be the appropriate next step to determine why the authorization request is being rejected.

    Once Google successfully issues the OAuth token, the migration endpoint in Microsoft 365 should be created without further changes.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 

    1 person found this answer helpful.
  2. Q&A Assist
    2025-12-23T20:00:38.3966667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    It seems that you are encountering an issue with creating a migration endpoint while migrating from Google Workspace to Microsoft 365. The error message "Error creating endpoint Error executing cmdlet" can be caused by several factors. Here are some steps you can take to troubleshoot and potentially resolve the issue:

    1. Verify Service Account Configuration: Ensure that the service account is properly configured with domain-wide delegation. Double-check that the OAuth2 Client ID and required scopes are correctly set up in the Google Workspace Admin console.
    2. Check OAuth Scopes: Make sure that the OAuth scopes you have added are correct and match the required scopes for migration. If they are incorrect, the migration process will fail.
    3. Test Connectivity: Use PowerShell to test the connectivity between Google Workspace and Microsoft 365. You can run the command: 
         Test-MigrationServerAvailability -Gmail -ServiceAccountKeyFileData $([System.IO.File]::ReadAllBytes("C:\\somepath\\yourkeyfile.json")) -EmailAddress ******@yourdomain.com
      Replace ******@yourdomain.com with your super admin email address. Ensure that the test is successful.
    4. Check for Organizational Restrictions: Investigate if there are any organization-level restrictions or legacy security policies in your Google Workspace tenant that might be blocking the service account's access.
    5. Regenerate Keys and Wait for Propagation: If you have already regenerated the service account keys and re-created delegation entries, ensure that you wait for the changes to propagate, which can take up to 24 hours.
    6. Review Logs and Error Messages: Check any logs or error messages in the Exchange admin center for more specific details about the failure. This can provide insights into what might be going wrong.

    If the issue persists after trying these steps, you may want to reach out to Microsoft support for further assistance, as they can provide more tailored help based on your specific environment and configuration.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.