sync: auto-sync from GURU-5070 at 2026-06-25 19:18:08

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-25 19:18:08
2026-06-25 19:19:06 -07:00
parent 2391b510a5
commit d1de83a6d3
3 changed files with 184 additions and 0 deletions


@@ -0,0 +1,72 @@
# Birth Biologic — Google Workspace → Microsoft 365 mail migration (scope)
Scoping doc for moving Birth Biologic's live mail off Google Workspace onto their existing M365
tenant. Started 2026-06-25. Process reference: `projects/msp-tools/runbooks/google-workspace-to-m365-migration.md`.
## Why now / current state
Birth Biologic has an **M365 Business Premium** tenant (`birthbiologic.com`) with **mailboxes
already provisioned**, but **mail still flows to Google Workspace** — i.e. they're half-staged for a
cutover that was never finished. Confirmed 2026-06-25:
- **M365 tenant:** `birthbiologic.com` (Business Premium). 13 licensed EXO mailboxes provisioned.
- **MX:** → **Google Workspace** (`aspmx.l.google.com` + alts) — **live mail is on Google, not M365.**
- **DNS host:** **SiteGround** (`ns1/ns2.us92.siteground.us`). **Registrar:** **Name.com.**
- **Web:** `www` → Google Cloud `35.215.115.203` (separate from mail; not in scope).
## Prerequisite status (gates)
| Prereq | Status | Notes |
|---|---|---|
| **Google super-admin on source tenant** | **MISSING — must obtain** | No Birth Biologic Google creds in the vault (only RMM enrollment). ACG's `acg-msp-access` SA is **not** delegated to `birthbiologic.com`. **This is the #1 blocker.** |
| M365 target mailboxes provisioned | **Mostly done** | 13 mailboxes exist; verify licensing covers everyone who needs mail (see the 2 enabled-no-mailbox accounts below). |
| Domain verified in M365 | Assumed (tenant uses `birthbiologic.com`) | Confirm the domain is verified and ready to receive (don't cut MX yet). |
| DNS edit access for MX cutover | **Pending** | SiteGround DNS — Mike accepting the SiteGround **collaborator invite** (released from EOP quarantine 2026-06-25). Registrar Name.com (for NS only; MX lives in SiteGround zone). |
## Target (M365) mailbox inventory — known
**13 provisioned EXO mailboxes:** Alicia Meneely, Ashley Williams, Brandy Burgess, Christina Cox,
Julie Beck, Kristin Steen, Lastashia May, Mary Ster, Mindi Maher, Savanna Abron, Vicki Fountain,
plus `operations@` and `sysadmin@` (Computer Guru).
**2 enabled accounts WITHOUT a mailbox** (decide before migration): **Mei Mei Senthavy**
(`msenthavy@`), **Valerie VanEaton** (`vvaneaton@`) — enabled, no license/mailbox. If they're active
mail users on Google, they need a license + mailbox provisioned as migration targets.
**Disabled / former staff** (no migration): Ally Boutte, Anica Raso, Phim Nelson, Kaileigh Hoffman.
**Guests (external, not migrated):** `christyrogers@trainingumbrella.com`, `clients@calm-ops.com`.
## Source (Google) inventory — TODO (needs Google admin)
Once super-admin access is obtained, pull from the Google Admin console:
- Full user/mailbox list + **sizes** (drives migration time), and reconcile against the M365 target list.
- **Shared/delegated mailboxes**, **groups/distribution lists**, **aliases**, **calendars/resources**
recreate in M365 deliberately (don't assume they come across as user mailboxes).
- Who is actually active (esp. Mei Mei / Valerie).
- Any retention/legal need before Google decommission (no PHI noted, but confirm).
## Proposed method
**MS native "Migration from Google Workspace"** (free, mail + calendar + contacts, delta sync) — the
default per the runbook. Birth Biologic is a small org with target mailboxes already in place, so the
native path fits cleanly. Reuse the `acg-msp-access` SA by adding its client_id + the migration scopes
to Birth Biologic's domain-wide delegation (needs their Google super-admin), or create a per-job SA.
## Cutover sequence (planned)
1. Obtain Google super-admin; vault it (`clients/birth-biologic/google-workspace.sops.yaml`).
2. Enable Gmail/Calendar/Contacts/Directory APIs; add SA domain-wide delegation w/ migration scopes in Birth Biologic's Google Admin.
3. Provision/license any missing target mailboxes (Mei Mei, Valerie if active); recreate shared mailboxes/groups.
4. Confirm `birthbiologic.com` verified in M365 (no MX change yet).
5. EAC → migration batch (Google Workspace) → CSV of mailboxes → initial + incremental sync; validate.
6. Lower MX/autodiscover TTL in **SiteGround** DNS.
7. **Cutover:** flip MX → M365, update SPF (`include:spf.protection.outlook.com`), enable/publish DKIM (2 CNAMEs), autodiscover CNAME → `autodiscover.outlook.com`, review DMARC. Final delta sync. Finalize batch.
8. Reconfigure clients to M365; remove Google licenses; remove SA delegation; cancel Workspace.
## Open questions for Mike / client
- **Can we get Google super-admin** on Birth Biologic's Workspace tenant (from the client / Annise)? Without it the native + IMAP paths are blocked.
- Are **Mei Mei Senthavy** and **Valerie VanEaton** active mail users (need mailboxes), or dormant?
- Any **shared mailboxes / groups / aliases** on the Google side to recreate?
- Desired **cutover window** / acceptable brief mail-delivery delay during MX propagation.
- Migrate **calendar + contacts** too (native does), or **mail only**?
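Review bot: Under "Proposed method", reusing the shared `acg-msp-access` SA for domain-wide delegation (the word "Reuse" implies the key already exists for other work) widens what a single leaked key can reach, and neither that section nor step 2 says which "migration scopes" are granted. Make the per-job SA the default, list the exact scopes in step 2 so the grant can be audited in Google Admin, and extend step 8's "remove SA delegation" to also cover deleting the SA key and rotating or removing the super-admin credential vaulted in step 1. In step 7 the SPF item reads as a swap to `include:spf.protection.outlook.com`, but clients are not reconfigured off Google until step 8; say explicitly whether the existing Google sender stays authorized in SPF until then, and replace "review DMARC" with the current policy and the intended one so the cutover has a concrete check.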