Fix Google to Office 365 Migration Error Service Account Key

Article

Introduction

Migrating from Google Workspace to Microsoft 365 is a common task for organizations looking to streamline their productivity tools. However, one roadblock you might encounter is the inability to create a Google Cloud service account key due to your organization’s security policies. Specifically, the iam.disableServiceAccountKeyCreation constraint can prevent you from generating the keys necessary for migration.

In this guide, we’ll walk you through why this happens, how to resolve it, and the steps to successfully migrate your data from Google Workspace to Office 365.

Understanding the Issue

When attempting to create a service account key, you might encounter the following error:

"Service account key creation is disabled. Your organization has enforced a policy that prevents new service account keys from being created."

This error occurs because your Google Cloud organization has enabled the iam.disableServiceAccountKeyCreation policy, which restricts the creation of new service account keys.

Why istThis policy enabled?

Organizations often enable this policy to:

Enhance security: Prevent unauthorized key creation.
Reduce risks: Minimize the chances of leaked or misused service account keys.
Ensure compliance: Meet security frameworks and industry standards.

To successfully migrate away from using service account keys, you need to prevent new keys from being created. During the deployment phase, you enforce the iam.disableServiceAccountKeyCreation organization policy constraint to prevent the creation of new service account keys.

While this is a good security practice, it can block essential tasks like Google Workspace to Office 365 migration, which requires a service account key.

Steps to Resolve the Issue

Step 1. Identify Policy Restrictions

Before making any changes, verify if the iam.disableServiceAccountKeyCreation policy is active in your Google Cloud Console.

Sign in to Google Cloud Console (console.cloud.google.com).
Navigate to IAM & Admin > Organization Policies.
Search for "Disable Service Account Key Creation" (iam.disableServiceAccountKeyCreation).
If the policy is enforced, you’ll need administrator approval to modify it.

Step 2. Modify the Organization's Policy

To allow service account key creation, update the organization policy:

In Google Cloud Console, go to IAM & Admin > Organization Policies.
Locate Disable Service Account Key Creation (iam.disableServiceAccountKeyCreation).
Click Edit.
Change the policy to Not Enforced.
Click Save.

Once the policy is updated, you should be able to create service account keys.

Step 3. Create a Service Account and Key

With the policy updated, proceed to create a service account and generate a key:

Navigate to IAM & Admin > Service Accounts.
Click Create Service Account.
Enter a name and description.
Assign the necessary roles for migration (e.g., Super Admin or G Suite Data Migration Admin).
Click Create and Continue.
Under Keys, click Add Key > Create New Key.
Select JSON format and click Create.
Download the JSON key file for use in the Office 365 migration tool.

Step 4. Use the Key for Office 365 Migration

Now that you have the service account JSON key use it in your migration tool:

Open Microsoft 365 Admin Center.
Go to Setup > Data Migration.
Select Google Workspace as the source.
Upload the service account JSON key.
Follow the migration setup wizard.

This should allow your Google Workspace data to be transferred to Microsoft 365 successfully.

Conclusion

Disabling service account key creation is a security best practice, but it can block essential tasks like Google Workspace to Office 365 migration. By temporarily modifying the organization policy and creating a service account key, you can proceed with the migration smoothly. Once the migration is complete, consider reenabling the policy to maintain security.

Pro Tip: Always document changes to organization policies and ensure they align with your organization’s security guidelines.

Additional Resources

For further details, refer to: