So, maybe you’re like me.

You’ve got a 100 or so user’s mailboxes you need to migrate from Microsoft 365 to Google Workspace.

You’ve completed your setups; the impersonation rights are set on your global admin in M365, and, you’ve assigned full control rights over all target mailboxes.

You strike up Workspace and start the Data Migration Service, successfully authenticate, and start adding users, but it won’t let you. You’ve got a GRAY START BUTTON like this.

And it’s frustrating the hell out of you because, hey, you’re a good tech, you did your planning, etc.

Well, I found a solution.

What’s happening here is that you’ve authenticated this process under another domain and not the domain you think you’re targetting. The oAuth token isn’t being saved under the right account or domain.

For me, I was in my Google Reseller console trying to kick this off, and the damn thing was trying to target my own domain rather than the tenant’s domain.

So, kill the data migration.

Login to the admin console under a Super Admin for your domain under an incognito window and set up the Data Migration Service parameters again.

You should now be able to target a user by typing … it matches, you can press start.

There’s nothing like this in the docs, of course, but hey, I just pulled my hair out for an hour … maybe I can help save yours :)

R

Phishing attacks are emails that attempt to trick the user to click on a hyperlink to access a system they shouldn’t. In order to convince the user to click, hackers will often include the business logos of trusted brands to bestow a feeling of legitimacy and importance.

On July 21, 2020, Google announced a new security feature that’ll be rolled-out to G-Suite users to help protect them from these kinds of attacks.

The feature implements an emergent email standard called Brand Indicators for Message Identification (BIMI) and its function is to uniquely verify the use of corporate logos using the DMARC system - the same system that’s used to validate the authenticity of an email sender.

Emails delivered to Google’s mail system are scanned for fraud and abuse. Under BIMI, a registered brand logo will be validated and presented to the G-Suite end user in the round avatar slot aside an email. It’s a visual cue that both re-affirms brand-trust and indicates safety to the end user.

Messages that fail validation for the use of a corporate logo are filtered from the end user.

The technical side of BIMI requires email senders to:

• use SPF and DKIM, and to publish a specific DMARK enforcement policy for the domain of either “p=quarantine” or “p=reject”.

• publish a SVG logomark;

• register their logo with the BIMI working group and publish a BIMI record;

• acquire a Verified Mark Certificate for their logo (a Google-specific requirement currently offered by only Entrust, DataCard, and DigiCert).

All of these controls benefit the G-Suite user as fraudulent use of corporate logos would potentially be filtered, making their use within spam and phishing attacks useless.

Google intends to implement this feature (and many others related to mail safety) over the next year.

So yah - how does File Stream know to use your Google Drive?

Well, when it runs for the first time, Google Drive File Stream asks a G-Suite user to sign in.

The act of signing-in is the process by which File Stream is then authorized to access to the user’s Google Drive.

Once authenticated, File Stream will present a redirected drive with a My Drive folder labeled G: in Windows; it’ll be represented as a device within the Mac O/S.

The My Drive folder is the root of the user’s Google Drive and - generally - the content placed in My Drive is private to the user.

Where G-Suite Basic users will only see their own My Drive folder, G-Suite Business users would see their My Drive folder and their G-Suite domain’s Shared Drives (formerly known as Team Drives). Only the G-Suite Business license has access to Shared Drives.

When File Stream is active, it creates a runtime stub that appears in the system tray of a Windows computer; a small white and gray triangle near the computer’s clock displayed in the lower right side of the screen. On a Mac, File Stream’s runtime stub appears in the upper toolbar towards the right.

In both cases, the stub will look grayed-out if the user needs to sign in. Clicking on the stub will produce a login challenge that will re-authenticate File Stream. If the stub is blue then the user is currently logged-in.

The user’s credential is cached in the form of an oAuth token and is active for a period of time or until the token is revoked. Then the user would have to sign back in again. If the user rotates their G-Suite password, they would need to sign-in again to create a new oAuth token.

While logged in, the computer user has access to the Google Drive of the signed-in G-Suite user.

Hopefully they’re the same person! The person using the computer is using their account with File Stream and that login information is stored behind the Windows or Mac user account.

If not, the user will notice that the File Stream stub has an option to “switch user” or “disconnect” to reconnect File Stream under another user account.

File Stream cannot connect to multiple user accounts or Google Drives at one time.