Troubleshoot the data migration service

There are 2 types of issues when using the data migration service—blocking and non-blocking.

Blocking issues

Blocking issues prevent the migration of user accounts. They usually occur if you specify an incorrect username or password when you set up migrations from IMAP environments. Or, you might get them if your Microsoft Exchange administrator account lacks certain privileges.

Non-blocking issues

Non-blocking issues prevent some, but not all, messages from migrating. You might have message-level errors (where a single message hasn't migrated correctly) or folder-level errors (where an entire folder hasn't migrated).

How to address blocking issues

Migrating from an Exchange Web Services environment (Exchange 2007 and later)

If you encounter problems when migrating from a Microsoft Exchange Web Services (EWS) environment, verify:

  1. EWS—Select the Synchronization, Notification, Availability, and Automatic Replies option on the Exchange Server tab in the Microsoft Remote Connectivity Analyzer tool to verify that servers can reach and, through the Autodiscover service, recognize EWS.
  2. The logs show the data migration service can communicate with Exchange—Check the Exchange server Internet Information Services (IIS) logs for the SyncFolderItems call with response code 200.
  3. AD Conditional Access—Check whether you’re using Conditional Access policies on your Microsoft Active Directory. If so, turn off the policies and try migrating again. For more information, consult your Microsoft documentation.
  4. Impersonation—For more information, consult your Microsoft documentation on how to set up Exchange impersonation.
  5. TLS certificates—Verify your TLS certificates are signed and valid. For details, go to Set up your TLS certificate.
  6. Exchange user account—Verify the Exchange user account is a valid account and the mailbox is turned on. Also, check the Exchange mailbox isn't corrupt.
  7. Migration client ID—Verify the following service account client ID appears in the list of clients that have access to mail and migration APIs:

    955661971872-ie97v0ns6ndb19rbr9nlpkahpmfk9ugf.apps.googleusercontent.com

    To check the client ID:

    1. Sign in to your Google Admin console.

      Sign in using an account with super administrator privileges (does not end in @gmail.com).

    2. From the Admin console Home page, go to "" and then Security and then API controls.
    3. Under Domain wide delegation, click Manage Domain Wide Delegation.

      The client ID should be listed under API clients.

    If the client ID doesn't appear:

    1. On the Manage domain wide delegation page, click Add new.
    2. Under Client ID, enter your service account's client ID.

      You can find the service account client ID in the JSON file you downloaded when you created the G Suite service account. Alternatively, you can find the client ID in the Google Cloud Platform Console. Click IAM & Adminand thenService accounts, then select your service account.

    3. In the OAuth scopes field, copy and paste the following comma-delimited list of scopes:

      https://mail.google.com/,
      https://www.googleapis.com/auth/email.migration,
      https://www.googleapis.com/auth/gmail.insert,
      https://www.googleapis.com/auth/gmail.labels

    4. Click Authorize.
    5. To make sure every scope appears, select the new client ID and click View details.

      If they don't, click Edit, enter the missing scopes, and click Authorize. Note that you can't edit the client ID.

  8. The relevant Google service—Check that you turned on the target Google service (Gmail, Contacts, or Calendar). For details, go to Turn a service on or off for G Suite users.
  9. The super administrator—Check that a super administrator is assigned to the G Suite domain.
  10. Your server gets connections from G Suite mail servers—For details, go to Google IP address ranges for outbound SMTP.
Migrating from IMAP, Gmail, or a G Suite account

Blocking issues when migrating from an IMAP server, Gmail, or a G Suite account might indicate an obstacle accessing the mailbox. Try to access the mailbox using an IMAP email client such as Mozilla Thunderbird, Apple Mail, or Microsoft Outlook. This ensures the mailbox has IMAP access and that you have the correct username and password.

If you still have issues, confirm the following:

  1. Migration client ID—Verify the following service account client ID appears in the list of clients that have access to mail and migration APIs:

    955661971872-ie97v0ns6ndb19rbr9nlpkahpmfk9ugf.apps.googleusercontent.com

    To check the client ID:

    1. Sign in to your Google Admin console.

      Sign in using an account with super administrator privileges (does not end in @gmail.com).

    2. From the Admin console Home page, go to "" and then Security and then API controls.
    3. Under Domain wide delegation, click Manage Domain Wide Delegation.

      The client ID should be listed under API clients.

    If the client ID doesn't appear:

    1. On the Manage domain wide delegation page, click Add new.
    2. Under Client ID, enter your service account's client ID.

      You can find the service account client ID in the JSON file you downloaded when you created the G Suite service account. Alternatively, you can find the client ID in the Google Cloud Platform Console. Click IAM & Adminand thenService accounts, then select your service account.

    3. In the OAuth scopes field, copy and paste the following comma-delimited list of scopes:

      https://mail.google.com/,
      https://www.googleapis.com/auth/email.migration,
      https://www.googleapis.com/auth/gmail.insert,
      https://www.googleapis.com/auth/gmail.labels

    4. Click Authorize.
    5. To make sure every scope appears, select the new client ID and click View details.

      If they don't, click Edit, enter the missing scopes, and click Authorize. Note that you can't edit the client ID.

  2. The relevant Google service—Check that you turned on the target Google service (Gmail, Contacts, or Calendar). For details, go to Turn a service on or off for G Suite users.
  3. The super administrator—Check that a super administrator is assigned to the G Suite domain.
  4. Your server gets connections from G Suite mail servers—For details, go to Google IP address ranges for outbound SMTP.

How to address non-blocking issues

If non-blocking issues or errors occur, request a domain migration and item error report. For details on migration reports, go to Monitoring a data move. Then, try troubleshooting non-blocking issues.

Troubleshoot missing messages

Step 1: Check your setup steps

If you have a blocking issue, check that you completed all the steps to Prepare your legacy environment and try the migration again. Then, if the problem persists, use the blocking issues steps above to troubleshoot.

Step 2: Check for the email header

If some email messages seem to disappear after a migration, perform the following search to make sure the email isn't mislabeled:

  1. Get the Message-ID of the email from the legacy account. The Message-ID of an email is found in the message header. Learn more
  2. Search for the Message-ID header in the new G Suite account using the rfc822msgid: Gmail search operator. For details, go to Search operators you can use with Gmail.

Step 3: Additional checks

If you still can't find the email, perform the following checks:

Troubleshoot missing email folders

If you have an email folder missing after a migration, contact your legacy email service provider for help with resolving the issue with the folder.

If the issue can’t be resolved, you could delete the folder and run the migration again. Any email messages contained within the folder are also deleted, however.

Related topics

Google, G Suite, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?