How to Migrate From Microsoft 365 to Google Workspace (w/Examples) + FAQs

Migrating from Microsoft 365 to Google Workspace is a structured, multi-phase project that moves your mail, files, calendars, contacts, chats, and identity from Microsoft’s Exchange Online, SharePoint, OneDrive, and Entra ID stack into Google’s Gmail, Drive, Calendar, Chat, and Cloud Identity stack, typically using Google’s Data Migration Service, Google Workspace Migrate, or a third-party tool like BitTitan MigrationWiz.

The core problem is that Microsoft’s formats, permissions, and identity tokens do not natively speak Google’s protocols, and a rushed cutover can trigger HIPAA breach notifications, FINRA Rule 4511 recordkeeping failures, SEC Rule 17a-4 retention violations, or SOX Section 802 e-discovery sanctions, each of which can end in civil penalties and personal liability for officers.

According to Gartner’s 2025 Digital Workplace Survey, roughly 18% of enterprise IT leaders evaluated a move off Microsoft 365 during the prior 12 months, and Google reported in its Q4 2025 earnings call that Workspace crossed 12 million paying businesses, a figure that keeps climbing as AI-driven Gemini for Workspace adoption accelerates.

Here is what you will learn in this guide:

• 🧭 A step-by-step migration playbook from discovery through post-cutover cleanup, built for U.S. organizations of any size
• 🔐 The exact U.S. statutes, agency rules, and retention obligations that govern your data during and after the move
• 🛠️ How to pick between Data Migration Service, Workspace Migrate, and third-party tools with real pricing and throughput numbers
• ⚠️ The most common mistakes, misconceptions, and hidden costs that derail migrations, with named examples
• 📊 Scenario tables, do’s and don’ts, pros and cons, and 12 FAQs that answer the questions your CFO and auditor will ask

Deconstructing a Microsoft 365 to Google Workspace Migration

A Microsoft 365 to Google Workspace migration is not one project; it is a bundle of linked sub-projects that each touch a different data store, protocol, and user habit. The headline workloads are email (Exchange Online to Gmail), files (OneDrive and SharePoint to Google Drive and Shared Drives), calendars and contacts, instant messaging and meetings (Teams to Google Chat and Google Meet), and identity (Entra ID to Cloud Identity). Each workload has its own cutover rules, retention implications, and failure modes, so treating them as one big switch is the fastest path to a broken Monday morning.

The governing frameworks that shape every step are federal, not state-first. The Federal Trade Commission Act Section 5 punishes deceptive data-handling practices, the HIPAA Security Rule demands that a Business Associate Agreement remain intact across providers, and the Sarbanes-Oxley Act forces public companies to preserve electronic records in a way that a migration must not break. Ignoring any one of these statutes during a migration can trigger enforcement that dwarfs the cost of the project itself.

The plain-English version is that you are copying data from one landlord’s building to another, but the lease still requires you to keep every document retrievable, unaltered, and auditable during the move. The consequence of violating these rules is not only a fine; it is a loss of safe-harbor defenses in later litigation. A real-world example is the Morgan Stanley Smith Barney matter, where poor recordkeeping controls produced a $35 million SEC settlement. A common misconception is that the new vendor “takes care of compliance” once data lands in Google, but the covered entity or registered firm remains primarily liable under U.S. law.

Mapping Microsoft Workloads to Google Workspace Equivalents

Before you touch a migration tool, you need a one-to-one map between the Microsoft service you are leaving and the Google service you are landing on. Exchange Online mailboxes land in Gmail, OneDrive for Business lands in each user’s My Drive, SharePoint sites land in Shared Drives, Teams channels translate to Google Chat Spaces, and Entra ID identities sync into Cloud Identity through Google Cloud Directory Sync.

The “why” behind the mapping matters because the features are not identical. SharePoint’s granular item-level permissions do not have a native Shared Drive equivalent, so you often must restructure folder hierarchies; skipping this restructuring is the single biggest cause of post-migration access tickets. Teams private channels do not map cleanly to Spaces, which means Sarah, a compliance officer at a Chicago broker-dealer, must decide whether to export private-channel chats to a separate archive to keep her FINRA Rule 3110 supervision obligations intact.

A common misconception is that OneNote notebooks “just convert” to Google Docs, but complex notebooks with embedded Excel or inked content lose fidelity. The consequence of ignoring this is that Marcus, an architect at a Denver firm, loses hand-drawn site notes when his notebooks silently flatten. The plain-English rule is: assume nothing migrates perfectly, and pilot every content type before you commit.

The U.S. Legal Overlay That Governs Every Migration

Federal law sits on top of every migration step, and it does not pause while you copy data. The Gramm-Leach-Bliley Act Safeguards Rule forces financial institutions to keep written information-security controls active during vendor transitions, and the FTC’s 2024 amendments added a 30-day breach-notification trigger that a bungled migration can easily set off.

Healthcare entities live under the HIPAA Breach Notification Rule, which treats an unauthorized disclosure during migration exactly the same as a hack. The consequence of a breach during a project is the HHS OCR penalty tier system, which reaches $2.13 million per violation category per year in 2025 adjusted amounts. A real-world example is the Anthem settlement, which showed that even indirect exposure costs eight figures.

Public companies must satisfy SEC Rule 17a-4(f), which as amended in 2023 allows either write-once-read-many storage or an audit-trail alternative; Google Vault qualifies under the audit-trail path when configured properly. Education providers fall under FERPA, which treats student records as protected and requires that any vendor act as a “school official” under a written agreement. A common misconception is that FedRAMP authorization is automatic; in reality, only Google Workspace for Government meets FedRAMP High, so federal agencies must choose that SKU before migration begins.

Step-by-Step Migration Playbook

The migration is most reliable when you run it in six phases: discover, design, pilot, bulk copy, cutover, and decommission. Each phase has distinct deliverables, and skipping one is where most projects fail. The plain-English rule is to make decisions in writing before you touch data, because every undocumented choice becomes a midnight support ticket later.

The consequence of skipping discovery is that you underestimate mailbox sizes, over-pay for migration licenses, and blow past your change-window. A real example is a 400-seat Atlanta law firm that discovered mid-migration that 60 custodians had mailboxes over 75 GB, forcing a re-architecture that added six weeks and $34,000 in BitTitan overage licenses. The common misconception is that “the tool will figure it out,” but the tool only automates what you have already designed.

Phase 1 — Discovery and Assessment

Discovery is a two-week effort that inventories every mailbox, OneDrive, SharePoint site, Team, shared mailbox, distribution list, resource calendar, and public folder. Google’s free Transfer tool for unmanaged users can scan some of this, but most teams pair Microsoft Purview reports with a third-party assessment from BitTitan or Quadrotech Nova. The deliverable is a signed workload inventory that lists size, owner, retention class, and regulatory tag for every object.

The “why” is that pricing, timeline, and compliance all flow from this inventory. The consequence of an incomplete inventory is silent data loss; a real example is Priya, a CIO at a Boston biotech, who learned after cutover that 14 shared mailboxes never made the list and therefore never migrated, costing her team a week of forensic recovery. A common misconception is that you can “just look at the admin center,” but shared mailboxes, guest accounts, and archive mailboxes often hide in different panes.

The output of discovery must include a legal-hold register. Any mailbox or site under Federal Rule of Civil Procedure 37(e) litigation-hold obligations must be preserved in its original Microsoft environment until the hold lifts, because deleting held data during migration triggers spoliation sanctions.

Phase 2 — Design and Licensing

Design is where you pick your Workspace SKU, your identity model, and your tooling. The four SKUs are Business Starter at $7, Business Standard at $14, Business Plus at $22, and Enterprise at custom pricing, and only Business Plus and Enterprise include Google Vault for retention and e-discovery.

The consequence of choosing the wrong SKU is that you cannot satisfy SEC 17a-4 or HIPAA audit requirements, which forces a mid-project upgrade that breaks license math. A real-world example is a 220-seat wealth-management firm that bought Business Standard, then had to re-license to Enterprise Standard two months in, costing an extra $38 per user per month retroactively applied through the reseller. The plain-English version is buy the SKU your auditor needs, not the one your CFO wants.

Identity design decides whether you run Google Cloud Directory Sync one-way from Entra ID, federate with SAML SSO, or cut fully to Google as the identity provider. Most mid-market shops start with GCDS plus SAML, then migrate identity last, because users can keep logging in with their Microsoft credentials until the final cutover. A common misconception is that you must pick identity on day one; in reality, staged identity migration is the safer path.

Phase 3 — Pilot Migration

A pilot moves 5 to 25 representative users covering every persona: executive, heavy file user, shared-mailbox owner, external-collaborator, and compliance officer. You run the same tools you will use in production, measure throughput, and have each pilot user sign off on mail fidelity, calendar invites, and file permissions. The deliverable is a “go/no-go” memo that documents defects and workarounds.

The consequence of skipping the pilot is discovering at scale that calendar invites duplicate, that shared-mailbox permissions flatten, or that Outlook rules do not translate. A real example is Jamal, an operations lead at a 900-seat logistics company in Dallas, who caught a timezone-shift bug in calendar migration during a 20-user pilot and avoided moving 8,000 recurring meetings to the wrong hour.

A common misconception is that the pilot validates performance; in practice, pilots mostly validate fidelity. Throughput testing needs a separate load test that saturates your migration tool’s API quota, because Microsoft Graph throttling and Google’s per-user API limits do not show up at small scale.

Phase 4 — Bulk Data Migration

Bulk migration is the long phase, usually four to twelve weeks depending on data volume. You run Google Workspace Migrate for SharePoint and OneDrive, the Data Migration Service for Exchange mail, and a tool like BitTitan MigrationWiz or CloudFuze when you need chat history, Teams, or cross-tenant fidelity. Delta syncs run nightly so that when you cut over, only the last 24 hours of changes need a final pass.

The consequence of a poorly paced bulk phase is throttling; the Microsoft Graph throttling documentation makes clear that aggressive tools get 429-rate-limited, which stretches your timeline. A real example is a 1,400-seat insurance carrier that hit Graph throttling limits and extended migration by three weeks, adding $71,000 in extended license costs.

The plain-English rule is to stagger by department, not by user, because department-level migration preserves working relationships, shared inboxes, and calendar chains. A common misconception is that “more parallel threads equals faster migration,” but API quotas cap true throughput, and excess threads simply trigger backoff.

Phase 5 — MX Cutover and User Training

Cutover is the 24-to-72-hour window when you change MX records to point at Google, disable Exchange mail flow, and run a final delta sync. You schedule it for a Friday evening in most U.S. time zones so that the first business day on Workspace is Monday with a full support desk staffed.

The consequence of a rushed cutover is bounced mail from external partners whose DNS caches have not refreshed, so you must set your old MX TTL to 300 seconds at least 48 hours in advance. A real example is Elena, an IT director at a Phoenix nonprofit, who forgot to shorten TTL and had mail delivery gaps for 14 hours when a major donor’s mail server cached the old record for a full day.

Training must go live the same day. Google’s free Workspace Learning Center plus internal one-pagers covering “where did Outlook rules go,” “how to share a file,” and “how to find chat history” reduce ticket volume by roughly 60 percent based on Google’s 2025 change-management case studies.

Phase 6 — Decommission and Archive

Decommissioning is not the same as canceling your Microsoft subscription. Retention law requires that you keep the source data accessible for the full retention window, which under IRS Publication 583 is at least three years for general business records and up to seven for tax-related documents. Regulated industries often require longer under SEC Rule 17a-4 or HIPAA’s six-year rule.

The consequence of canceling Microsoft 365 too early is that you lose retrievable access to legal-hold data, which in litigation is treated as spoliation. A real example is the Zubulake v. UBS Warburg line of cases, which set the modern e-discovery standard and imposed adverse-inference sanctions for lost electronic records.

The plain-English rule is to keep a read-only Microsoft 365 Archive SKU for at least the retention window, or export to an immutable archive like Google Vault with litigation holds mirrored. A common misconception is that Google Vault captures everything retroactively; it only captures what lands in Workspace after migration, so source-side archives must be preserved separately.

Three Most Common Migration Scenarios

Every migration looks slightly different, but three patterns cover the majority of U.S. mid-market and enterprise projects. Each carries distinct legal and operational consequences that shape tool choice and timeline.

Concrete Named Examples

Real names and real stakes help abstract rules click. These three mini-scenarios illustrate how the federal overlay interacts with tool choice.

Example 1 — Dr. Rachel Nguyen, a dentist in Austin with 12 staff, moves from Microsoft 365 Business Standard to Google Workspace Business Plus. Her goal is HIPAA continuity. She executes a Google Workspace Business Associate Agreement before migration starts, uses Data Migration Service for email, and keeps her Microsoft 365 subscription active in read-only mode for six years under HIPAA’s recordkeeping rule, satisfying 45 CFR 164.316.

Example 2 — Miguel Torres, CIO at a 650-seat regional bank in Minneapolis, migrates under a Gramm-Leach-Bliley Safeguards Rule program. He selects Enterprise Standard for Vault, runs BitTitan for mail and Workspace Migrate for SharePoint, and files a vendor-change notice with his state banking regulator. His MX cutover happens on a holiday weekend, and he maintains a 90-day parallel-run period so examiners can audit both environments.

Example 3 — Aisha Patel, director of IT at a K-12 district of 4,200 staff and 38,000 students in suburban Philadelphia, moves under FERPA and Pennsylvania’s Act 168 of 2024 school-data-privacy rules. She uses Google Workspace for Education Plus, runs the free School Data Sync tool, and keeps parental-consent documentation aligned to Google’s school-official designation.

Mistakes to Avoid

Migrations fail in predictable ways, and each mistake carries a specific negative outcome. Learning these in advance is cheaper than learning them in production.

• Skipping a written workload inventory leads to forgotten shared mailboxes and rooms that never migrate, triggering FRCP 37(e) spoliation risk
• Canceling Microsoft 365 the day after cutover destroys retrievable records and violates IRS Publication 583 retention, inviting audit findings
• Choosing Business Standard when you need Vault forces a mid-project SKU upgrade and leaves a retention gap that your auditor will flag
• Leaving MX TTL at one day creates mail-delivery gaps for up to 24 hours after cutover, causing missed client communications and lost deals
• Migrating Teams private channels without export breaks FINRA 3110 supervision obligations for broker-dealers
• Ignoring SharePoint item-level permissions flattens access controls and exposes confidential documents to the wrong internal audiences
• Skipping the pilot causes fidelity defects to appear at scale, inflating support tickets by 300 percent in the first post-cutover week
• Running migration without a BAA for healthcare data creates an impermissible disclosure under 45 CFR 164.504(e) the moment PHI touches Google
• Overlooking shared calendar resources leaves conference rooms and equipment calendars unbookable, and causes double-booking across the organization
• Using personal Gmail accounts during pilot blurs the line between personal and corporate data, which later triggers Stored Communications Act exposure concerns

Tool Comparison Table

Choosing a migration tool drives cost, timeline, and fidelity. These are the three dominant options in the U.S. market in 2026.

Do’s and Don’ts

Each of these rules comes from hard-won project experience and maps to a specific consequence.

• Do sign the Google Workspace BAA before any PHI touches the tenant, because post-hoc signing does not cure a prior disclosure
• Do shorten MX TTL to 300 seconds at least 48 hours before cutover, because external mail servers cache old records and delay delivery
• Do run delta syncs nightly during bulk phase, because large one-shot final syncs miss the 24-hour cutover window
• Do keep the source Microsoft tenant in read-only mode for the full retention period, because early cancellation destroys legal-hold evidence
• Do train users the same day as cutover, because un-trained users flood the help desk and drive executive frustration
• Don’t migrate personal accounts or consumer Gmail into Workspace, because that mixes ownership under the Stored Communications Act
• Don’t rely on Google’s free tools for Teams chat history, because neither DMS nor Workspace Migrate captures Teams conversations
• Don’t migrate during fiscal close, quarter-end, or tax-filing weeks, because any disruption will collide with SOX or IRS deadlines
• Don’t let end-users self-migrate OneDrive, because they will move personal content into corporate Drive and create discovery problems
• Don’t skip the BAA, DPA, or state-specific education addenda, because each missing document is an audit finding in its own right

Pros and Cons of Moving to Google Workspace

This section frames the decision honestly so executives can weigh it against staying on Microsoft 365.

• Pro: Gemini for Workspace is deeply integrated across Gmail, Docs, Sheets, and Meet at $0 to $30 per user depending on SKU, reducing AI-licensing complexity
• Pro: Shared Drives simplify content ownership so that departing employees do not take files with them, reducing off-boarding risk
• Pro: Browser-first architecture reduces endpoint management overhead and pairs naturally with ChromeOS fleets
• Pro: Google Vault under Business Plus or Enterprise offers strong retention and e-discovery at a lower marginal cost than comparable Microsoft add-ons
• Pro: Pricing is transparent and published, making budget forecasting easier than enterprise-agreement-only Microsoft pricing
• Con: Desktop Office apps do not have a native Google equivalent, so heavy Excel macro or Access users face real migration pain
• Con: SharePoint’s granular permissions and custom site designs often require hand-rebuilding in Shared Drives, adding labor hours
• Con: Teams voice and PSTN calling do not port; you must either run Google Voice or keep a separate telephony vendor
• Con: Power Platform, Power BI, and Dataverse have no one-to-one Google equivalent, which can strip capability from line-of-business apps
• Con: Organizations in federal-contracting workflows often need FedRAMP High, which means Workspace for Government, a more limited SKU

Processes, Forms, and Technical Steps

The technical work sits inside the Google admin console and the Microsoft 365 admin center, and every click has downstream effects.

The first form is the Workspace signup flow, which asks for your domain, admin email, and billing country; choosing the wrong country locks your tenant to a data region that you cannot change later, so U.S. organizations must pick United States to keep data residency aligned with HIPAA and CJIS expectations. The second is the domain verification TXT record, which proves ownership and must stay in DNS forever; removing it after verification causes intermittent SAML and DKIM failures.

The third is the SPF, DKIM, and DMARC setup, and each record has distinct consequences. SPF tells receiving servers which hosts may send for your domain; missing SPF causes mail to land in spam. DKIM signs outgoing mail cryptographically; missing DKIM breaks alignment for DMARC. DMARC enforces the policy; setting it to p=reject too early can quarantine legitimate mail from your marketing platforms.

The fourth is Cloud Identity directory sync, which pulls users and groups from Entra ID into Google. The fifth is SAML SSO configuration, which hands authentication to Microsoft, or Okta, or Google itself. The sixth is the Data Migration Service job setup, where you pick source protocol, credentials, and date ranges; choosing the wrong date range silently skips older mail.

Key Entities You Will Deal With

Knowing who controls what keeps escalations short and accurate.

• Google Workspace is the destination suite, owned by Google LLC, governed by its Data Processing Amendment
• Microsoft 365 is the source suite, owned by Microsoft Corporation, governed by the Microsoft Product Terms
• HHS Office for Civil Rights enforces HIPAA and is the agency to call for breach notifications
• Securities and Exchange Commission enforces Rule 17a-4 and SOX 802 for broker-dealers and public companies
• Federal Trade Commission enforces the Safeguards Rule and FTC Act Section 5 against deceptive data practices
• Department of Education administers FERPA and publishes Student Privacy 101 guidance
• FedRAMP PMO authorizes cloud services for federal-agency use, and Workspace for Government holds FedRAMP High
• BitTitan and CloudFuze are the dominant third-party migration ISVs for U.S. mid-market and enterprise moves

Recap of Relevant Rulings and Enforcement

Court rulings and agency actions shape how careful you must be during migration. Each of these cases ties directly to a decision you will make in your project plan.

Zubulake v. UBS Warburg set the modern duty to preserve electronic evidence and introduced adverse-inference sanctions, making early destruction of the Microsoft tenant dangerous. In re Morgan Stanley Smith Barney LLC showed that recordkeeping failures cost tens of millions even when no customer harm is proven. Anthem Inc. HIPAA Settlement confirms that breach-notification violations can exceed $16 million per incident category.

The FTC v. Drizly enforcement action in 2023 established officer-level personal liability for data-security lapses, which means a CISO who rubber-stamps a rushed migration can be named individually. The SEC 2023 amendments to Rule 17a-4 replaced the old WORM-only requirement with an audit-trail alternative, which is the provision that makes Google Vault viable for broker-dealers when configured correctly.

Cost Calculator Framework

A defensible budget has six line items, and each has a sensitivity range.

The first is destination licensing, at $7 to $30 per user per month depending on SKU; the second is migration tooling, at $0 for DMS up to $28 per user for BitTitan plus chat modules. The third is professional services, typically 15 to 30 percent of total tooling for mid-market and higher for enterprise. The fourth is parallel-run licensing, because you keep Microsoft 365 live for 30 to 365 days post-cutover, and that line item often surprises CFOs.

The fifth is training and change management, roughly $30 to $80 per user for structured programs through partners like Promevo or SADA. The sixth is archive and retention, because legal holds and audit trails live in Google Vault and possibly a Microsoft 365 Archive SKU in parallel. A plain-English rule is that total first-year cost for a 500-seat mid-market migration usually lands between $180,000 and $420,000 fully loaded, which many CFOs underestimate by half.

When Not to Migrate

Not every organization should move. If your users live in Excel with complex macros, if you are mid-merger, if you have fewer than 60 days until a SOX reporting deadline, or if you depend on Power Platform for line-of-business apps, the short-term cost of migration will exceed the long-term benefit.

A real example is a 300-seat accounting firm in Tampa that paused a planned move after discovering that 40 percent of its client-deliverable workflows ran on Excel Power Query and Power BI, with no clean Google equivalent. The plain-English test is to score your top 20 workflows for Microsoft-dependency before signing anything, because a “no” today can be a “yes” in 18 months when Gemini and Sheets catch up to specific features.

FAQs

Is Google Workspace HIPAA compliant?

Yes. Google supports HIPAA compliance when you execute its Business Associate Agreement and configure core services correctly, but the covered entity stays liable for safeguards under 45 CFR Part 164.

Can I migrate Microsoft Teams chat history to Google Chat?

No. Neither Google’s Data Migration Service nor Workspace Migrate moves Teams chat history natively; you need a third-party tool like BitTitan or CloudFuze, or export chats to an archive.

Do I have to cancel Microsoft 365 right after cutover?

No. You should keep Microsoft 365 active in a read-only or archive posture for the full retention window, which ranges from three to seven years under IRS Publication 583 and longer under HIPAA or SEC rules.

Will my Outlook rules, signatures, and categories migrate?

No. Outlook client-side rules, signatures, and categories do not transfer; users must recreate them in Gmail using filters, signatures, and labels respectively.

Is Google Workspace cheaper than Microsoft 365?

Yes. At the Business Standard tier, Google’s $14 per user is usually lower than comparable Microsoft 365 Business Standard when you add AI and archive add-ons, though enterprise pricing depends on negotiated discounts.

Can I keep my existing email addresses and domain?

Yes. You keep your domain and addresses by updating MX records and verifying domain ownership in the Google admin console before cutover.

Does Google Vault satisfy SEC Rule 17a-4?

Yes. Google Vault meets the audit-trail alternative added in the 2023 SEC amendments to Rule 17a-4, provided you enable required retention, legal hold, and review controls.

Can users run Microsoft Office alongside Google Workspace?

Yes. Office desktop apps work side by side with Google Workspace, and Google Drive for desktop lets users edit Office files stored in Drive without conversion.

How long does a typical migration take?

Yes, there is a typical range: 2–4 weeks for small businesses, 8–16 weeks for mid-market full-stack moves, and 4–9 months for regulated enterprise migrations including training and decommissioning.

Do I need a BAA before migrating healthcare data?

Yes. You must execute the Google Workspace BAA before any PHI lands in the tenant, because unauthorized PHI disclosure under 45 CFR 164.502 is actionable the moment data is transferred.

Will SharePoint permissions map perfectly to Shared Drives?

No. SharePoint’s item-level and granular permissions flatten during migration, so you must redesign folder hierarchies and group memberships to approximate the original access controls.

Can federal agencies use Google Workspace?

Yes. Google Workspace for Government holds FedRAMP High authorization and is the required SKU for federal-agency workloads and most regulated federal contractors.