TSA Google Workspace separation is the work of moving the Newco off the seller's shared Google tenant and into a Workspace primary domain the Newco owns. The platform feels lighter than the Microsoft stack but the carve-out has its own peculiarities. The TSA exit strategy needs to treat Workspace as a first class workstream rather than a quick afterthought. The buyer that frames it that way moves out cleanly. The buyer that assumes Google migrations are easy ends up extending the TSA to fix what should have been done at Day One.
A Google Workspace tenant is anchored to a primary domain. Every user account, every shared drive, every group, and every Workspace setting hangs off that anchor. The Newco inherits a subset of users in the seller's tenant. Their mailboxes, Drive content, Calendar history, Meet recordings, Chat history, Groups membership, and shared content all live under the seller's domain. Migration is not a checkbox. It is a structured move of each artefact type to the Newco's own primary domain.
The complication that surprises new buyers is the entanglement of shared content. A document in a seller's shared drive that the Newco depends on cannot simply be exported. Ownership has to be transferred or the document has to be copied with permissions reset. Multiplied across thousands of files, this is the single largest operational workload in Workspace separation.
An accurate inventory of users, shared drives, groups, and integrations is the first deliverable. Without it the cutover schedule is a guess. The pattern overlaps with the broader carve-out email and domain migration playbook.
When the Newco changes domain, every external sender who has the seller's address pattern in a contact list will continue to send to the old address for months. Internal automation, marketing platforms, customer portals, and partner systems all hold references that have to be updated. Few of them are entirely under the Newco's control. A poorly designed domain transition loses email continuity for the most senior people in the business.
The standard mitigation is a dual delivery period during which the seller's tenant forwards mail addressed to the carved-out users on to the Newco's tenant. The forward runs for six to twelve months. The buyer measures the residual traffic monthly and turns the forward off when volumes drop below an agreed threshold. The TSA needs to commit the seller to this support, including a service level for forward integrity and a clear cost basis.
Out of office replies, signature blocks, and customer facing form fields all need a coordinated update. A simple all employee instruction is rarely enough. A short formal change request through governance for every external system that needs an address update keeps the work organised.
Google Drive content moves through one of three patterns. The first is shared drives where ownership rests with the organisation rather than the individual user. Migration tooling can copy these wholesale into Newco shared drives. The second is My Drive content owned by individual users. Each user has to be migrated and the share permissions on each document have to be replayed in the new tenant. The third is shared content where ownership sits with users who do not transfer to the Newco. Those documents have to be reassigned before migration or they will be left behind.
Volumes vary by organisation. A mid-market Newco of fifteen hundred users commonly has between thirty and two hundred terabytes of Drive content. The migration tooling, whether Google's own Workspace migration product or a third-party tool, has to be sized for the volume and the timeline. Sequential migration of all users is not feasible. The cutover is organised by department or geography, with named owners on both sides for each wave.
Documents shared externally with customers and partners present their own challenge. The link the external party holds points to a file in the seller's tenant. After migration the link breaks. Communication and a controlled redirect strategy mitigate this. The pattern overlaps with the broader carve-out data warehouse separation playbook for the larger data sets.
Workspace is often the identity provider for the third-party applications the Newco uses through Sign in with Google. Each application has to be re-federated to the Newco tenant. The application owners need to coordinate the change with the application vendor. A surprising number of vendor support teams require a paid ticket to repoint the identity provider. The cutover plan has to account for this lead time.
Where the seller uses a third-party identity provider in front of Workspace, the cutover has an extra layer. The Newco may stand up its own identity provider and federate Workspace to it, or use Workspace native sign in. The choice is rarely operationally trivial. Larger Newcos generally federate to an external identity provider on Day One to preserve flexibility. Smaller Newcos often start with Workspace native sign in and federate later.
The pattern overlaps with the broader Okta identity separation playbook for federated environments. The choice has long term implications for cost, audit posture, and operational complexity.
During the TSA the seller invoices the Newco for the Newco's share of Workspace consumption. The methodology is typically a pass-through of Google's per user license cost with a modest administrative mark-up. Storage overages, Vault eDiscovery, and security add ons are billed separately. Buyers that do not validate the SKU mix on the invoice routinely pay for licenses or add ons that no longer match the Newco's footprint.
The Newco's own Workspace contract is procured through a Google reseller or direct. Lead times are short relative to other vendors, often a few weeks from contract to provisioned tenant. The choice of reseller affects support quality and pricing. The Newco should compare at least two resellers before signing. The procurement timeline has to land well before the cutover wave begins.
When migration completes the seller's invoice should drop to residual amounts for any bridge users and then zero. A buyer that continues to see a flat invoice has identified shadow billing. The pattern overlaps with the broader TSA shadow billing playbook.
A clean Workspace exit closes three records. The seller's tenant retains no Newco mail traffic, no Newco shared drive content, and no Newco user accounts. The Newco tenant holds the full record under its own primary domain. The forward of legacy mail is turned off on the agreed date and any retained mail under legal hold is documented and handed over per the data processing agreement.
The exit is documented in a cutover report signed by both parties. The report supports the broader TSA exit certificate and feeds into the Newco's audit trail. Any open items, such as a long tail of external links to migrated documents, are tracked under a short post-close services agreement with a hard end date.
Specialist support across the Workspace cutover is part of the TSA Exit Acceleration service when the milestone is at risk. The work coordinates with the buyer's IT lead, the seller's Workspace administrators, and any Google partner involved in the migration.
How buyers carve out mailboxes, Teams, and SharePoint from a Microsoft 365 tenant.
Read the article →How buyers carve out tenants, migrate identities, and exit Entra ID under a TSA.
Read the article →How buyers move mail and the primary domain at Newco Day One.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →Treat the email-domain and tenant split as a project, not a switch. Rushed cutovers lose mail, files and identity links you cannot get back.