
Google Workspace federation in Entra ID

by info.odysseyx@gmail.com



Google Workspace Federation lets you manage user identities in your Entra ID tenant and authenticate those users through Google. This can be useful if your company wants to use a single identity source across multiple cloud platforms.

This article describes the scenario where your domain has already been added to and verified in Entra ID.

Requirements

To use Google Workspace federation, the federated users must already exist in your Entra ID directory. They can be created in several ways, for example through automatic provisioning or the Graph API.

Keep in mind that Google's default federation only works with personal gmail.com accounts. To federate work accounts managed in Google Workspace, you must configure SAML IdP federation.

Configuring SAML federation on the Google Workspace side

To configure SAML federation in Google Workspace, follow these steps:

1. Create a web application in your Google admin console:

  • Go to https://admin.google.com/
  • Go to Apps -> Web and mobile apps
  • Click Add app -> Search for apps
  • Search for "Microsoft Office 365" and install it.


2. Download metadata:

  • After installing the app, go to App Details and download the metadata.
  • Save the IdP metadata file (GoogleIDPMetadata.xml) as it will be used later to set up your Microsoft Entra ID.


3. Enable automatic provisioning:

Enable automatic provisioning within the “Microsoft Office 365” app.


4. Configure Service Provider Details:

On the Service Provider Details page:

  • Select the Signed response option.
  • Check that Name ID Format is set to persistent.
  • Under SAML attribute mapping, select Basic information and map Primary email to IDPEmail.

5. Activate the app for users in Google Workspace:

  • Go to Apps -> Web and mobile apps -> Microsoft Office 365 -> User access.
  • Select ON for everyone and save your changes.

Add Federation for SAML Provider in Entra ID

Use the IdP metadata XML file you downloaded from Google Workspace in the following script. Set the $domainId variable to your federated domain name so that it matches your environment, then run the script in a PowerShell session.

# Allow locally created scripts to run, then install and load the Graph SDK.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph

# The verified custom domain to federate, e.g. "example.com".
$domainId = ""

# Read the IdP metadata downloaded from the Google Admin console.
$xml = [Xml](Get-Content GoogleIDPMetadata.xml)

# Google's SAML signing certificate, with the whitespace of the XML text removed.
$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
# The IdP entity ID and the HTTP-Redirect single sign-on endpoint.
$issuerUri = $xml.EntityDescriptor.entityID
$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | Where-Object { $_.Binding.Contains('Redirect') } | ForEach-Object { $_.Location }
$signoutUri = "https://accounts.google.com/logout"
$displayName = "Google Workspace Identity"

# Sign in with an account that is allowed to manage domain federation.
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

$domainAuthParams = @{
  DomainId = $domainId
  IssuerUri = $issuerUri
  DisplayName = $displayName
  ActiveSignInUri = $signinUri
  PassiveSignInUri = $signinUri
  SignOutUri = $signoutUri
  SigningCertificate = $cert
  PreferredAuthenticationProtocol = "saml"
  # Entra ID accepts an MFA claim asserted by Google; if Google did not
  # perform MFA, Entra ID performs it itself.
  FederatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"
}

New-MgDomainFederationConfiguration @domainAuthParams

To verify that your configuration is correct, you can use the following PowerShell command:

Get-MgDomainFederationConfiguration -DomainId $domainId | Format-List
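Reading the configuration back only shows what was stored; the check below, added here as an example and not part of the original article, compares the stored values with the GoogleIDPMetadata.xml file field by field and reports how long Google's signing certificate remains valid. It assumes the metadata file is in the current directory, that Connect-MgGraph has already been run with at least Domain.Read.All, and that the function name Test-GoogleFederationConfig is our own.

```powershell
# Added example: cross-check the Google IdP metadata against the federation
# settings Entra ID stored for the domain. Assumes GoogleIDPMetadata.xml is in
# the current directory and Connect-MgGraph has already been run.
function Test-GoogleFederationConfig {
    param(
        [Parameter(Mandatory)] [string] $DomainId,
        [string] $MetadataPath = 'GoogleIDPMetadata.xml'
    )

    $xml = [Xml](Get-Content -Path $MetadataPath -Raw)
    $idp = $xml.EntityDescriptor.IDPSSODescriptor
    $metaCert = -join $idp.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
    $metaRedirect = $idp.SingleSignOnService |
        Where-Object { $_.Binding -like '*HTTP-Redirect' } |
        ForEach-Object { $_.Location }

    # Decode the certificate so its validity window can be inspected.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($metaCert))
    $now = Get-Date

    # Read back what the tenant actually holds for this domain.
    $cfg = Get-MgDomainFederationConfiguration -DomainId $DomainId | Select-Object -First 1
    if (-not $cfg) { throw "No federation configuration found for $DomainId" }

    $checks = [ordered]@{
        'IssuerUri equals metadata entityID'             = ($cfg.IssuerUri -eq $xml.EntityDescriptor.entityID)
        'PassiveSignInUri is the HTTP-Redirect SSO URL'  = ($cfg.PassiveSignInUri -eq $metaRedirect)
        'SigningCertificate equals metadata certificate' = ($cfg.SigningCertificate -eq $metaCert)
        'PreferredAuthenticationProtocol is saml'        = ($cfg.PreferredAuthenticationProtocol -eq 'saml')
        'Google signing certificate is within validity'  = (($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter))
    }

    foreach ($name in $checks.Keys) {
        [PSCustomObject]@{
            Check  = $name
            Passed = [bool]$checks[$name]
        }
    }

    # An expiring IdP certificate is a common reason a working federation
    # suddenly stops; surface it even when every check above passes.
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    if ($daysLeft -lt 30) {
        Write-Warning ("Google signing certificate {0} expires in {1} day(s); re-download the metadata and update the federation configuration." -f $cert.Thumbprint, $daysLeft)
    }
}
Test-GoogleFederationConfig -DomainId 'example.com' | Format-Table -AutoSize
```

Any check reported as Passed = False means the value in Entra ID no longer matches what Google publishes, which is the first thing to rule out when sign-ins start failing.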

Testing the federation

To test the federation, go to https://portal.azure.com and sign in with your Google Workspace account.

Use the email address defined in Google Workspace as the username. The user is redirected to Google Workspace to log in.
After authenticating to Google Workspace, the user is redirected back to Microsoft Entra ID and signed in.

Troubleshooting

If you set up the federation after a user was already created in Entra ID, the user may receive an AADSTS51004 error.

AADSTS51004: User account XXX is not in directory YYY. You must add the account to the directory to log in to this application.

This error is most likely caused by an incorrect ImmutableId property on the user.

For Google Workspace federation, the ImmutableId should be set to the user's primary email address.

To update the ImmutableId, follow these steps:

  • Convert the federated user to a cloud-only user (change the UPN to a non-federated domain)
  • Update the ImmutableId
  • Convert the user back to a federated user

Here is a PowerShell example that updates the ImmutableId of a federated user.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph
Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All'

# 1. Convert the user from federated to cloud-only by moving the UPN to the
#    tenant's non-federated initial domain (example.onmicrosoft.com here).
Update-MgUser -UserId test@example.com -UserPrincipalName test@example.onmicrosoft.com

# 2. Convert the user back to federated, setting the ImmutableId to the
#    user's primary email address in Google Workspace at the same time.
Update-MgUser -UserId test@example.onmicrosoft.com -UserPrincipalName test@example.com -OnPremisesImmutableId 'test@example.com'
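Fixing one user at a time is fine for a test account, but after federating an existing domain you usually want to know which users are affected before anyone hits AADSTS51004. The function below is an added example, not part of the original article: it lists every user in the federated domain whose OnPremisesImmutableId is missing or differs from the UPN. It assumes the UPN is the user's primary email address in Google Workspace, that Connect-MgGraph has already been run with User.Read.All, and the function name Get-ImmutableIdMismatch is our own.

```powershell
# Added example: report users in a federated domain whose ImmutableId does not
# match their UPN (assumed here to equal the Google Workspace primary email).
# Assumes Connect-MgGraph has already been run with the User.Read.All scope.
function Get-ImmutableIdMismatch {
    param([Parameter(Mandatory)] [string] $DomainId)

    # endsWith() is an advanced query, so it needs ConsistencyLevel eventual
    # and $count=true (which -CountVariable adds to the request).
    $users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable total `
        -Filter "endsWith(userPrincipalName,'@$DomainId')" `
        -Property Id,UserPrincipalName,OnPremisesImmutableId

    foreach ($u in $users) {
        $current  = $u.OnPremisesImmutableId
        $expected = $u.UserPrincipalName

        # Case-only differences are reported separately so they can be
        # compared with the NameID value Google actually sends.
        $status = if ([string]::IsNullOrEmpty($current)) { 'Missing' }
                  elseif ($current -ne $expected)        { 'Mismatch' }
                  elseif ($current -cne $expected)       { 'CaseDiffers' }
                  else                                   { 'OK' }

        if ($status -ne 'OK') {
            [PSCustomObject]@{
                UserPrincipalName = $expected
                ImmutableId       = $current
                Status            = $status
            }
        }
    }
}

Get-ImmutableIdMismatch -DomainId 'example.com' | Format-Table -AutoSize
```

Each reported user can then be corrected with the two Update-MgUser steps shown above; the report itself changes nothing in the tenant.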

Conclusion

In summary, federation between Entra ID and Google Workspace enables seamless user identity management and authentication across multiple cloud platforms.

If this helped you, please let me know in the comments!
