Google Workspace federation in Entra ID
by info.odysseyx@gmail.com, September 13, 2024

Google Workspace federation lets you manage user identities in your Entra ID tenant while authenticating those users through Google. This is useful when your company wants a single identity source across multiple cloud platforms. This article assumes that your domain has already been added to Entra ID and verified.

Requirements

To use Google Workspace federation, the federated users must already exist in your Entra ID directory. They can be created in several ways, for example through automatic provisioning or with the Graph API. Keep the following in mind: Entra ID's built-in Google federation only works with personal gmail.com accounts. For work accounts managed in Google Workspace, you must configure SAML identity provider (IdP) federation instead, as described below.

Configuring SAML federation on the Google Workspace side

To configure SAML federation in Google Workspace, follow these steps:

1. Create a web application in the Google Admin console: go to https://admin.google.com/, open Apps -> Web and mobile apps, click Add App -> Search for apps, search for "Microsoft Office 365" and install it.
2. Download the metadata: after installing the app, open its App details page and download the metadata. Save the IdP metadata file (GoogleIDPMetadata.xml); it is used later to configure Microsoft Entra ID.
3. Enable automatic provisioning within the "Microsoft Office 365" app.
4. Configure the Service provider details. On the Service provider details page: select the Signed response option; check that Name ID format is set to persistent; under SAML attribute mapping, select Basic information and map Primary email to IDPEmail.
5. Activate the app for users in Google Workspace: go to Apps -> Web and mobile apps -> Microsoft Office 365 -> User access.
Choose ON for everyone and save your changes.

Add federation for the SAML provider in Entra ID

Use the IdP metadata XML file you downloaded from Google Workspace. Set the $domainId variable in the following script to your federated domain name, place GoogleIDPMetadata.xml in the working directory, and run the script in a PowerShell session.

```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph

# The federated domain, e.g. "example.com"; it must already be verified in the tenant.
$domainId = ""

# Read the values Entra ID needs from the Google IdP metadata.
$xml = [Xml](Get-Content GoogleIDPMetadata.xml -Raw)
# The base64 certificate may contain line breaks; strip all whitespace.
$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
$issuerUri = $xml.EntityDescriptor.entityID
# Use the HTTP-Redirect SSO endpoint as both the active and the passive sign-in URI.
$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
    Where-Object { $_.Binding.Contains('Redirect') } |
    ForEach-Object { $_.Location }
$signoutUri = "https://accounts.google.com/logout"
$displayName = "Google Workspace Identity"

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

$domainAuthParams = @{
    DomainId                        = $domainId
    IssuerUri                       = $issuerUri
    DisplayName                     = $displayName
    ActiveSignInUri                 = $signinUri
    PassiveSignInUri                = $signinUri
    SignOutUri                      = $signoutUri
    SigningCertificate              = $cert
    PreferredAuthenticationProtocol = "saml"
    # Entra ID accepts an MFA claim asserted by Google; otherwise it performs MFA itself.
    FederatedIdpMfaBehavior         = "acceptIfMfaDoneByFederatedIdp"
}
New-MgDomainFederationConfiguration @domainAuthParams
```

Note that with acceptIfMfaDoneByFederatedIdp, Entra ID trusts the MFA claim in Google's SAML response, so Google's 2-Step Verification settings become part of your tenant's MFA posture; if Entra ID should always perform MFA itself, use rejectMfaByFederatedIdp instead.

To verify that your configuration is correct, you can use the following PowerShell command:

```powershell
Get-MgDomainFederationConfiguration -DomainId $domainId | Format-List
```

Federation testing

To test the federation, go to https://portal.azure.com and sign in with your Google Workspace account, using the email address defined in Google Workspace as the username. The user is redirected to Google Workspace to log in. After authenticating to Google Workspace, the user is redirected back to Microsoft Entra ID and signed in.

Troubleshooting

If a user is created in Entra ID after the federation has been set up, the user may receive an AADSTS51004 error:
AADSTS51004: User account XXX is not in directory YYY. You must add the account to the directory to log in to this application.

This error is most likely caused by a wrong ImmutableId property: Entra ID matches the NameID in Google's SAML assertion against the user's ImmutableId. For Google Workspace federation, the ImmutableId must be set to the user's primary email address.

To update the ImmutableId, follow these steps:

1. Convert the federated user to a cloud-only user (change the UPN to a non-federated domain).
2. Update the ImmutableId.
3. Convert the user back to a federated user.

Here is a PowerShell example that updates the ImmutableId of a federated user:

```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph
Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All'

# 1. Convert the user from federated to cloud-only by moving the UPN to the onmicrosoft.com domain
Update-MgUser -UserId test@example.com -UserPrincipalName test@example.onmicrosoft.com

# 2. Convert the user back to federated, setting the ImmutableId to the primary email in the same call
Update-MgUser -UserId test@example.onmicrosoft.com -UserPrincipalName test@example.com -OnPremisesImmutableId 'test@example.com'
```

Conclusion

In summary, federation between Entra ID and Google Workspace enables seamless user identity management and authentication across multiple cloud platforms. If this helped you, please let me know in the comments!
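The verification command above only prints the stored federation settings. The following script, an added example that is not part of the original post, compares those settings with the downloaded GoogleIDPMetadata.xml so that a rotated Google signing certificate or a changed issuer or SSO URL is noticed before sign-ins start failing. It assumes Connect-MgGraph has already been run with at least the Domain.Read.All scope; "example.com" is a placeholder domain.

```powershell
# Added example, not from the original post: compare the federation settings
# stored in Entra ID with the GoogleIDPMetadata.xml file.
# Assumes Connect-MgGraph has already been run with at least Domain.Read.All;
# "example.com" is a placeholder domain.
function Test-GoogleFederationConfig {
    param(
        [Parameter(Mandatory)] [string] $DomainId,
        [string] $MetadataPath = '.\GoogleIDPMetadata.xml'
    )

    # Parse the metadata the same way the setup script does.
    $xml = [xml](Get-Content -Path $MetadataPath -Raw)
    $idp = $xml.EntityDescriptor.IDPSSODescriptor
    # Prefer the key marked use="signing"; a key without "use" is valid for both.
    $signingKey = $idp.KeyDescriptor |
        Where-Object { -not $_.use -or $_.use -eq 'signing' } |
        Select-Object -First 1
    $redirectSso = $idp.SingleSignOnService |
        Where-Object { $_.Binding -like '*HTTP-Redirect' } |
        Select-Object -First 1

    $expected = [ordered]@{
        IssuerUri               = $xml.EntityDescriptor.entityID
        PassiveSignInUri        = $redirectSso.Location
        SigningCertificate      = $signingKey.KeyInfo.X509Data.X509Certificate
        # Value the setup script configured; change it if you chose another behavior.
        FederatedIdpMfaBehavior = 'acceptIfMfaDoneByFederatedIdp'
    }

    $actual = Get-MgDomainFederationConfiguration -DomainId $DomainId
    if (-not $actual) { throw "No federation configuration found for $DomainId" }

    foreach ($name in $expected.Keys) {
        # Whitespace is irrelevant in base64 and URLs, so strip it before comparing.
        $want = ([string]$expected[$name]) -replace '\s', ''
        $have = ([string]$actual.$name) -replace '\s', ''
        [pscustomobject]@{
            Setting  = $name
            # -ceq: base64 is case-sensitive, so compare exactly.
            Matches  = ($have -ceq $want)
            # Show only a prefix of long values (the certificate) to keep the table readable.
            Tenant   = if ($have.Length -gt 40) { $have.Substring(0, 40) + '...' } else { $have }
            Expected = if ($want.Length -gt 40) { $want.Substring(0, 40) + '...' } else { $want }
        }
    }
}

Test-GoogleFederationConfig -DomainId 'example.com' | Format-Table -AutoSize
```

A row with Matches = False for SigningCertificate after Google rotates its key means the federation configuration must be updated with the new metadata before users can sign in again.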
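The troubleshooting procedure above fixes one user at a time. The following script, an added example that is not part of the original post, generalizes it: it reports every user in the federated domain whose ImmutableId does not match their UPN (the cause of AADSTS51004) and, only when -Repair is given, applies the same three-step fix to each of them. It assumes Connect-MgGraph has been run with User.ReadWrite.All, that each user's Google primary email equals their Entra UPN as in the post's example, and uses "example.com" and "example.onmicrosoft.com" as placeholder domains.

```powershell
# Added example, not from the original post: audit and optionally repair the
# OnPremisesImmutableId of all users in the federated domain.
# Assumes Connect-MgGraph has been run with User.ReadWrite.All and that each
# user's Google primary e-mail equals their UPN; domains below are placeholders.
function Repair-FederatedImmutableId {
    param(
        [Parameter(Mandatory)] [string] $FederatedDomain,   # e.g. example.com
        [Parameter(Mandatory)] [string] $FallbackDomain,    # e.g. example.onmicrosoft.com
        [switch] $Repair                                    # report only unless set
    )
    $suffix = '@' + $FederatedDomain
    $users = Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesSyncEnabled |
        Where-Object { $_.UserPrincipalName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) }

    foreach ($u in $users) {
        $upn = $u.UserPrincipalName
        # Google identifies the user by primary e-mail, which here equals the UPN.
        $ok = ($u.OnPremisesImmutableId -eq $upn)
        $action = 'none'
        if (-not $ok -and $u.OnPremisesSyncEnabled) {
            # Synced from on-premises AD: the sync engine owns the ImmutableId, leave it alone.
            $action = 'skipped (directory-synced user)'
        } elseif (-not $ok -and $Repair) {
            $tempUpn = $upn.Split('@')[0] + '@' + $FallbackDomain
            # 1. Federated -> cloud-only by moving the UPN off the federated domain.
            Update-MgUser -UserId $u.Id -UserPrincipalName $tempUpn
            # 2. Back to federated, setting the ImmutableId in the same call.
            Update-MgUser -UserId $u.Id -UserPrincipalName $upn -OnPremisesImmutableId $upn
            $action = 'repaired'
        } elseif (-not $ok) {
            $action = 'needs repair (re-run with -Repair)'
        }
        [pscustomobject]@{
            UserPrincipalName = $upn
            ImmutableId       = $u.OnPremisesImmutableId
            Matches           = $ok
            Action            = $action
        }
    }
}

# Report only; add -Repair to apply the fix to every mismatched cloud-only user.
Repair-FederatedImmutableId -FederatedDomain 'example.com' -FallbackDomain 'example.onmicrosoft.com' |
    Format-Table -AutoSize
```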