12/10/2023

Setup Google Federation for Azure AD - Login to Azure AD using Google Identities

Azure Active Directory (Azure AD) can federate with external identity providers, including Google, so that users sign in to Azure AD-connected applications with their Google credentials. In a federation, Azure AD trusts the identity provider (here, Google Workspace) to authenticate users and accepts the signed SAML responses it issues. This article describes the steps required to configure Google Workspace as an identity provider (IdP) for Azure AD: create the SAML app in Google Workspace, verify the domain in Azure AD, configure automatic user provisioning, and create the domain federation configuration with Microsoft Graph PowerShell.
Once configured, users will be able to sign in to Azure AD with their Google Workspace credentials.

Prerequisites

  • Access to a Global Administrator role account in an Azure AD tenant, with one or multiple custom DNS domains (that is, domains that aren't in the format *.onmicrosoft.com).
  • Access to Google Workspace with an account with super admin privileges.

Configure Google Workspace as an IdP for Azure AD

Sign in to the Google Workspace Admin Console with a super admin account.

  1. Go to Apps > Web and mobile apps.
  2. Click Add app and search for Microsoft.
  3. From the list, select the Microsoft Office 365 SAML application.
  4. Enable the Signed response option so that Google signs the whole SAML response rather than only the assertion.
  5. In the Attributes section, map Primary email to IDPEmail*. Azure AD uses this value as the user principal name (UPN), so the address must be in the domain you will federate.
  6. Turn on user access for everyone or for specific groups so that users can see the SAML app. It can take up to a few minutes before the app is visible to users.

Add the domain to be federated from Google Workspace to Azure AD.

  1. Go to admin.microsoft.com > Settings > Domains in the left panel.
  2. Click Add domain.
  3. Enter the domain you want to federate from Google Workspace to Azure AD. For example, to federate users with @contoso.com addresses in Google Workspace, specify contoso.com.
  4. If the domain is registered with GoDaddy or managed by Google Workspace, you will be asked to sign in to GoDaddy or Google Workspace to verify ownership of the domain.
    1. Azure AD might also ask you to add custom TXT records in your DNS settings.
    2. Selecting Exchange as a service for the domain is optional. It is recommended not to select it for a Google-managed domain, because adding the Exchange DNS records can cause problems for a domain whose mail is hosted by Google.
    3. Once the domain has been added, it appears in the list of domains.
    4. If the newly added domain is the default domain, set another domain as the default.
    5. Third-party federated domains should not be the default domain.
    6. Wait a few minutes for the domain information to propagate; this takes 3-10 minutes.

Configure auto provisioning in Google

  1. Go back to the Google Workspace SAML app created above and click Configure auto-provisioning.
  2. Authorize using the Google Workspace admin email.
  3. If the authorization returns an OAuth2 error, sign in to the Azure AD Global Administrator account from the prerequisites in the same browser session and retry. If it still fails, contact Microsoft support.
  4. In the attribute mapping step, configure the following:
    1. onPremisesImmutableId* should be set to Email > Value
    2. UserPrincipalName* should be set to Email > Value
    3. mailNickname* should be set to Additional Details > Alias name
  5. Specify the group(s) from which users should be provisioned. If you don't specify one, everyone who has access to the SAML application is provisioned.
  6. Select the deprovisioning settings:
    1. Select the option to hard-delete the user from Office 365 when the user is deleted from Google Workspace. This saves the effort of managing deletions in both directories. Note that a hard delete is not recoverable from the Azure AD deleted-users list, so the Google Workspace deletion workflow becomes the one that controls account lifecycle.
    2. The remaining options can be set to your preference.
    3. Turn on user provisioning.
    4. Provisioning starts after 15-20 minutes and is scheduled by Google Workspace.
    5. Updates to users take a similar amount of time to propagate.
  7. Download the SAML metadata (GoogleIDPMetadata.xml) and store it locally on your machine; the PowerShell commands below read it.
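Once provisioning has run, it is worth confirming that the users Google created actually look the way federated sign-in needs them to. The mapping above sets both onPremisesImmutableId and UserPrincipalName to the Google primary email, so they must be populated and agree, and the UPN must be in the federated domain. The following PowerShell is an added example, not code from the original article; it assumes the federated domain is contoso.com and that you have the Microsoft.Graph module installed.

```powershell
# Added example (not from the original article): audit users provisioned from
# Google Workspace for the attributes federated sign-in depends on.
# Assumption: the federated domain is contoso.com; replace with your own.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All"

$federatedDomain = "contoso.com"

# endsWith filters on userPrincipalName need the eventual-consistency header
# and a $count request, which -ConsistencyLevel and -CountVariable provide.
$users = Get-MgUser -Filter "endsWith(userPrincipalName,'@$federatedDomain')" `
    -ConsistencyLevel eventual -CountVariable userCount -All `
    -Property Id,UserPrincipalName,Mail,MailNickname,OnPremisesImmutableId,AccountEnabled

Write-Host "Found $userCount users in $federatedDomain"

$problems = foreach ($u in $users) {
    $why = @()
    if ([string]::IsNullOrEmpty($u.OnPremisesImmutableId)) {
        # Without an immutable ID Azure AD cannot match the SAML NameID to the user
        $why += "missing onPremisesImmutableId"
    }
    elseif ($u.OnPremisesImmutableId -ne $u.UserPrincipalName) {
        # The article maps both attributes to the Google email, so they should agree
        $why += "immutableId ($($u.OnPremisesImmutableId)) differs from UPN"
    }
    if ([string]::IsNullOrEmpty($u.MailNickname)) { $why += "missing mailNickname" }
    if (-not $u.AccountEnabled) { $why += "account disabled" }

    if ($why.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Issues            = ($why -join '; ')
        }
    }
}

if ($problems) {
    $problems | Format-Table -AutoSize
} else {
    Write-Host "All provisioned users in $federatedDomain are consistent."
}
```

Run this after the 15-20 minute provisioning delay described above; a user that shows up here with a missing or mismatched immutable ID will fail at the Azure AD side of the sign-in even though Google authenticates them successfully.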

To set up federated authentication in Azure AD, set the $domainId variable to the domain you verified above, place the GoogleIDPMetadata.xml file downloaded from the Google SAML app in the current directory, and run the following commands in PowerShell on a Windows device as an administrator:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph

# The custom domain verified in Azure AD above, for example "contoso.com"
$domainId = ""

# Parse the IdP metadata downloaded from the Google Workspace SAML app
$xml = [Xml](Get-Content GoogleIDPMetadata.xml)

# Base64 signing certificate with line breaks removed; Azure AD will only
# accept SAML responses signed by this certificate
$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
# Issuer (entityID) that must appear in the SAML responses Google sends
$issuerUri = $xml.EntityDescriptor.entityID
# HTTP-Redirect binding endpoint that Azure AD redirects users to for authentication
$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$signoutUri = "https://accounts.google.com/logout"
$displayName = "Google Workspace Identity"

# Fail early rather than creating a federation with empty values
if (-not $cert -or -not $issuerUri -or -not $signinUri) {
  throw "Could not read the signing certificate, entityID or sign-in URL from GoogleIDPMetadata.xml"
}

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

$domainAuthParams = @{
  DomainId = $domainId
  IssuerUri = $issuerUri
  DisplayName = $displayName
  ActiveSignInUri = $signinUri
  PassiveSignInUri = $signinUri
  SignOutUri = $signoutUri
  SigningCertificate = $cert
  PreferredAuthenticationProtocol = "saml"
  # Azure AD honours an MFA claim asserted by Google instead of prompting again,
  # so enforce 2-Step Verification in Google Workspace if your Conditional Access
  # policies rely on MFA for these users
  federatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"
}

New-MgDomainFederationConfiguration @domainAuthParams

To verify that the configuration was created correctly, run the following PowerShell command:
Get-MgDomainFederationConfiguration -DomainId $domainId | fl
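Beyond checking that the configuration exists, the property a practitioner should keep an eye on is the signing certificate: Azure AD trusts exactly the certificate stored in the federation configuration, so when Google rotates its IdP key, federated sign-in for the domain stops working until the configuration is updated. The following PowerShell is an added example, not code from the original article; it assumes $domainId is contoso.com and that a freshly downloaded GoogleIDPMetadata.xml is in the current directory.

```powershell
# Added example (not from the original article): audit the federation
# configuration for a domain and detect a Google signing-certificate rotation.
# Assumptions: the federated domain is contoso.com and a freshly downloaded
# GoogleIDPMetadata.xml is in the current directory.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domainId     = "contoso.com"
$metadataPath = ".\GoogleIDPMetadata.xml"

# 1. What Azure AD currently trusts for this domain
$fed = Get-MgDomainFederationConfiguration -DomainId $domainId
if (-not $fed) { throw "No federation configuration found for $domainId" }

$trusted = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($fed.SigningCertificate))

Write-Host "Issuer URI      : $($fed.IssuerUri)"
Write-Host "Passive sign-in : $($fed.PassiveSignInUri)"
Write-Host "MFA behaviour   : $($fed.FederatedIdpMfaBehavior)"
Write-Host "Trusted cert    : $($trusted.Subject) thumbprint $($trusted.Thumbprint) expires $($trusted.NotAfter)"

if ($trusted.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Trusted signing certificate expires within 30 days"
}

# 2. What Google currently publishes in its IdP metadata. Take the first
#    KeyDescriptor in case the metadata lists more than one during a rotation.
$xml = [Xml](Get-Content $metadataPath)
$keyDescriptor = @($xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor)[0]
$published = $keyDescriptor.KeyInfo.X509Data.X509Certificate -replace '\s', ''
$publishedCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($published))

if ($xml.EntityDescriptor.entityID -ne $fed.IssuerUri) {
    Write-Warning "Issuer mismatch: metadata says $($xml.EntityDescriptor.entityID), Azure AD trusts $($fed.IssuerUri)"
}

# 3. If Google has rotated its key, replace the trusted certificate in place
if ($publishedCert.Thumbprint -ne $trusted.Thumbprint) {
    Write-Warning "Metadata certificate $($publishedCert.Thumbprint) differs from trusted $($trusted.Thumbprint); updating"
    Update-MgDomainFederationConfiguration -DomainId $domainId `
        -InternalDomainFederationId $fed.Id `
        -SigningCertificate $published
} else {
    Write-Host "Trusted certificate matches the certificate in Google's metadata"
}
```

Only the certificate is updated here; the issuer and sign-in URLs are reported but left alone, because a change in either of those is something to investigate rather than apply automatically.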

Verify federated authentication between Google Workspace and Azure AD

You can test whether the setup works by going to https://portal.azure.com and authenticating with a Google Workspace email address. You will be redirected to the "tenant not allowed" page, which is expected. The next step will ensure that you have access to the Viva Goals application.
From a private browser session, navigate to https://portal.azure.com and sign in with a Google Workspace account:

  1. As the username, enter the email address as defined in Google Workspace.
  2. Azure AD recognizes the federated domain and redirects the user to Google Workspace to sign in.
  3. After Google Workspace authentication, the user is redirected back to Azure AD with a signed SAML response and is signed in.


Anh Luu and Nhan Pham
