GSuite-as-identity-Provider-IdP-for-Office-365-or-Azure-Active-Directory icon indicating copy to clipboard operation
GSuite-as-identity-Provider-IdP-for-Office-365-or-Azure-Active-Directory copied to clipboard

Published 20 hours ago verified publisher icon IAmFrench

Metadata

Finally manage to sync GSuite account with azure active directory!!!

GSuite-as-identity-Provider-IdP-for-Office-365-or-Azure-Active-Directory

Sync G Suite accounts with Azure active directory!

Google Admin requirements

Set up SAML app (choose Microsoft Office 365)

GSuite Admin SAML Apps Link

GSuite SAML Apps

Note:

ACS URL: https://login.microsoftonline.com/login.srf

Entity ID: urn:federation:MicrosoftOnline

GSuite Office 365 Settings

Configure Provisioning

Ensure that you are using an administrator Azure Active Directory account that is not already linked to your existing Google account.

GSuite Office 365 Provisioning settings Link

GSuite Office 365 settings

Azure Active Directory requirements (this is a pain in the a**)

Validate your domain on Azure: https://portal.azure.com/?l=en.en-us#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Domains

And DON'T set this domain as Primary:

Download the GoogleIDPMetadata-{your-domain}.xml file:

GoogleIDPMetadata-{your-domain}.xml sample file

Then install all required tools (powershell tools)

Required PowerShell tools https://www.microsoft.com/en-us/download/details.aspx?id=41950

And start a powershell console: Install-Module MSOnline Enter your MS credentials.

Import-Module MSOnline
$Msolcred = Get-credential
Connect-MsolService -Credential $MsolCred

Now edit my sample dfs-pf-samlp.xml file with your Google Ids:

  • GOOGLESAMLID and
  • copy paste your certificate (from GoogleIDPMetadata-{your-domain}.xml file)

Then import the config into powershell:

$wsfed = Import-Clixml dfs-pf-samlp.xml

And Set the domain as federated:

Set-MsolDomainAuthentication -DomainName "{your-domain}" -FederationBrandName $wsfed.FederationBrandName -Authentication Federated -PassiveLogOnUri $wsfed.PassiveLogOnUri -ActiveLogOnUri $wsfed.ActiveLogonUri -SigningCertificate $wsfed.SigningCertificate -IssuerUri $wsfed.IssuerUri -LogOffUri $wsfed.LogOffUri -PreferredAuthenticationProtocol "SAMLP"

And use this command to export your domain settings:

Get-MsolDomainFederationSettings -DomainName "{your-domain}" | Export-Clixml dfs-pf-samlp.xml

The command to view the config is:

Get-MsolDomainFederationSettings -DomainName "{your-domain}" | Format-List *

Next you have to assign a license to all your users and to set azure self service password reset to off:

https://portal.azure.com/?l=en.en-us#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/PasswordReset

Test the link with incognito mode or invite mode:

  1. From Office 365: https://www.office.com/
  2. From App launcher (Google App)

Google App launcher

Troubleshooting

  1. Delete the user from the Azure side.
  2. Wait a few hours for G Suite Auto Provisioning to work.

Metadata

36
Stars
12
Forks
Watchers

Owner

verified publisher icon IAmFrench

Metadata

Finally manage to sync GSuite account with azure active directory!!!

Back