Introduction
Hello! Have you ever thought about provisioning user accounts and groups from Microsoft Entra ID to Google Workspace or Cloud Identity? It’s easy, and I’ve discussed a similar approach in one of my articles, where I used Google Cloud Directory Sync and set up federation between Google Workspace and Active Directory.
Today, I’m going to demonstrate how to set up Federation between Google Workspace or Cloud Identity and Microsoft Entra ID. If you’re new here and missed my earlier article on Federating Google Workspace with Active Directory, just follow this link to catch up. I’d love to hear your thoughts on it!
Benefits
Federating Google Workspace with Entra ID unveils several key advantages; let’s examine them.
- By integrating Google Cloud with Entra ID, employees can use a single credential set. This allows them to access both Entra and Google Workspace applications.
- Organisations can automatically provision or synchronise users and groups from Entra ID to Google Identity or Google Workspace.
- One of the key benefits of this integration is the flexibility it offers. Organizations can manage Google Cloud application access directly through Entra ID. This gives them full control over their applications. It also enhances their operational efficiency.
- Security is a top priority, and the Entra Multifactor Authentication solution ensures this. It’s available with Google Cloud and provides a secure environment for your organisation’s data.
- It is not necessary to synchronize user account passwords between on-premise systems and Google Cloud in any way or form.
- Entra ID can provide identity services for Google Cloud applications, even if an organisation’s environment uses Hybrid AD.
- By utilising Entra ID as the identity provider, organisations can offer a seamless Single Sign-On experience. Active Directory serves as the authoritative source. Employees can access applications from on-premises, through Entra, and on Google Cloud.
Practical Example
Imagine MyForest1, a global logistics firm based in Seattle. It has integrated its Active Directory with an Entra ID tenant using Entra Connect Sync. Its entire user base uses Microsoft 365 services such as Teams, email, OneDrive, and SharePoint Online.
In line with business needs, access to Google Workspace services will be provided to the sales department members. This suite encompasses Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Meet, and Google Forms, among others.
Outlined below are the critical business requirements.
- Onboard a new domain, “sales.myforest1.com”, for the sales department members.
- Automatically provision or sync only sales department members to Google Workspace or Cloud Identity.
- Sales department members should use the Microsoft Entra Multifactor Authentication solution before accessing Google Workspace application.
- An email address serves as a Google Identity for accessing Google Workspace applications.
- Enable Entra ID Single Sign-On features for all of them.
Before we Begin
The Hybrid Entra ID environment has been configured to support this demonstration. Furthermore, a Google Workspace account has been set up, and the domains myforest1.com and sales.myforest1.com have been registered. The Gmail service has been activated for the domain sales.myforest1.com.
The below figure shows the current high-level architecture of the actual environment.

The figure below shows the desired high-level architecture.

Implementation Steps
Step 1: Onboarding a New Domain
Initially, we need to register the domain sales.myforest1.com with Microsoft 365. And then, sign in to the Google Admin Console using your Super Admin account and add the domain sales.myforest1.com.
Step 2: Create a User Account for Automatic Provisioning
Next, create a user account in Cloud Identity and assign it a Super Admin role. We will use this account for synchronisation or automatic provisioning. It is always beneficial to place this account in a separate organizational unit (OU). This will prevent the default SSO policy from affecting this service account. Subsequently, enable two-step verification to safeguard this account from credential theft and malicious usage. The details of the service account are as follows.
- Service Account Name : entraid-provisioning@myforest1.com
- Organisational Unit Name : MyforestOne-Automation (Single Sign-On disabled for this OU)
- Assigned Role : Super Admin


Create a custom role with administrative API privileges and include the service account as a member.
Step 3: Deploy Google Cloud app for User Provisioning
It’s time to deploy the Google Cloud Application for provisioning user accounts and groups from Entra ID to Google Workspace.
Ensure that the configuration settings match the values outlined below (the same settings are shown in the video).
- Name of the App: Sync Entra ID to Google Cloud
- Manage->Properties
- Enabled for users to sign-in : No
- User assignment required : No
- Visible to users : No
- Manage->Provisioning->Get Started
- Change the provisioning mode from Manual to Automatic
- Click Admin Credentials -> Authorize->Sign-in with SuperAdmin Account->Accept the Google Terms of Service and privacy policy-> I understand->Allow->Click Test Connection->Save
Step 4: Map User and Group by email address
We have deployed the Google app for user provisioning. The next step is to map users by their email addresses; each address must be unique within the Microsoft Entra ID tenant.
To configure user mapping by email address, navigate to Provisioning->Mappings->Provision Microsoft Entra ID Users->Attribute Mapping and edit the following rows.
- userPrincipalName->Edit->set Source Attribute to mail.
- surname->Edit->set Default value if null to _ (underscore).
- givenName->Edit->set Default value if null to _ (underscore).
- Click OK->Save

We’ll utilise email addresses for group mapping, so please retain the default settings. However, if preferred, you can opt to map using the DisplayName.
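Before turning provisioning on, it is worth checking the attribute mapping above against real user data: an empty or duplicate mail attribute fails provisioning, and a null givenName or surname would fail without the underscore default. The Python script below is an added example (not part of the original article) that applies the Step 4 mapping to a constructed set of Entra ID user objects, restricts them to the Sales scope, and reports the users that would fail; the user records and the department-based scope are assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample of Entra ID user objects (not real tenant data); only the
# attributes touched by the Step 4 mapping and the Step 5 scope are included.
ENTRA_USERS = [
    {"userPrincipalName": "alice@myforest1.com", "mail": "alice@sales.myforest1.com",
     "givenName": "Alice", "surname": "Green", "department": "Sales"},
    {"userPrincipalName": "bob@myforest1.com", "mail": "bob@sales.myforest1.com",
     "givenName": "Bob", "surname": None, "department": "Sales"},
    {"userPrincipalName": "svc-mailbox@myforest1.com", "mail": None,
     "givenName": None, "surname": None, "department": "Sales"},
    {"userPrincipalName": "carol@myforest1.com", "mail": "Alice@sales.myforest1.com",
     "givenName": "Carol", "surname": "White", "department": "Sales"},
    {"userPrincipalName": "dave@myforest1.com", "mail": "dave@myforest1.com",
     "givenName": "Dave", "surname": "Black", "department": "Finance"},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def map_user(user, null_default="_"):
    """Apply the Step 4 mapping: the Google username comes from mail, and
    givenName/surname fall back to null_default when the source is empty."""
    return {
        "userName": (user.get("mail") or "").strip().lower(),
        "givenName": user.get("givenName") or null_default,
        "familyName": user.get("surname") or null_default,
    }

def preflight(users, in_scope_department="Sales"):
    """Return (mapped, findings). findings lists (userPrincipalName, reason)
    for every in-scope user that would fail or collide during provisioning."""
    mapped, findings = [], []
    for u in users:
        if u.get("department") != in_scope_department:
            continue  # outside the assigned scope (Step 5.1): not provisioned
        m = map_user(u)
        if not m["userName"]:
            findings.append((u["userPrincipalName"], "mail attribute is empty"))
        elif not EMAIL_RE.match(m["userName"]):
            findings.append((u["userPrincipalName"], "mail is not a valid address"))
        else:
            mapped.append((u["userPrincipalName"], m))
    # Google usernames are case-insensitive, so duplicates are found after lower-casing
    counts = Counter(m["userName"] for _, m in mapped)
    for upn, m in mapped:
        if counts[m["userName"]] > 1:
            findings.append((upn, f"mail {m['userName']} is not unique in the tenant"))
    return [m for _, m in mapped], findings
```

Feed it the output of a Microsoft Graph user query for the Sales group and resolve every finding before Step 5.2, since the "Prevent accidental deletion" threshold protects against mass deletions but not against a user that never gets created.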

Step 5: Configure Microsoft Entra ID to automatically provision users to Cloud Identity or Google Workspace
Activating automatic user provisioning synchronises Entra ID user accounts with Google Cloud. New users in Entra ID are automatically added to Google Cloud. This process consists of three steps.
Step 5.1 : Define the Scope for User Synchronisation
Navigate to Manage->Users and groups->Add User/Group->Select the group created for Sales department members, “Sales-MyforestOne”->Click Assign.

Step 5.2 : Activate Automatic Provisioning
Go to Manage->Provisioning->Settings
- Enable “Send an email notification when a failure occurs“.
- Enable “Prevent accidental deletion” and set the value 200, to help avoid accidental deletions. This measure guarantees that users are not disabled or deleted unexpectedly. Any action that exceeds the set threshold will necessitate explicit authorization from an admin before the deletions can proceed.
- Under Scope->Sync only assigned users and groups.
- Set the Provisioning Status : On->Click Save

Step 5.3 : Verify the synchronisation
After saving the configuration, the application will start the initial synchronisation process. Subsequently, it will perform periodic synchronisations every 40 minutes to update from Entra ID to Google Cloud. You can keep track of the synchronisation status by referring to the figure below.

I’ve made a brief video for you to review the synchronisation logs.
Step 6: Configure Single Sign-On
Users in Microsoft Entra ID are now provisioned to Cloud Identity or Google Workspace automatically. However, they cannot sign in with those accounts yet. To allow them to sign in, you still need to set up single sign-on. This section involves several tasks.
Step 6.1: Deploy the Google Cloud application for Single Sign-On in Microsoft Entra ID
Deploy the Google Cloud application again. This time, I will name it as “Google Cloud -SSO.” I will enable the settings as shown below.
- Manage -> Properties
- Set Enabled for users to sign-in to Yes
- Set User assignment required to Yes ->Click Save.
Step 6.2: Allow users to Sign-In in Microsoft Entra ID
You can limit which users can sign in to Google Cloud by assigning the enterprise application to specific users or groups. As per our requirement, only Sales department members should be allowed.
To do that, first navigate to Manage->Users and groups. Then go to Add User/Group. Select the group name created for Sales department members, “Sales-MyforestOne” to sign in. Finally, click Assign.
Step 6.3: Configure SAML Settings in Microsoft Entra ID
To enable Cloud Identity for use with Microsoft Entra ID authentication, follow these steps.
- Manage-> Single sign-on->SAML box->Basic SAML Configuration->Edit->enter the following settings.
- Identifier (Entity ID) : google.com
- Reply URL (Assertion Consumer Service URL) : https://www.google.com/
- Sign on URL : https://www.google.com/a/myforest1.com/ServiceLogin?continue=https://console.cloud.google.com/ – Here I have used myforest1.com because this is configured as the PRIMARY DOMAIN name in my Cloud Identity or Google Workspace account. You can replace myforest1.com with your primary domain.
- Click Save and X button.
- On the SAML Signing Certificate box ->Certificate (Base64)->Download the certificate.
- On the “Set up Sync Entra ID to Google Cloud” box, record the “Login URL”.
Step 6.4: Map users by email address for Single Sign-On
On the Attributes & Claims box ->Edit->Unique User Identifier (Name ID)->Change Source attribute to user.mail ->Save->Delete all claims listed under Additional claims.
Step 6.5: Enable Single Sign-On in Cloud Identity or Google Workspace
After setting up Microsoft Entra ID for single sign-on, the next step is to enable single sign-on in your Cloud Identity or Google Workspace account. Once enabled, users can access all their applications and services with one set of login credentials, so they no longer need to remember multiple usernames and passwords.
To complete the configuration, follow the steps provided below.
- Log in to the Google Admin Console with a Super Admin user->Show More->Security->Authentication->SSO with third-party IdP->Set
- Setup SSO with third party identity provider : Enabled
- Sign-in page URL : https://login.microsoftonline.com/a16ebdfd-1eeb-4f85-a3ec-30607c2dd1bc/saml2
- Sign-out page URL : https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
- Change password URL:https://account.activedirectory.windowsazure.com/changepassword.aspx
- Verification certificate->Upload Certificate->Upload the token signing certificate that was downloaded from the SAML Certificates Box.
- Click Save
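The values entered in Steps 6.3 to 6.5 must agree with what Entra ID actually puts in its SAML response, otherwise Google rejects the sign-in with little detail. The Python script below is an added example (not from the original article) that parses a constructed, unsigned SAML response and checks its Destination, Audience, validity window and NameID against the article's settings; the sample response, the timestamps and the allowed Workspace domains are assumptions, and the XML signature is deliberately left to a proper SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REPLY_URL = "https://www.google.com/"   # Reply URL (ACS URL) from Step 6.3
ENTITY_ID = "google.com"                # Identifier (Entity ID) from Step 6.3
WORKSPACE_DOMAINS = {"myforest1.com", "sales.myforest1.com"}  # assumed Workspace domains

# Constructed, unsigned sample response holding only the elements this check reads.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" Destination="https://www.google.com/">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@sales.myforest1.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
   <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def parse_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, now, domains=WORKSPACE_DOMAINS):
    """Return a list of problems (empty means the response matches Steps 6.3-6.5).
    The XML signature is NOT verified here; verify it against the uploaded
    Entra ID certificate with a SAML library before trusting any assertion."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != REPLY_URL:
        problems.append("Destination does not match the Reply URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != ENTITY_ID:
        problems.append("Audience does not match the Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now
                            < parse_time(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID is not an email address (check the user.mail claim)")
    elif name_id.text.strip().rsplit("@", 1)[-1].lower() not in domains:
        problems.append("NameID domain is not a Workspace domain")
    return problems
```

A real response can be captured from the browser's SAML tracer during the Step 6.6 test and passed to check_response in place of the sample.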

Step 6.6: Testing single sign-on
Once the single sign-on configuration is complete in both Microsoft Entra ID and Cloud Identity or Google Workspace, verify that it works by running the test below.
- Select a test user account from the Sales Department Group. Ensure it is provisioned to Cloud Identity or Google Workspace. Confirm it is registered with Entra MFA.
- Open a new browser window and go to https://mail.google.com/
- Enter the user’s email address on the Google Sign-In page and click Next.
- You will be redirected to the Entra ID login page.
- Enter the user’s email address on the Entra ID login page and password.
- You may be prompted to register security information or enroll in Multi-Factor Authentication (MFA).
- Once completed, Click Yes or No based on your preference on the next page.
- Accept the Google Terms and Conditions
- Now you are redirected to the Gmail mailbox
- At the upper left, click the avatar icon and click Sign out. You will then be redirected to an Entra ID page confirming that you’ve been successfully signed out.
Conclusion
We successfully set up Cloud Identity or Google Workspace with Microsoft Entra ID—how awesome is that?! We even tackled the practical example section.
With Entra ID and Google Cloud integration, you can access both platforms using a single set of credentials, making application management seamless.
Configuring user and group provisioning was an exciting challenge. Setting up single sign-on helped me explore Entra Cloud Sync and Google Cloud Directory Sync, and I also created a relying party trust in ADFS.
Having experience with Entra Connect Sync makes this process smoother, and knowledge of ADFS further simplifies configuration. It’s a great way to optimize workflows and enhance efficiency.
Thank you for reading! I hope this article was helpful. Feel free to reach out with any questions or comments.

Hi Muthu,
thank you for this awesome guide, this is exactly what I need. Your attention to detail is perfect!
Can you tell me what happens in the provisioning process if there are already accounts in Google Workspace? Will they be just skipped (given they have matching mail addresses)?
Will the SSO process also just “capture” them? So let’s say they already have a Google account they’re actively using and now we switch on SSO for Google with their Entra user. Will SSO via Entra then just work?
Regards
Andi
Hello, Andi,
I appreciate your feedback.
It won’t be skipped, but both Google and Entra ID accounts will JOIN or MERGE in this situation.
There won’t be any extra accounts created in Google Identity, but the Email address, First Name, and Last Name must match exactly on both platforms.
Yes, SSO will turn on automatically for those users because we set up SSO with a third-party identity provider.
However, ensure that those are NOT in different SSO profiles.
After switching, Entra ID will be the SSO source for all users.
Regards
Muthu