Integration between Azure and Google - SSO and User Provisioning from Google to Azure

Question

Hello,

Scenario:
We have G Suite as an identity provider in our company. Some of users also use Azure and Office 365. We want to be able to login by using Google account to Azure Ad and later have this account in AD and assign roles and groups in AD and whole Azure. We want to change passwords in Google etc.

1) How to setup SSO from Google to Azure?

2) Is that possible to user provisioning from Google to Azure?

Answer 1

You need to integrate Google Cloud (G Suite) Connector with Azure Active Directory.

To do this, you need:

• An Azure AD subscription.
• Google Cloud (G Suite) Connector single sign-on (SSO) enabled subscription.
• A Google Apps subscription or Google Cloud Platform subscription.

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

You can provision users from Azure to Google but not the other way around.

https://cloud.google.com/solutions/federating-gcp-with-azure-ad-configuring-provisioning-and-single-sign-on

Answer 2

Hello,

Thanks for your response.

Mentioned by you tutorial describes the integration process in another way. From Azure to Google. As below:

• Control in Azure AD who has access to Google Cloud (G Suite) Connector.
• Enable your users to be automatically signed-in to Google Cloud (G Suite) Connector with their Azure AD accounts.
• Manage your accounts in one central location - the Azure portal.

I'm looking for a solution in another way - from Google (this is an identity provider) to Azure. Can you help with this?

Answer 3

As you would like to use G Suite as IDP you need to follow this article. This article talks about how you configure Office 365 for SAML IDP.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp

This should help you get this integration working.

Thanks,

Jeevan Desarda

Answer 4

Although Microsoft obviously wants you to do SSO from Azure to Google, the fact is that Azure AD is a flat-file mess while Google supports organizational units in their directory to separate users into distinct categories.

I am much happier managing users from the Google side so that I can utilize organizational units to manage user accounts.

Microsoft Active Directory supported organizational units for the last 30 years, but Microsoft dropped support for them when they started this new cloud based platform about a decade ago.

School District user account management:

OU: 0-Admin Accounts
OU: 1-Special Purpose Accounts
OU: Board of Education
OU: Community Learning Center
OU: Staff-Aides
OU: Staff-Coaches
OU: Staff-Custodians
OU: Staff-Foodservice
OU: Staff-Guidance
OU: Staff-Nurse
OU: Staff-Office Administration
OU: Staff-Psychologist
OU: Staff-Retired
OU: Staff-Speech Language
OU: Staff-Substitutes
OU: Staff-Teachers Elementary
OU: Staff-Teachers Middle School
OU: Staff-Teachers High School
OU: Staff-Teachers SPED-EL
OU: Staff-Teachers SPED-MS
OU: Staff-Teachers SPED-HS
OU: Students-2023-12
OU: Students-2024-11
OU: Students-2025-10
OU: Students-2026-09
OU: Students-2027-08
OU: Students-2028-07
OU: Students-2029-06
OU: Students-2030-05
OU: Students-2031-04
OU: Students-2032-03
OU: Students-2033-02
OU: Students-2034-01
OU: Students-2035-K
OU: Students-2036-PK

No way do I want to have to primarily manage school district user accounts in Microsoft's flat file mess, sorted exclusively alphabetically by Common Name.

(Oh and Azure AD can't handle loading the entire user list all at once, lol. Click "Load More" a hundred times. Horrible web user interface.)

What were you thinking Microsoft, removing the ability to use Organizational Units in Azure AD / Office 365 ???