
Entra: Login doesn't redirect to Google

Wilfred L. Cervantes 5 Reputation points
2025-09-30T18:32:53.14+00:00

Hello!

Our customer’s setup is as follows: they use Google Workspace (GW) as their Identity Provider with a primary domain (let’s call it primary.com) and a secondary domain (secondary.com). GW is integrated with their Microsoft 365 tenant via SAML. They have users with both @primary.com and @secondary.com accounts, and GW is also their productivity suite and email provider.

Our company developed an AI Agent for them that runs inside Teams. To enable this, we purchased Teams Enterprise licenses and assigned them to some users.

Here’s the behavior:

  • @primary.com users → When they sign in to Teams, they enter their email, get redirected to Google login, provide credentials, and successfully sign in.
  • @secondary.com users → After entering their email, they are not redirected to Google. Instead, they only see a “Choose a way to sign in” prompt with a back button. This happens across all Microsoft 365 sign-in attempts, not just Teams.

From my research, it appears the issue is due to the lack of a Federation Configuration for secondary.com. Since the old MSOLService module is deprecated, I attempted to configure federation using Microsoft Graph in PowerShell.

Here’s the problem:

  • When I try to create a new Federation Configuration for secondary.com, I get: “Resource already exists.”
  • When I try to retrieve the configuration, I get: “‘federationConfiguration’ does not exist.”
  • When I try to delete, the command fails because it requires the InternalDomainFederationId, which can only be retrieved from the configuration that I cannot access.

I’ve since learned that this phantom configuration likely needs to be removed on the backend by Microsoft Support. However, even though I’ve had a ticket open for over a week, they haven’t confirmed whether they can do this. Instead, they’ve just suggested PowerShell commands I’ve already tried.

I also tried deleting secondary.com from the tenant entirely. But I discovered that removing the domain does not remove the backend Federation Configuration. So, when I re-added the domain, the issue persisted.

At this point, I’m stuck. I may be missing something in my approach or using the wrong commands. Ultimately, I just need secondary.com users to be able to sign in to Microsoft 365 the same way as primary.com users.

Below are the commands I’ve used along with the errors I encountered.

New-MgDomainFederationConfiguration

Get-MgDomainFederationConfiguration

This is where they get stuck logging in:
[screenshot: error]

TIA!

Microsoft 365 and Office | Other
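Entra federation is configured per verified domain: each federated domain in the tenant carries its own internalDomainFederation record, even when every record points at the same identity provider, which matches the diagnosis in the post. The script below is an added example, not code from the original post or from Microsoft. It reads the record for one domain through both the typed Graph cmdlet and a raw Graph request (so that a "does not exist" / "already exists" contradiction is captured with the Graph error text and request id), flags the inconsistent state, and can remove the record and recreate it. The domain name is taken from the post; the Google SAML endpoint values, the certificate path and the display name are placeholders and must be replaced with the values from the Google Workspace SSO setup page.

```powershell
# Added example, not code from the original post. Inspects the Entra domain
# federation record for one verified domain through Microsoft Graph PowerShell,
# optionally removes it, and optionally recreates it pointing at Google Workspace.
# Placeholders (assumptions): the Google SAML endpoint values, the IdP certificate
# path and the display name. Module: Microsoft.Graph.Identity.DirectoryManagement.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Domain = 'secondary.com',          # domain name taken from the post
    [switch]$Remove,                            # delete the federation record if one is readable
    [switch]$Recreate,                          # create a fresh record after removal
    [string]$IdpCertPath = './google-idp.cer'   # placeholder: Google's SAML signing cert (DER or PEM)
)

Connect-MgGraph -Scopes 'Domain.ReadWrite.All' -NoWelcome

function Get-DomainFederationState {
    param([Parameter(Mandatory)][string]$DomainId)
    $d = Get-MgDomain -DomainId $DomainId -ErrorAction Stop
    $state = [ordered]@{
        Domain             = $d.Id
        IsVerified         = $d.IsVerified
        AuthenticationType = $d.AuthenticationType   # 'Managed' or 'Federated'
        Records            = @()
        CmdletError        = $null
        RawGraphError      = $null
    }
    # Typed cmdlet first.
    try {
        $state.Records = @(Get-MgDomainFederationConfiguration -DomainId $DomainId -ErrorAction Stop)
    } catch { $state.CmdletError = $_.Exception.Message }
    # Same resource through a raw Graph call: its error text carries the
    # request-id that Support needs to trace a record the cmdlet cannot read.
    try {
        $uri = "https://graph.microsoft.com/v1.0/domains/$DomainId/federationConfiguration"
        $raw = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        if (-not $state.Records -and $raw.value) { $state.Records = @($raw.value) }
    } catch { $state.RawGraphError = $_.Exception.Message }
    [pscustomobject]$state
}

$state = Get-DomainFederationState -DomainId $Domain
$state | Format-List

# Consistency check: a domain reported as Federated with no readable record
# is the phantom state described in the post; escalate it with the error text.
if ($state.AuthenticationType -eq 'Federated' -and $state.Records.Count -eq 0) {
    Write-Warning "$Domain is marked Federated but no federationConfiguration is readable; escalate with the Graph error text above."
}

if ($Remove) {
    foreach ($rec in $state.Records) {
        if ($PSCmdlet.ShouldProcess("$Domain / $($rec.Id)", 'Remove-MgDomainFederationConfiguration')) {
            Remove-MgDomainFederationConfiguration -DomainId $Domain -InternalDomainFederationId $rec.Id -Confirm:$false
        }
    }
}

if ($Recreate) {
    # The base64 IdP signing certificate is the trust anchor for every token
    # Entra will accept for this domain; take it from the Google SSO metadata only.
    $certB64 = [Convert]::ToBase64String(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($IdpCertPath).RawData)
    $fed = @{
        DomainId                        = $Domain
        DisplayName                     = 'Google Workspace'                                          # placeholder
        IssuerUri                       = 'https://accounts.google.com/o/saml2?idpid=PLACEHOLDER'     # placeholder
        PassiveSignInUri                = 'https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER' # placeholder
        SignOutUri                      = 'https://accounts.google.com/logout'                       # placeholder
        SigningCertificate              = $certB64
        PreferredAuthenticationProtocol = 'saml'
        # Do not let an IdP claim satisfy Entra MFA unless that is the design;
        # 'rejectMfaByFederatedIdp' forces Entra to run its own MFA.
        FederatedIdpMfaBehavior         = 'rejectMfaByFederatedIdp'
    }
    if ($PSCmdlet.ShouldProcess($Domain, 'New-MgDomainFederationConfiguration')) {
        New-MgDomainFederationConfiguration @fed | Format-List Id, IssuerUri, PassiveSignInUri
    }
}
```

Run it first with no switches to capture the domain state and both error messages for the support ticket; `-Remove -WhatIf` and `-Recreate -WhatIf` show what would change without touching the trust. Changing a domain's federation record alters how every user on that domain signs in, so the remove-and-recreate step belongs in a maintenance window with a break-glass cloud-only account available.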

1 answer

  1. JimmySalian-2011 45,236 Reputation points Volunteer Moderator
    2025-09-30T20:46:04.4633333+00:00

    Hi,

    I think your requirement is "I just need secondary.com users to be able to sign in to Microsoft 365 the same way as primary.com users." If that is correct, you will need to transform the SAML attributes in the Entra tenant to accept users sending auth requests from an @secondary.com address. Before that, did you try adding multiple domains in the GW Portal? - https://support.google.com/a/answer/7502379

    Also check this - https://support.google.com/a/answer/175747?hl=en#zippy=%2Cwhat-are-multiple-domains%2Ccan-we-use-multiple-domains-with-single-sign-on-sso

    This is a transformation tip if you want to use it for sending the primary domain for secondary domain users - https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

