Hello @Murilo Melo,
Thanks for reaching out.
If you created a custom attribute to add the Office 365 Immutable ID to your Google users' profiles (as per these steps), did you select the custom attribute as the Name ID, as shown below? The default Name ID configuration would be Basic Information > Primary email.
The user's ImmutableID value must match the custom attribute that you created and assigned to users in Google Workspace. You can use the PowerShell cmdlet below to get the ImmutableID assigned to the non-working user.
Get-MsolUser -UserPrincipalName ******@yourdomain.com | Select-Object ImmutableId, UserPrincipalName
If you see any discrepancy, use the following cmdlet to update the ImmutableID:
Set-MsolUser -UserPrincipalName ******@yourdomain.com -ImmutableId ******@yourdomain.com
If you wish to take a deep dive and see what NameID value is being sent in the SAML token from G Suite to Office 365, use the SAML-tracer troubleshooting plugin in Chrome/Firefox and capture a trace while reproducing the issue, so you can figure out the actual NameID value sent in the response, as shown below. This value must match in G Suite as well as in Office 365 for the given user scenario.
Here are some examples from my lab:
- Created a custom attribute in G Suite:
- Configured the custom attribute as the Name ID in G Suite:
- Added a unique value (example: ******@thewebapp.in) to the custom attribute for the user in G Suite and verified that the same value (******@thewebapp.in) was set on the respective user object in Office 365, so they match exactly.
- I was able to log in successfully.
- In case G Suite sends an incorrect NameID value which doesn't match any user object's Immutable ID, O365 gives the error below, the same as you got above:
To learn more, refer to: https://support.google.com/a/answer/6363817#ID&zippy=%2Cstep-configure-immutableid
Hope this helps.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
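The check described in the answer above, as an added PowerShell example that is not part of the original answer: decode the SAMLResponse value copied from SAML-tracer, pull the NameID out of the assertion, and compare it with the ImmutableId that Office 365 holds for the user, optionally correcting it. The SAML response embedded here is a constructed sample (the Google issuer ID, user and domain are placeholders); the live comparison assumes the MSOnline module is installed and Connect-MsolService has already been run.

```powershell
# Added example, not code from the original answer.
# Assumes: MSOnline module installed and Connect-MsolService already run for Compare-ImmutableId.

function Get-SamlNameId {
    <#
      Decode the SAMLResponse form value shown by SAML-tracer and return the
      Subject/NameID the IdP sent. The value is base64 and may still be URL-encoded.
    #>
    param([Parameter(Mandatory)][string]$SamlResponseBase64)

    $raw     = [System.Uri]::UnescapeDataString($SamlResponseBase64)
    $xmlText = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($raw))
    [xml]$doc = $xmlText

    # NameID lives in the SAML 2.0 assertion namespace; select it explicitly.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $node = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
    if (-not $node) { throw 'No Subject/NameID element found in the SAML response.' }

    [pscustomobject]@{
        NameId = $node.InnerText.Trim()
        Format = $node.GetAttribute('Format')
    }
}

function Compare-ImmutableId {
    <#
      Compare the NameID Google sends with the ImmutableId stored on the
      Office 365 user. Returns $true on an exact match. With -Fix, a mismatch
      is corrected with Set-MsolUser (cloud-only users; synced users get their
      ImmutableId from the on-premises sourceAnchor and must be fixed there).
    #>
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ExpectedNameId,
        [switch]$Fix
    )

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # -ceq: the values must match exactly, so a case-only difference is a mismatch.
    if ($user.ImmutableId -ceq $ExpectedNameId) {
        Write-Host "OK: ImmutableId matches the NameID for $UserPrincipalName"
        return $true
    }

    Write-Warning ("Mismatch for {0}: ImmutableId='{1}' NameID='{2}'" -f
        $UserPrincipalName, $user.ImmutableId, $ExpectedNameId)
    if ($Fix) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $ExpectedNameId
        Write-Host "Updated ImmutableId to '$ExpectedNameId'"
    }
    return $false
}

# Constructed sample response (placeholder issuer, user and domain), base64-encoded
# the way SAML-tracer shows it, so the decoding step can be tried offline.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
'@
$sampleB64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))

$sent = Get-SamlNameId -SamlResponseBase64 $sampleB64
"NameID sent by the IdP: $($sent.NameId) (format: $($sent.Format))"

# Live check against the tenant (uncomment after Connect-MsolService):
# Compare-ImmutableId -UserPrincipalName 'user@example.com' -ExpectedNameId $sent.NameId
# Compare-ImmutableId -UserPrincipalName 'user@example.com' -ExpectedNameId $sent.NameId -Fix
```

Paste the SAMLResponse field from the failing login's trace into Get-SamlNameId rather than guessing the value: the NameID in the assertion is what Office 365 actually looks up, and the custom attribute shown in the Google admin console is only correct if that is the value that reaches the response.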