Can't provision users anymore to Google Workspace through Entra

Jonathan Posey 0 Reputation points
2025-05-01T18:30:20.13+00:00

I've been able to provision users to Google successfully for a while using Entra. Right now, I can provision Zoom accounts just fine.

When I provision Google accounts right now manually, I get the 4 green checks to signal everything went well, the Google account was created and looks good, but in Gmail my user doesn't get redirected to Entra. It asks for a password for Google, which works if I use the Google password, and I can get into the Google account.

One strange thing is if I retry the provisioning I again get the 4 green checks in the log as if it succeeded again. In the past, if I retried a successful provisioning, I'd get three green and then skipped on the 'action' part of provisioning (redundant export), because there's nothing to do. This just started happening today.

Other users already provisioned still redirect to Entra when they go to Gmail. It's only new provisioning that's not working.

EDIT:

It's working now and I'm not sure why. It's like provisioning broke just for a while and only for Google.


1 answer

  1. Jyotishree Moharana 950 Reputation points Microsoft External Staff Moderator
    2025-05-06T10:59:39.9766667+00:00

    Hello @Jonathan Posey,

    Based on your description, the account creation completed with 4 green checks without any error, but when logging in the user was not redirected to Entra ID. Account login worked with the Google password, and re-provisioning didn't skip the action check, which should have been skipped as there was no change. The fact that the issue resolved on its own indicates a temporary glitch.

    The issue you experienced could have been caused by a few different factors.

    First, there might have been a delay or issue with Google's SSO enforcement or sync latency, as sometimes there can be a lag in the application of these settings for new users, causing them to default to using their local Google password instead of Entra SSO.

    Another possibility is that there was a temporary issue with the SCIM connector between Entra and Google, where provisioning succeeded in creating the account but didn’t properly enforce SSO settings or may have skipped the step, which is why when retrying the provisioning it didn't skip the action step.

    It could also have been a propagation or caching delay where Google’s systems didn’t immediately apply the necessary changes to enforce SSO for newly provisioned users for a small window.

    It's likely that the issue was resolved when the settings caught up on Google’s side or when Entra’s provisioning engine re-evaluated and corrected the configuration.

    To prevent similar issues, you could audit the affected users in the Google Admin Console to verify SSO enforcement settings, or compare the attributes of newly provisioned users (affected but now working) with older, working ones for any discrepancies.


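The retry symptom from the question (a second run whose action step reports success instead of being skipped as a redundant export) can be looked for across exported provisioning log records. This is an added example, not part of the original thread or of Microsoft's tooling; the record shape, the field names (`user`, `action_status`, `skip_reason`, `exported`) and the sample entries are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records. The field names are a simplified, assumed shape
# for exported provisioning-log entries, not the exact Entra schema.
SAMPLE_LOG = [
    {"time": "2025-05-01T17:02:11Z", "user": "old.user@example.com",
     "action_status": "success", "exported": {"givenName": "Old", "familyName": "User"}},
    {"time": "2025-05-01T17:40:03Z", "user": "old.user@example.com",
     "action_status": "skipped", "skip_reason": "RedundantExport", "exported": {}},
    {"time": "2025-05-01T18:05:47Z", "user": "new.user@example.com",
     "action_status": "success", "exported": {"givenName": "New", "familyName": "User"}},
    {"time": "2025-05-01T18:12:30Z", "user": "new.user@example.com",
     "action_status": "success", "exported": {"givenName": "New", "familyName": "User"}},
    {"time": "2025-05-01T18:20:00Z", "user": "changed.user@example.com",
     "action_status": "success", "exported": {"givenName": "Chan", "familyName": "User"}},
    {"time": "2025-05-01T18:25:00Z", "user": "changed.user@example.com",
     "action_status": "success", "exported": {"givenName": "Chan", "familyName": "Usher"}},
]


def find_repeated_exports(records):
    """Return (user, first_time, repeat_time) for each run whose action step
    succeeded while exporting exactly what the previous successful run exported,
    i.e. a run that would normally have been skipped as redundant."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    findings = []
    for user, runs in by_user.items():
        last_ok = None
        # Same-format UTC ISO 8601 timestamps sort correctly as strings.
        for run in sorted(runs, key=lambda r: r["time"]):
            if run["action_status"] != "success":
                continue  # only successful exports are compared with each other
            if last_ok is not None and run["exported"] == last_ok["exported"]:
                findings.append((user, last_ok["time"], run["time"]))
            last_ok = run
    return findings


if __name__ == "__main__":
    for user, first, repeat in find_repeated_exports(SAMPLE_LOG):
        print(f"{user}: identical export succeeded at {first} and again at {repeat}")
```

Users flagged this way are the ones worth comparing attribute by attribute against older, working accounts, as the answer suggests.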