AAD - Google Cloud User Provisioning by UPN AND Alternate (alias) email

Question

We are planning to use the Google Cloud/G Suite Connector by Microsoft to provision Azure AD users into a new Google Cloud Instance.

For consistency reasons, we plan to map users by UPN so that they can seamlessly log into Google Cloud using their same Azure UPN.

However, their Azure AD UPN is non-routable, so can't be used as a day-to-day business email. So we also plan to provision each user with an alias email, which will be used for sending any needed Google Cloud notifications and emails.

Planned configuration:
Azure AD
UPN: ******@nonroutabledomain.com
Email: employee@keyman .com

Google Cloud
Primary Email (ID): ******@nonroutabledomain.com
Alternate Email (Alias): employee@keyman .com
Google Cloud will be configured with both nonroutabledomain.com and domain.com as verified primary and secondary domains.

By looking at the documentation and tutorials about the Google Cloud/G Suite Connector by Microsoft, it's not clear if it's possible to map the AAD Email field directly into the Google Cloud Alternate Email (Alias).

Do you know if this is supported by the app, or what would be the other possible options to achieve that?

Thanks!

Answer 1

We've got a tutorial document that includes a list of attributes in the integration: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/g-suite-provisioning-tutorial

I see primaryEmails and also two other attributes, emails.[type eq "home"].address and emails.[type eq "other"].address - I'm not intimately familiar with how each of those is consumed by Google and what the target on the API equates to in their UI/UX, but I'd suggest testing and seeing if those three attributes represent the different locations that you would need to populate data into.