Google Cloud / G Suite Connector by Microsoft Groups Provisioning

AZGroup 1 Reputation point
2022-03-15T02:42:43.267+00:00

Hi all,

We're making use of the Google Cloud / G Suite Connector by Microsoft to provision users from Microsoft Azure Active Directory to Google Workspace.

We followed this handy guide - https://cloud.google.com/architecture/identity/federating-gcp-with-azure-ad-configuring-provisioning-and-single-sign-on - and overall the setup went really well.

We are able to successfully provision users and groups - and it works really well.

To further enhance this, the next modification we wanted to achieve was --> If a user is part of the group 'Google Provision', then provision them in Google Workspace. If they are not a member, don't provision the user.

To achieve this, under the provisioning settings we switched it from 'sync all users and groups' to 'sync only assigned users and groups'.

(screenshot omitted)

Once done, headed to the users and groups section of that application where we added the provision group:

(screenshot omitted)

Upon testing, we added a user and put them into that group - they provisioned. We also created another user who isn't in that group - they didn't provision. Works really well.

The main issue that we're facing is that now that it's set to only provision assigned users and groups, this means that groups aren't provisioned in Google Workspace.

While it makes sense why this is happening, we're not sure how to have all groups provisioning as normal.

I attempted to create a scoping filter in the hope that this would override things / take priority. Under groups, I created a displayName is not null (e.g. not empty):

(screenshot omitted)

Is there a way to have all groups provision as normal while having user provisioning restricted to users in specific groups?

Initially, I was thinking of using a scoping filter to achieve the "user is member of the group", but turns out that isMemberOf is not currently supported yet - according to this link.

Let me know if there are any workarounds. Thanks for your help.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2022-03-15T05:03:34.05+00:00

    Scoping filters apply after the filtering from assignments with Sync Assigned Users/Groups.

    I think you can achieve your end goal by creating a group (ideally dynamic..) and having all groups that you wish to provision be a first-level member of that group, and then assign the parent (hopefully dynamic) group to the application. The groups that are directly a member of the assigned group will be considered assigned/entitled for provisioning, but their members will not be entitled to provisioning. Only users that are direct members (rather than nested members) of an assigned group would be provisioned.

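As an added example (not code from this thread, from Microsoft, or from the connector), here is a small Python model of the assignment scope described in the answer above: assigned groups and their direct member groups are in scope, only direct user members are entitled, and scoping filters run afterwards and can only narrow the result. The tenant data and the rule set are constructed assumptions taken from the answer, not from Microsoft documentation.

```python
# Added example: models "Sync only assigned users and groups" when a parent
# group containing the groups to provision is assigned to the enterprise app.
# Rules are assumptions drawn from the answer above; directory data is constructed.

def provisioning_scope(groups, assigned, scoping_filter=lambda obj: True):
    """Return (groups_in_scope, users_in_scope).

    groups:   {group name: set of direct members}; a member that is itself a
              key of `groups` is a nested group, anything else is a user.
    assigned: objects (users or groups) assigned to the enterprise app.
    Assumed rules:
      * an assigned object is in scope;
      * groups that are direct members of an assigned group are in scope;
      * users that are direct members of an assigned group are in scope;
      * users one level deeper (members of a member group) are NOT in scope.
    Scoping filters are applied after assignment filtering, so they can
    only remove objects, never add unassigned ones.
    """
    groups_in_scope, users_in_scope = set(), set()
    for obj in assigned:
        if obj in groups:
            groups_in_scope.add(obj)
            for member in groups[obj]:
                target = groups_in_scope if member in groups else users_in_scope
                target.add(member)
        else:
            users_in_scope.add(obj)
    return ({g for g in groups_in_scope if scoping_filter(g)},
            {u for u in users_in_scope if scoping_filter(u)})


# Constructed sample tenant (hypothetical names).
DIRECTORY = {
    "Google Provision": {"alice", "bob"},           # users allowed into Workspace
    "All Google Groups": {"Sales", "Engineering"},  # parent group from the answer
    "Sales": {"bob", "carol"},
    "Engineering": {"dave"},
}
ASSIGNED = {"Google Provision", "All Google Groups"}

def demo():
    """Assignment filtering only: all four groups, but only alice and bob."""
    return provisioning_scope(DIRECTORY, ASSIGNED)

def demo_with_filter():
    """Scoping filter after assignment: drop the parent container group itself."""
    return provisioning_scope(DIRECTORY, ASSIGNED,
                              scoping_filter=lambda o: o != "All Google Groups")

if __name__ == "__main__":
    g, u = demo()
    print("groups:", sorted(g), "users:", sorted(u))  # carol and dave are nested, so excluded
```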

  2. Siva-kumar-selvaraj 15,721 Reputation points
    2022-04-04T20:00:00.803+00:00

    In addition to what ZollnerD mentioned, I'd like to give more information on Dynamic groups in Azure Active Directory. I hope this was helpful.

    Create or update a dynamic group in Azure Active Directory: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule
    Dynamic membership rules for groups in Azure Active Directory: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

