Add Google as an identity provider

By setting up federation with Google, you can allow customers to sign in to your applications with their own Gmail accounts. After you add Google as one of your application's sign-in options, customers can choose Google on the sign-in page and sign in to Azure AD for customers with their Google account. (Learn more about authentication methods and identity providers for customers.)

Create a Google application

To enable sign-in for customers with a Google account, you need to create an application in Google Developers Console. For more information, see Setting up OAuth 2.0. If you don't already have a Google account, you can sign up at https://accounts.google.com/signup.

  1. Sign in to the Google Developers Console with your Google account credentials.
  2. Accept the terms of service if you're prompted to do so.
  3. In the upper-left corner of the page, select the project list, and then select New Project.
  4. Enter a Project Name, and then select Create.
  5. Make sure you're using the new project by selecting the project drop-down in the top-left of the screen. Select your project by name, then select Open.
  6. Under Quick access, or in the left menu, select APIs & services, and then select OAuth consent screen.
  7. For the User Type, select External and then select Create.
  8. On the OAuth consent screen, under App information:
    1. Enter a Name for your application.
    2. Select a User support email address.
  9. Under the Authorized domains section, select Add domain, and then add ciamlogin.com and microsoftonline.com.
  10. In the Developer contact information section, enter comma separated emails for Google to notify you about any changes to your project.
  11. Select Save and Continue.
  12. From the left menu, select Credentials.
  13. Select Create credentials, and then OAuth client ID.
  14. Under Application type, select Web application.
    1. Enter a suitable Name for your application, such as "Azure AD for customers."
    2. In Authorized redirect URIs, enter the following URIs exactly as listed, replacing <tenant-ID> with your customer tenant ID and <tenant-name> with your customer tenant name. Google rejects any sign-in whose redirect URI is not on this list, so a missing or mistyped entry surfaces later as a redirect_uri_mismatch error:
    • https://login.microsoftonline.com
    • https://login.microsoftonline.com/te/<tenant-ID>/oauth2/authresp
    • https://login.microsoftonline.com/te/<tenant-name>.onmicrosoft.com/oauth2/authresp
    • https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oidc/accounts.google.com
    • https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oidc/accounts.google.com
    • https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oauth2
    • https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2

    Note

    To find your customer tenant ID, go to the Microsoft Entra admin center. Under Azure Active Directory, select Overview. Then select the Overview tab and copy the Tenant ID.

  15. Select Create.
  16. Copy the values of Client ID and Client secret. You need both values to configure Google as an identity provider in your tenant. Treat the client secret as you would a password: it is the credential with which your tenant authenticates to Google when it redeems an authorization code, so anyone who obtains it can impersonate your application to Google. Store it in a secret store rather than in source control, chat, or a shared document, and generate a new secret in the Google console if it is ever exposed.

Note

In some cases, your app might require verification by Google (for example, if you update the application logo). For more information, see Google's verification status guide.

Configure Google federation in Azure AD for customers

After you create the Google application, you register its client ID and client secret in Azure AD so that your tenant can federate with Google. You can use the Microsoft Entra admin center or PowerShell to do so. To configure Google federation in the Microsoft Entra admin center, follow these steps:

  1. Sign in to the Microsoft Entra admin center as a Global Administrator of your customer tenant. (The External Identity Provider Administrator role is narrower and is also sufficient for managing identity providers.)

  2. Go to Azure Active Directory > External Identities > All identity providers.

  3. Select + Google.

  4. Enter a Name. For example, Google.

  5. For the Client ID, enter the Client ID of the Google application that you created earlier.

  6. For the Client secret, enter the Client Secret that you recorded.

  7. Select Save.

To configure Google federation by using PowerShell, follow these steps:

  1. Install the latest version of the Azure AD PowerShell for Graph module (AzureADPreview). Note that the AzureAD and AzureADPreview modules are deprecated and no longer receive updates; Microsoft Graph PowerShell is their supported replacement.

  2. Run the following command: Connect-AzureAD

  3. At the sign-in prompt, sign in with the managed Global Administrator account.

  4. Run the following command:

    New-AzureADMSIdentityProvider -Type Google -Name Google -ClientId <client ID> -ClientSecret <client secret>

    Use the client ID and client secret from the app you created in Create a Google application step.
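The following script is an added example and is not part of the original page or of Microsoft's own tooling. It ties together the two steps above: it generates the redirect URI list from the Create a Google application step so the values can be pasted into the Google console without transcription errors, and it performs the PowerShell configuration step through Microsoft Graph PowerShell (the supported replacement for the deprecated AzureADPreview module) against the Graph identityProviders endpoint. It assumes the Microsoft.Graph module is installed, that the signed-in account can manage identity providers in the customer tenant, and that the tenant ID, tenant name and Google client ID shown are placeholders you replace with your own. The function names Get-GoogleRedirectUri and New-GoogleIdentityProvider are this example's own.

```powershell
# Added example (not from the original page). Builds the redirect URI list for
# the Google OAuth client and registers Google as an identity provider through
# Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is installed
# and that the signed-in account may manage identity providers in the tenant.

function Get-GoogleRedirectUri {
    # Returns the exact redirect URIs Google must accept for this tenant. Any URI
    # missing from the Google client produces a redirect_uri_mismatch at sign-in.
    param(
        [Parameter(Mandatory)][string]$TenantId,    # GUID from the tenant Overview
        [Parameter(Mandatory)][string]$TenantName   # the part before .onmicrosoft.com
    )
    @(
        'https://login.microsoftonline.com'
        "https://login.microsoftonline.com/te/$TenantId/oauth2/authresp"
        "https://login.microsoftonline.com/te/$TenantName.onmicrosoft.com/oauth2/authresp"
        "https://$TenantId.ciamlogin.com/$TenantId/federation/oidc/accounts.google.com"
        "https://$TenantId.ciamlogin.com/$TenantName.onmicrosoft.com/federation/oidc/accounts.google.com"
        "https://$TenantId.ciamlogin.com/$TenantId/federation/oauth2"
        "https://$TenantId.ciamlogin.com/$TenantName.onmicrosoft.com/federation/oauth2"
    )
}

function New-GoogleIdentityProvider {
    # Creates the Google identity provider in the customer tenant and returns the
    # created object. The secret travels as a SecureString so it never appears in
    # shell history or in a script file as plain text.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$ClientSecret,
        [string]$DisplayName = 'Google'
    )

    # IdentityProvider.ReadWrite.All is the least-privileged Graph scope for this call.
    Connect-MgGraph -TenantId $TenantId -Scopes 'IdentityProvider.ReadWrite.All' -NoWelcome

    # Refuse to create a duplicate: a second Google provider only spreads the
    # secret around and makes it unclear which one a user flow is using.
    $existing = (Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/identity/identityProviders').value |
        Where-Object { $_.identityProviderType -eq 'Google' }
    if ($existing) {
        throw "A Google identity provider already exists (id $($existing.id)); update it instead of creating another."
    }

    $body = @{
        '@odata.type'        = '#microsoft.graph.socialIdentityProvider'
        displayName          = $DisplayName
        identityProviderType = 'Google'
        clientId             = $ClientId
        # Decrypt only at the point of use; no plaintext copy is kept in a variable.
        clientSecret         = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    }

    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/identityProviders' `
        -Body $body -ContentType 'application/json'
}

# Usage (placeholder values; replace with your tenant's).
$tenantId   = '00000000-0000-0000-0000-000000000000'
$tenantName = 'contoso'

Write-Host 'Paste these into Authorized redirect URIs in the Google Cloud console:'
Get-GoogleRedirectUri -TenantId $tenantId -TenantName $tenantName

# Prompt for the secret instead of passing it on the command line.
$secret = Read-Host -Prompt 'Google client secret' -AsSecureString
$idp = New-GoogleIdentityProvider -TenantId $tenantId `
    -ClientId 'your-client-id.apps.googleusercontent.com' -ClientSecret $secret
"Created identity provider '$($idp.displayName)' with id $($idp.id)."
```

Graph treats clientSecret as write-only, so reading the provider back does not reveal the secret; if you lose it, generate a new one in the Google console and update the provider rather than creating a second one.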

Add Google identity provider to a user flow

At this point, the Google identity provider has been set up in your Azure AD, but it's not yet available in any of the sign-in pages. To add the Google identity provider to a user flow:

  1. In your customer tenant, go to Azure Active Directory > External Identities > User flows.

  2. Select the user flow where you want to add the Google identity provider.

  3. Under Settings, select Identity providers.

  4. Under Other Identity Providers, select Google.

  5. Select Save.

Next steps