Add Google as an identity provider

By setting up federation with Google, you allow customers to sign in to your applications with their own Google accounts. After you add Google as one of your user flow's sign-in options, customers can sign up and sign in to your application with a Google account. (Learn more about authentication methods and identity providers for customers.)

Tip

Try it now

To try out this feature, go to the Woodgrove Groceries demo and start the “Sign-in with a social account” use case.

Prerequisites

Create a Google application

To enable sign-in for customers with a Google account, you need to create an application in Google Developers Console. For more information, see Setting up OAuth 2.0. If you don't already have a Google account, you can sign up at https://accounts.google.com/signup.

  1. Sign in to the Google Developers Console with your Google account credentials.

  2. Accept the terms of service if you're prompted to do so.

  3. In the upper-left corner of the page, select the project list, and then select New Project.

  4. Enter a Project Name, select Create.

  5. Make sure you're using the new project by selecting the project drop-down in the top-left of the screen. Select your project by name, then select Open.

  6. Under the Quick access, or in the left menu, select APIs & services and then OAuth consent screen.

  7. For the User Type, select External and then select Create.

  8. On the OAuth consent screen, under App information

    1. Enter a Name for your application.
    2. Select a User support email address.
  9. Under the Authorized domains section, select Add domain, and then add ciamlogin.com and microsoftonline.com.

  10. In the Developer contact information section, enter comma separated emails for Google to notify you about any changes to your project.

  11. Select Save and Continue.

  12. From the left menu, select Credentials

  13. Select Create credentials, and then OAuth client ID.

  14. Under Application type, select Web application.

    1. Enter a suitable Name for your application, such as "Microsoft Entra ID for customers."
    2. In Valid OAuth redirect URIs, enter the following URIs. Replace <tenant-ID> with your customer Directory (tenant) ID and <tenant-subdomain> with your customer Directory (tenant) subdomain. If you don't have your tenant name, learn how to read your tenant details.
    • https://login.microsoftonline.com
    • https://login.microsoftonline.com/te/<tenant-ID>/oauth2/authresp
    • https://login.microsoftonline.com/te/<tenant-subdomain>.onmicrosoft.com/oauth2/authresp
    • https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oidc/accounts.google.com
    • https://<tenant-ID>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oidc/accounts.google.com
    • https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oauth2
    • https://<tenant-ID>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2
  15. Select Create.

  16. Record the values of Client ID and Client secret. You need both values to configure Google as an identity provider in your tenant.

Note

In some cases, your app might require verification by Google (for example, if you update the application logo). For more information, check out the Google's verification status guid.

Configure Google federation in Microsoft Entra ID for customers

After you create the Google application, in this step you set the Google client ID and client secret in Microsoft Entra ID. You can use the Microsoft Entra admin center or PowerShell to do so. To configure Google federation in the Microsoft Entra admin center, follow these steps:

  1. Sign in to the Microsoft Entra admin center

  2. Browse to Identity > External Identities > All identity providers.

  3. Select + Google.

  4. Enter a Name. For example, Google.

  5. For the Client ID, enter the Client ID of the Google application that you created earlier.

  6. For the Client secret, enter the Client Secret that you recorded.

  7. Select Save.

To configure Google federation by using PowerShell, follow these steps:

  1. Install the latest version of the Azure AD PowerShell for Graph module (AzureADPreview).

  2. Run the following command: Connect-AzureAD

  3. At the sign-in prompt, sign in with the managed Global Administrator account.

  4. Run the following command:

    New-AzureADMSIdentityProvider -Type Google -Name Google -ClientId <client ID> -ClientSecret <client secret>

    Use the client ID and client secret from the app you created in Create a Google application step.

Add Google identity provider to a user flow

At this point, the Google identity provider has been set up in your Microsoft Entra ID, but it's not yet available in any of the sign-in pages. To add the Google identity provider to a user flow:

  1. In your customer tenant, browse to Identity > External Identities > User flows.

  2. Select the user flow where you want to add the Google identity provider.

  3. Under Settings, select Identity providers.

  4. Under Other Identity Providers, select Google.

  5. Select Save.

Next steps