Share via

Google Identity Sync

Google Identity Sync provides a one‑way synchronization of user and group identities from Google Workspace to Microsoft 365. It helps reduce the administrative effort of manually provisioning Microsoft Entra ID users and groups, and prepares identities for a smoother migration of other workloads such as Gmail, Google Drive, and other Google content.

To start with Google Identity Sync

  1. Sign in Microsoft 365 Admin Center, navigate to Setup > Migration and Imports

  2. Select Google Workspace to open the Google Workspace migration home page.

  3. Choose Sync users and groups to launch the Google Identity Sync experience

Set up the connection

On the Identity Sync page, select Connect to Google. Follow the guided setup to sign in to Google Workspace as an administrator, install the required migration app in Google Workspace, and then complete the authentication flow by signing in again.

Discover users and groups

After the connection is established, Google Identity Sync automatically scans Google Workspace and displays the total number of discovered users and groups in the Discover card.

You can select Re-discover at any time to refresh the inventory and reflect the latest changes in Google Workspace.

Configure domain mapping

Domain mapping allows you to map Google Workspace domains to Microsoft 365 domains. This step is required before you can proceed with user synchronization.

After discovery is complete, the number of detected domains is displayed on the Domain mapping card. Select Map domains to open the domain mapping page. Once you complete the mappings, select Finalize domain mapping to lock them in.

After domain mappings are finalized, they can't be edited.

Sync Google Workspace users

After domain mappings are finalized, select Sync users on the Sync Users card to start the synchronization process. The duration of the sync depends on the number of users being processed. Only Google Workspace users whose email addresses belong to the mapped domains are synchronized to Microsoft Entra ID. Each Google Workspace user is synced to an Entra user with the same email alias in the mapped domain.

User status is handled as follows:

  • Active Google Workspace users are created as enabled users in Entra ID.

  • Suspended Google Workspace users are created as disabled users in Entra ID.

  • Archived Google Workspace users are not included in the synchronization process.

If an Entra user with the same email alias already exists before synchronization, no new Entra user is created and the existing user isn't overwritten.

Google Workspace user attributes are mapped to Microsoft Entra user attributes according to the following mapping table:

Source Google Workspace user Destination Microsoft Entra ID user Notes
primaryEmail userPrincipalName Used as the primary identity
suspended accountEnabled true if suspended is false; otherwise set to false
name.fullName displayName
name.familyName surname
name.givenName givenName
phones[].value (where phones[].type = "work") telephoneNumber Only work phone numbers are mapped
organizations[0]['department'] department First organization entry only
organizations[0][‘title’] jobTitle First organization entry only

Note

For synchronized Microsoft Entra ID users with assigned administrative roles, telephoneNumber attribute is not updated during sync due to security restrictions.

User sync report

After the synchronization completes, you can download the user sync report by selecting Download report. The report provides detailed results for each processed Google Workspace user, including:

  • Google ID – Unique identifier of the Google Workspace user

  • Google Email – Primary email address of the Google Workspace user

  • M365 ID – Unique identifier of the corresponding Microsoft Entra ID user

  • M365 Email – Email address of the Microsoft Entra ID user

  • Sync Status – Result of the synchronization operation: Created, Updated, AlreadySynced, Skipped, or Failed

  • Message – Descriptive error or status message. This field is empty for Created, Updated, and AlreadySynced results.

User re-sync

If changes are made to users in Google Workspace after an initial synchronization, you can select Re-sync users to apply those updates to Microsoft Entra ID.

During a re-sync:

  • A new Google Workspace user is synced to a new Microsoft Entra ID user.

  • If a previously synced Google Workspace user previously updated attributes, those changes are applied to the corresponding Entra ID user.

  • If a previously synced Google Workspace user is suspended, the corresponding Entra ID user is set to Disabled.

  • If a previously synced Google Workspace user is deleted, the corresponding Entra ID user isn't modified.

Note

Once user synchronization is complete and verified, assign the required licenses to the synced users before starting the Gmail and Google Drive migration.

Sync Google Workspace groups

After the user synchronization process completes, select Sync groups in the Sync Groups card to start group synchronization. The sync duration depends on the number of Google Workspace groups being processed.

For each Google Workspace group:

  • If a corresponding Microsoft 365 group doesn't exist, a new Microsoft 365 group is created.

  • If a matching Microsoft 365 group already exists, no changes are made.

Only Google Workspace groups whose email addresses belong to the mapped domains are synchronized. Each source Google Workspace group is mapped to a Microsoft 365 unified group, using the default Microsoft 365 domain for the group email address.

Group mapping details

Source Google Workspace group

  • name

  • description

  • email = emailalias@domain

  • labels = Mailing and/or Security

Destination Microsoft 365 group

  • displayName = Google Workspace group name

  • description = Google Workspace group description

  • mail = emailalias@default-domain

  • mailEnabled = true

  • securityEnabled = false

  • groupTypes = Unified

  • visibility = Private

Members sync

The group synchronization process also synchronizes members of Google Workspace groups.

During member sync, only users that were successfully synchronized through Sync users are eligible to be added as members of the corresponding Microsoft 365 groups. Group membership synchronization doesn't create new users in Microsoft Entra ID.

Member synchronization behavior

  • If a destination owner or member doesn't exist in the Microsoft 365 group, the user is added with the appropriate role (Owner or Member).

  • If the destination owner or member already exists with the same role, no action is taken.

  • If the destination owner or member exists with a different role, the user’s role is updated to match the source group role.

  • External users and custom-permission members are not synchronized.

Role mapping

  • Google Workspace group members with the Owner or Manager role are mapped to the Owner role in the corresponding Microsoft 365 group.

  • Google Workspace group members with the Member role are mapped to the Member role in the Microsoft 365 group.

Sync report

After the synchronization process completes, you can download the sync report by selecting Download report.

The group sync report provides detailed results for each processed Google Workspace group and includes the following fields:

  • Google ID – Unique identifier of the Google Workspace group

  • Google Email – Email address of the Google Workspace group

  • M365 ID – Unique identifier of the corresponding Microsoft 365 group

  • M365 Email – Email address of the Microsoft 365 group

  • Sync Status – Result of the synchronization operation: Created, Updated, Skipped, or Failed

  • Message – Descriptive error message, if applicable

The member sync report provides synchronization details for group members and includes the following fields:

  • Google ID – Unique identifier of the Google Workspace user

  • Google Email – Email address of the Google Workspace user

  • Google Group Email – Email address of the Google Workspace group

  • M365 ID – Unique identifier of the corresponding Microsoft Entra ID user

  • M365 Email – Email address of the Microsoft Entra ID user

  • M365 Group Email – Email address of the Microsoft 365 group the user is synchronized to

  • Sync Status – Result of the synchronization operation: Created, Updated, Skipped, or Failed

  • Message – Descriptive error message, if applicable

Group re-sync

If there are updates to Google Workspace groups or group membership after the initial synchronization, select Re-sync groups to apply the changes to Microsoft 365.

Group behavior

  • A newly created Google Workspace group is synchronized as a new Microsoft 365 group.

  • If a previously synchronized Google Workspace group previously updated attributes, the corresponding Microsoft 365 group attributes are updated.

  • If a synchronized Google Workspace group is deleted in Google Workspace, the corresponding Microsoft 365 group isn't modified.

Member behavior

  • If a destination group owner or member doesn't exist, the corresponding Entra user is added with the appropriate role (Owner or Member).

  • If the destination owner or member already exists with the same role, no action is taken.

  • If the destination owner or member exists with a different role, the role is updated to match the source group.

  • If a synchronized Google Workspace group member is deleted, the corresponding Microsoft 365 group membership isn't updated.

  • Last updated on