This video was so useful, thanks.
Glad it was helpful!
Thank you for this clear video. I used it to configure SSO from M365 and it works for logging in. For logging out of Gmail, it generates an error: "AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding." When looking at the login and logout URLs that have to be copied to the settings in the Google admin console, they're both equal according to the URLs that I have to copy from the Azure portal. So both login and logout URLs are equal. In your video, they differ.
Great guide! What would happen if your G Suite is already fleshed out with user accounts and groups? (Almost identical to Azure.) Are they reprovisioned, or are existing accounts just guided to Office 365 for sign-in?
Short answer is yes, you can have existing accounts in Google Workspace (GWS) and Azure and link them together. The full answer gets into some of the details of the way Azure knows that an account in Google is the same user in Azure (mapping users between Azure AD & GWS). Here are a couple of links from Google's documentation that explain this.
cloud.google.com/architecture/identity/federating-gcp-with-azure-active-directory#mapping_users
cloud.google.com/architecture/identity/federating-gcp-with-azure-ad-configuring-provisioning-and-single-sign-on
Great tutorial
What's not clear to me is... how are the emails managed if both accounts have a mailbox? Unified?
Sorry about not replying earlier. Emails are a completely different issue and beyond the scope of this video. The short answer is that email delivery is configured via the MX record. Whichever system you configure this way will receive all emails for the domain. If you enable the relevant mail app (either by enabling or licensing for users), your users will be able to open and use that particular app, even if no emails are delivered to it. I won't go into this anymore here as it is a whole different topic.
Hi. We use multiple domains in our Azure tenant. Can we set up SSO using different domains for different groups of Azure users as long as they use the same domain in Google, or do we have to nominate a single domain for all users across Azure and Google?
same question here....
I am trying to set up SAML attributes in Azure, but it didn't work.
Thank you for a great tutorial.
I like how you use a dedicated admin account, *Azure Provisioning*, and am wondering if that user has to also exist in Azure AD after you flip its role back from *Super Admin* to the custom *Azure AD Provisioning* role? I implemented SSO, like explained in the first part of the tutorial, and I understand how the authentication step into G Suite will work during configuration (because of the temporary *Super Admin* role authenticating locally), but after I flip it to the custom role, won't it try to use SSO & authenticate back to Azure AD with every sync?
You're welcome - glad it's been helpful for you!
When you go through the authorisation process for Azure to connect, it configures OAuth rather than a password login. This means SSO is never used after that point when Azure provisions users in G Suite. That's why you don't need the same account in AAD or for it to be a Superadmin in G Suite after the initial authorisation.
I don't mean to be so off-topic, but does someone know a method to get back into an Instagram account??
I was stupid and lost my account password. I would appreciate any assistance you can offer me.
@Arturo Alfredo instablaster :)
@Brett Reuben I really appreciate your reply. I found the site through Google and I'm trying it out now.
I see it takes quite some time so I will reply here later when my account password hopefully is recovered.
@Brett Reuben it worked and I actually got access to my account again. I'm so happy!
Thank you so much, you saved my ass!
Hi, thank you for the video. My super admin account is also getting redirected for SSO, but ideally, super admins should bypass SSO. I cross checked and the user is a super admin in my cloud identity. Any idea why is this happening?
When Superadmin users log in, they log in directly to Google (bypassing SSO). See this page for the exact details. support.google.com/a/answer/6341409
If you are seeing other behaviour, I would recommend that you contact Google's support from within the admin console as I don't have access to your system to help troubleshoot it.
Great video tutorial. How can we achieve setting up SSO if there is already a large number of users in an active G Suite account? We would like to transition to SSO but do not want to affect their current G Suite data. We are running both platforms with 2 separate domain accounts.
You definitely can do that. Just so long as the email address is the same on both systems, it will be able to match both accounts up (keeping any data in the accounts!) when you do the initial sync.
@@Utb Thanks for your prompt reply and information. The email addresses are not entirely the same because we are using 2 different domain extensions. For example, our Office 365 emails are .org and our Google emails are .info. In our on-premise AD we fill out the "Office" field for each user account with their Google .info email address. This is the field I configured Google Password Sync to look at, so password changes in AD or Office 365 sync to their Google accounts. Can I somehow use that field to provision the users and keep all data intact for them? Thanks again for any information given and have a great weekend!
@@MysteryUnboxing did you solve this? I think if you adjust the SAML claims then you can identify the Google mail claim to be the AD.Office attribute? We're in the same situation as you: we have an existing Google domain that we want to migrate to Azure SSO. All our AD users have an AD.userprincipalname (e.g. domain.org) and a Google mail (domain.info), and this username@domain.info is stored in the AD.Office attribute. I don't want to create the users twice in AD (one with a .org and another with a .info).
@@craigdebbo686 This is a project I'm planning to do sometime in the summer. Just trying to get as much info as possible before making the change. But yeah, we have pretty much the same exact setup. Good luck to you, and if you happen to make this change first, please let us know how it went. I will do the same. Take care.
@@johnkrussaniotakis7886 Did you resolve this in the meantime? I am searching for options for the same scenario.
Hi, where can I get the Sign-In Page URL information while doing the SSO setup? Please help.
Hi Atul. You need to use the "Login URL" from Azure (you can see it at 2:30 in the video).
Hey, I want to set up my G Suite users to sign in to the Office 365 / Microsoft Teams website using their G Suite credentials. Is it possible? Do I need to have Azure AD?
What you're talking about doing is the reverse, where O365 uses G Suite as the IdP (Identity Provider) - in this tutorial Azure Active Directory is used as the IdP. Microsoft are developing a solution for the education sector that will use G Suite as the IdP. It's called "Simpler Sign-on" and Microsoft's announcement can be seen at bit.ly/3d80Y7G however it's not fully released yet. Some schools have been working with Microsoft testing Simpler Sign-on, but until it's fully released the best option is the solution in this video.
I have a problem with email delivery from O365 user to O365 user. Email is delivered internally to the Outlook inbox, not to G Suite (the MX is for G Suite). For example, MS Teams email invitations are not delivered to the Gmail inbox, only to Outlook on the web. Any idea? Thanks.
Hi Peter - you can set up a connector in O365 that will deliver these internal emails to G Suite. Microsoft's documentation can be found at bit.ly/3dcKkUo
Thanks for such a neat explanation. Following this, I have configured SSO successfully. One more doubt for me: the user will try to log in to a web application, then it needs to redirect to G Suite and then to the Azure IdP, then successfully redirect back to my web application. Is this possible?
Are you saying you want your web application to use G Suite as the IDP? Any reason not to have it use AAD as the IDP?
Thank you for your response. I want to use Azure AD as the IdP, with G Suite as an intermediate service provider between the user web application portal and Azure AD. In this case, how can I implement the service requests to G Suite from the user's portal, and how do I get the reply responses back to the user's portal?
@@charulathasuryakumar5569 I've never tried to do it so I can't confirm what will happen, so I suggest you try and see if it works or not. In theory I think it should work but since there are so many variables I can't say more than that!
Thanks for your reply. If you have links to the theory, please send them; I will give it a try.
@@charulathasuryakumar5569 I'm afraid there are way too many ways it could work depending on the end-to-end system - TH-cam comments aren't really a great way to do the analysis and design for this problem. 😀
Our website (I’ve added it to the description for this video) has a contact form if you do need consulting support.
Hi, my Azure AD has no users.
When doing the configuration process in G Suite, users are automatically created in Azure AD. Should I not proceed? Thank you very much.
G Suite/Workspace users must have an Azure AD account to log in if you follow the setup in this video, since they must log in using their Azure AD account. If you don't have any users in Azure AD and configure SSO as described in this video, none of your users will be able to log in (Superadmin accounts don't use SSO to log in, or else they could get locked out).
Before following the instructions in this video you will need to create accounts in Azure AD for all your G Suite users. These should have the same email address as their account in G Suite. They will use this account to access G Suite, hence why these accounts are required.
@@Utb Thank you very much for your feedback. Do you know a way to bring these accounts to Azure AD? That has no impact on the password.
@@andreluizmv You will need to manually create them in AAD/365. If you want to do this in bulk, you can export all your users from the Workspace admin console and then bulk upload them in 365. Until you link the systems as per this video, both of them are independent, so this will have no impact on the password until you have completed all the steps.
The instructions to download users from Workspace are at support.google.com/a/answer/7348070 and Microsoft's instructions for bulk creation of accounts are at docs.microsoft.com/en-us/microsoft-365/enterprise/add-several-users-at-the-same-time
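The two situations above (matching existing Google users to Azure AD accounts, including the case where the two systems use different domains and the Google address lives in the on-prem AD "Office" field, and bulk-creating the accounts that are still missing) can be checked before touching either tenant. The script below is an added example, not code from the video or from Google or Microsoft. The Workspace export header names and the Microsoft 365 bulk-add header row are written from memory of the two templates and should be compared against a real export and the downloaded template before use; the user lists are constructed sample data.

```python
import csv
import io

# Constructed sample of a Google Workspace "Download users" export. The column
# names follow the admin console's CSV template as I remember it (assumption):
# verify against a real export before relying on them.
WORKSPACE_EXPORT = """\
First Name [Required],Last Name [Required],Email Address [Required],Org Unit Path [Required]
Ada,Lovelace,ada@example.info,/
Alan,Turing,alan@example.info,/Staff
Grace,Hopper,grace@example.info,/Staff
"""

# Constructed sample of existing Azure AD accounts. "upn" is the sign-in name;
# "office" stands in for the on-prem AD "Office" field (physicalDeliveryOfficeName)
# that the thread uses to hold the Google address when the domains differ.
AAD_USERS = [
    {"upn": "ada@example.org", "office": "ada@example.info"},   # mapped via Office field
    {"upn": "grace@example.info", "office": ""},                # same address on both sides
]

# Header row of Microsoft's bulk-add CSV template for Microsoft 365 (assumption:
# written from memory of the template; compare with the file from the admin center).
M365_BULK_HEADER = [
    "User Name", "First Name", "Last Name", "Display Name", "Job Title", "Department",
    "Office Number", "Office Phone", "Mobile Phone", "Fax", "Address", "City",
    "State or Province", "ZIP or Postal Code", "Country or Region",
]


def parse_workspace_export(text):
    """Reduce the Workspace export to the fields needed for matching and bulk creation."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "first": row["First Name [Required]"].strip(),
            "last": row["Last Name [Required]"].strip(),
            "email": row["Email Address [Required]"].strip().lower(),
        })
    return users


def match_users(workspace_users, aad_users):
    """Pair each Workspace user with an Azure AD account.

    Match on the primary email first (the case the video relies on), then on the
    alternate attribute (the different-domain case). Returns
    (matched: {google_email: (upn, how)}, unmatched: [workspace user dicts]).
    """
    by_upn = {u["upn"].lower(): u["upn"] for u in aad_users}
    by_office = {u["office"].lower(): u["upn"] for u in aad_users if u["office"]}
    matched, unmatched = {}, []
    for wu in workspace_users:
        if wu["email"] in by_upn:
            matched[wu["email"]] = (by_upn[wu["email"]], "primary email")
        elif wu["email"] in by_office:
            matched[wu["email"]] = (by_office[wu["email"]], "office attribute")
        else:
            unmatched.append(wu)
    return matched, unmatched


def m365_bulk_csv(users):
    """Emit the bulk-add CSV for accounts that still need creating, using the Google
    address as the user name so both systems end up with the same sign-in address."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(M365_BULK_HEADER)
    for u in users:
        row = [u["email"], u["first"], u["last"], f'{u["first"]} {u["last"]}']
        writer.writerow(row + [""] * (len(M365_BULK_HEADER) - len(row)))
    return out.getvalue()


if __name__ == "__main__":
    ws = parse_workspace_export(WORKSPACE_EXPORT)
    matched, unmatched = match_users(ws, AAD_USERS)
    for email, (upn, how) in matched.items():
        print(f"{email} -> {upn} ({how})")
    print("accounts to create in Microsoft 365:")
    print(m365_bulk_csv(unmatched))
```

Run it as-is to see Ada matched through the Office field, Grace matched on her identical address, and Alan listed as the one account that still has to be created before SSO is switched on; the unmatched list is the set of people who would be locked out if SSO were enabled first.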
Is there a way for the username/email address to be forwarded to the MS/Azure login page so the user doesn't have to enter it twice?
Unfortunately it's not possible to do this. There is an option in the SAML protocol to pass the email address (this is the "subject" in SAML) from the service provider (G Suite) to the IdP (Azure Active Directory) however it is rarely used and Azure Active Directory does not support it. In fact AAD will give an error if it is included in the request - see bit.ly/2M5IfOd
@@Utb Thanks for the info!
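Two SAML details come up in this thread: the AADSTS750054 error on logout (the IdP's redirect-binding endpoint was hit without a SAMLRequest or SAMLResponse in the query string, which is what happens when the "logout URL" is just the bare login URL) and the note above that Azure AD rejects an AuthnRequest that carries a Subject. The script below is an added example, not code from the video or from Microsoft or Google: it encodes a message the way the SAML HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode) and decodes a redirect URL to report what it actually carries. The tenant ID is a placeholder and the issuer, NameID and ID values are constructed for the example.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholder for the Azure AD "Login URL"; a real one carries the tenant ID in the path.
IDP_SAML_URL = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"

# Constructed sample messages (issuer, NameID and ID values are made up for this example).
LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-logout-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>google.com/a/example.org</saml:Issuer>
  <saml:NameID>user@example.org</saml:NameID>
</samlp:LogoutRequest>"""

AUTHN_REQUEST_WITH_SUBJECT = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-authn-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>google.com/a/example.org</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""


def redirect_binding_url(endpoint, xml_message, param="SAMLRequest"):
    """Encode a SAML message the way the HTTP-Redirect binding does:
    raw DEFLATE (no zlib header), base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = comp.compress(xml_message.encode("utf-8")) + comp.flush()
    query = urllib.parse.urlencode({param: base64.b64encode(deflated).decode("ascii")})
    return f"{endpoint}?{query}"


def inspect_redirect_url(url):
    """Report what a redirect-binding URL actually carries.

    has_saml_param: SAMLRequest or SAMLResponse present in the query string
                    (absent on a bare IdP URL, which is the AADSTS750054 situation)
    message_type:   AuthnRequest / LogoutRequest / Response / ... or None
    has_subject:    the message carries a <saml:Subject>
    """
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    result = {"has_saml_param": False, "message_type": None, "has_subject": False}
    for param in ("SAMLRequest", "SAMLResponse"):
        if param not in query:
            continue
        result["has_saml_param"] = True
        xml_bytes = zlib.decompress(base64.b64decode(query[param][0]), -15)
        root = ET.fromstring(xml_bytes)
        result["message_type"] = root.tag.split("}", 1)[1]
        result["has_subject"] = root.find(f"{{{SAML}}}Subject") is not None
        break
    return result


def findings(url):
    """Plain-language checks for the two problems discussed in the thread."""
    info = inspect_redirect_url(url)
    notes = []
    if not info["has_saml_param"]:
        notes.append("no SAMLRequest/SAMLResponse in the query string: the IdP rejects this "
                     "(the condition the AADSTS750054 message describes)")
    if info["message_type"] == "AuthnRequest" and info["has_subject"]:
        notes.append("AuthnRequest carries a <saml:Subject>: Azure AD does not support this")
    return notes


if __name__ == "__main__":
    for label, url in [
        ("bare IdP URL", IDP_SAML_URL),
        ("LogoutRequest", redirect_binding_url(IDP_SAML_URL, LOGOUT_REQUEST)),
        ("AuthnRequest+Subject", redirect_binding_url(IDP_SAML_URL, AUTHN_REQUEST_WITH_SUBJECT)),
    ]:
        print(label, inspect_redirect_url(url), findings(url))
```

To use it on a real problem, paste the URL the browser was sent to (from the address bar or the browser's network log) into `inspect_redirect_url`; a bare endpoint with no SAML parameter means the service provider never built a LogoutRequest for that URL, which is worth checking before comparing login and logout URLs in the admin console.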
The G Suite option is not coming up in search; when I searched "G Suite" it showed me Google Cloud Platform.
Yes, you may see it called "Google Cloud / G Suite Connector by Microsoft" now but this is the same application.
Do we need to sign up to both G Suite & Office 365?
Yes.
As @@charulathasuryakumar5569 has said, you do need to sign up for both G Suite and O365. You will also need admin rights in both of them to be able to make these changes.
Will this allow Azure AD users to log into chrome books?
Hi Ryan, thanks for your question! Yes, AAD users will be able to log into Chromebooks as long as their accounts are synced to G Suite (you must have a Google account to log in to a Chromebook). If some accounts are not provisioned in G Suite then they won't be able to log in on a Chromebook since they don't have a Google account (in that case they only have the Microsoft account).
Using Technology Better I got this working and your response is accurate. There are two things you might consider adding:
1. When setting the basic SAML configuration, you MUST use the primary domain in G-Suite.
2. You need to enable third party idp not only for users, but also on managed devices - and you need to allow SAML session cookies during the login.
Thanks for the video - couldn’t have done it without your help.
PS: provisioning and scoping can be much simpler by not requiring specific assignment - I've got less than 100 users and since we are moving from G Suite, they already have Google accounts. If you don't enable it for all users, pre-existing users won't be allowed to log in unless they're assigned.
I want to single sign-on from G Suite/Google Workspace into O365. Can you help me with that?
Do you mean the reverse of what this video covers where G Suite/Workspace is the identity provider?
@@Utb Yes
@@Utb Yes, that's exactly what I want. Can you do it?
@@martialazam Yes, I believe it is now possible but we haven't made a video on it yet. However, you can check out these instructions in the meantime. support.google.com/a/answer/6363817
@@Utb Many of us would love to see an instructional video where O365 uses Google Workspace as the identity provider.
Quick question: we have an established on-premise Windows domain that is set up as hybrid for Office 365. We wish to keep using our Office 365 stuff but only need to set up the G Suite stuff to sign into Chromebooks (we have been given 200 of them for our school). What domain do I need to set up my G Suite as? Does it need to match my Office 365? We do not wish to use Gmail for email (sticking with Office 365 Exchange).
Yes, you do need to use the same email domain for your users (your users need the same username on both O365 & G Suite - they only have the one account). However, you don't need to set up Gmail at all. When you configure G Suite you can turn off any apps such as Gmail that you don't need to use.