G-Suite (Google Workspace) authentication into Office 365 (SAML)

  • Published on 13 Jan 2025

Comments • 75

  • @GlenLittle95
    @GlenLittle95 3 years ago +5

    Another thing that would be good to add at the end of the video is how users (who are used to logging in to GMail) can now log in to Office 365.

  • @VirtualDenis
    @VirtualDenis 3 years ago +1

    If someone is surprised why the video became longer, I reuploaded it because I missed a piece of a video about PowerShell in my previous upload attempt.

    • @10445687
      @10445687 3 years ago +1

      I was wondering why the video went unavailable when I was watching it 😂

  • @viswanathputtagunta388
    @viswanathputtagunta388 3 years ago +1

    You are a genius! Thank you so much for this. Instructions worked verbatim. For companies that started off with GSuite but want to later use Microsoft for Power BI or other services, this is the best way to configure.

  • @nnmbnmbnmnm
    @nnmbnmbnmnm 3 months ago

    Thanks, that's nice information. Why do we assign the E5 license to the user on the Microsoft side while the user already has emails on Workspace? Does it mean the user may want to access other Office 365 applications, or is it required for the sync process?

  • @raymondadams4045
    @raymondadams4045 2 years ago +2

    This is wonderful..but how can we sync an existing AzureAD domain with 1,300 existing users with our Google Workspace domain with the same users?

  • @ciberporro
    @ciberporro 1 year ago +1

    THANKS FOR THE VIDEO.
    One question:
    If we activate authentication with Google, is it activated for all Tenant users or can we activate it by groups or users?
    THANKS

  • @EROLYILDIZ-p2u
    @EROLYILDIZ-p2u 1 month ago

    First of all thank you for this tutorial, it's great! We have all of our users in Google Workspace and now would like to develop Power App applications for our employees. Would these steps be ok for our users to login and use Power App applications without manually recreating every user on Azure AD?

  • @marksav
    @marksav 6 months ago

    Thanks for this video very helpful! Do you know if it's possible to federate two domains? We have two domains in our g suite instance and would like to allow sign in to M365 as well.

  • @DineshSingh-xn6ui
    @DineshSingh-xn6ui 2 years ago +1

    This is really helpful and thanks for this instruction video. I have configured the same and I am able to use the Google credentials for logging in to Microsoft services on browser and applications.
    However, I am facing an issue now with domain-managed devices (Windows laptops). Users are not able to sign in to Windows systems using either Google or Microsoft credentials. Can you please help with some troubleshooting tips?

  • @高吉米-p1b
    @高吉米-p1b 1 year ago

    Great video Denis!

  • @ciberdiegojander4160
    @ciberdiegojander4160 1 year ago

    Great video:
    A question: can I use this scenario if I have Azure AD Connect on my local AD?
    THANKS

  • @ppiquet
    @ppiquet 3 years ago +2

    Hi Denis, thanks for your video. After these steps, is it possible to log in to a computer with users from G Suite? I have only Azure AD + Intune, and after this step it is impossible to log in to machines with email synchronized from G Suite to Azure?!

    • @ddogg10000
      @ddogg10000 2 years ago +1

      Hi Paulo, did you figure this one out? I too have this problem.

    • @ppiquet
      @ppiquet 2 years ago +1

      @@ddogg10000 In the project I was in it was only authenticating the PCs with the Google email.
      The next step would be to put the active synchronization but I have not finished.

    • @ddogg10000
      @ddogg10000 2 years ago +1

      @@ppiquet Thanks Paulo, let me know if you ever figure it out. In my case, since federation, any enrolled device does not accept either credentials. The only way around it is during Autopilot, which forces creating a PIN from Hello for Business. That is how we are logging in. However, if you would do self-enroll, like from Access work or school, you're out of luck.

    • @ppiquet
      @ppiquet 2 years ago +1

      @@ddogg10000
      The steps that I do:
      My environment: computers without Active Directory, with local users, and not all users with an Office 365 license
      1 - To use Intune I create a user on Microsoft to add all the machines to Intune.
      2 - Install the package Google Credential Provider for Windows so users are able to authenticate on Windows.
      3 - Log in to Company Portal with the same user for all machines.
      4 - Create the connection (SAML) between Google and Microsoft to synchronize the users' passwords to Microsoft (Not Complete)

    • @ddogg10000
      @ddogg10000 2 years ago +1

      @@ppiquet Very interesting... yeah, I just recently learned and tried the GCPW.. then realized that Intune wasn't technically managing it and I wouldn't get all the apps or policies from Intune

  • @TobiasLarsEriksson
    @TobiasLarsEriksson 10 months ago

    If I want this to apply to only specific users from Google do I use groups or organizational units? Tried both with no luck. Works like a charm for all users and they are added automatically to Azure

  • @Alejandro-sb1de
    @Alejandro-sb1de 1 year ago +1

    Any chance you can show how to send over groups via the SAML provisioning?

    • @willspy4u
      @willspy4u 7 months ago

      Answering what I think is the answer: I don't think you can, at this juncture. You can do some PowerShell or use 3rd party tools to accomplish similar goals.

  • @andrewmpyane6472
    @andrewmpyane6472 3 years ago +1

    A very great video Denis, your video has been very helpful to my setup as well, thank you - just wondering if it's possible to use the existing OU structure from GSuite to allocate different licenses per OU on Office 365?

  • @chicat0
    @chicat0 1 year ago

    Thank you. This is an excellent video. ❤

  • @aexsome
    @aexsome 3 years ago +1

    Hi Denis, I have already configured this scenario for my company, is there a way to use now Active Directory so users log into their computers with the same credentials? I've successfully joined a device into AD, but when I try to log in it doesn't work. Would you be able to help us with a paid consulting call?

    • @murilomelo5175
      @murilomelo5175 3 years ago +1

      U can use GCPW to assign SSO using Gsuite

  • @romankolomiiets2546
    @romankolomiiets2546 1 year ago +1

    Hello Denis,
    What should we do if some users already exist in Azure AD with the same email as in G-Suite?

  • @ozgh
    @ozgh 1 year ago

    Firstly thank you. I have a question. How to add multiple domains?

  • @GongshangPrimary
    @GongshangPrimary 1 year ago

    Hi I ran into some problems and hope for some advice. What options do we have if we have successfully federated but mistakenly deleted the SAML cert from Google? The situation now is that none of the google-email User-IDs can sign into M365. Can we "hard reset" or revoke the broken SAML settings from M365's end?

  • @varunchandak7280
    @varunchandak7280 3 years ago +1

    This was wonderful. Thank you so much for this.
    I have 1 question, how do I sync groups as well to the o365 ? This would help me assign appropriate permissions automatically.

    • @VirtualDenis
      @VirtualDenis 3 years ago

      I am not aware of a "group" replication, do you mean matching GSuite groups to groups in AzureAD? I don't think there's a direct answer.
      HOWEVER if your license for AzureAD supports "dynamic membership" group feature, you could put users synced from GSuite into appropriate O365 group based on one of properties unique to a group in GSuite (i.e. group name as a custom attribute).
      Which license type for AzureAD do you use?
      docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

    • @varunchandak7280
      @varunchandak7280 3 years ago

      @@VirtualDenis Thanks for the reply. I think I use Azure AD Premium P2 license (require reconfirmation)

    • @VirtualDenis
      @VirtualDenis 3 years ago

      @@varunchandak7280 Then you are good. The dynamic membership rules require P1 premium license.

  • @benjaminselzer
    @benjaminselzer 2 years ago

    This is amazing. Just what I was looking for. Is there any way to do the Federation without PowerShell (i.e. on a Mac?) If I have to use PowerShell, do I need to be logged into that Windows machine with the MS account I'm doing the Federation on? Or can it be any Windows PC? Thanks again!

    • @bryanc9306
      @bryanc9306 2 years ago +1

      Idk if this can be done on Mac, but it will work on any Windows PC. When you use the connect command that's where you enter your MS account info.

  • @israeljosemaria
    @israeljosemaria 3 years ago +2

    THANKS A LOT for this BEST VIDEO, it solved my great problem....

    • @VirtualDenis
      @VirtualDenis 3 years ago

      I'm glad I could help. Thank you for watching!

  • @murilomelo5175
    @murilomelo5175 3 years ago +1

    So, how can I update users that already have an Office365 account before the automatic provision?

    • @VirtualDenis
      @VirtualDenis 3 years ago +2

      Hello Murilo! This is a good question, I am currently unaware of this specific but you could try the following. I know that when you match users between Local AD and Azure AD, the match is done using the ImmutableID property in Azure AD. You could try:
      1) provision a new user, check the ImmutableID of the newly created user.
      2) delete the new user (make sure to remove it from deleted users as well)
      3) update the ImmutableID of the old user to the one that the new user had.
      I am not sure if this will work, as I currently don't have a G-Suite active sub so I cannot test. But it sounds like it would work, I know it works for AD-Connect and standard Federation/migration from Onprem to Cloud. Let me know how it goes.

    • @guilhermehyppolito7158
      @guilhermehyppolito7158 3 years ago +1

      Just FYI if you haven't tried Denis' suggestion yet, I recently did it on my tenant and it worked out great! One thing to keep in mind, though, is that if you had any password recovery methods set up before as well, I recommend turning them off since you won't be using password with those accounts anymore and this can give you some weird errors.

    • @murilomelo5175
      @murilomelo5175 2 years ago

      @@guilhermehyppolito7158 @Virtual Denis I did it and it works :D Just forgot to mention this
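
The re-matching steps suggested earlier in this thread (read the ImmutableID of the newly provisioned user, delete and purge that user, then set the value on the pre-existing account), as an added example that is not part of any comment or of the video's script. It assumes the Microsoft Graph PowerShell SDK and an existing `Connect-MgGraph` session with rights to read, delete and update users; the function name and both user identifiers are hypothetical placeholders.

```powershell
# Added example, not the video's script. Assumes the Microsoft.Graph SDK and an
# existing Connect-MgGraph session; function name and identifiers are placeholders.
function Move-ImmutableIdToExistingUser {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # UPN or object id of the account that auto-provisioning just created
        [Parameter(Mandatory)][string]$ProvisionedUser,
        # UPN or object id of the account that existed before federation
        [Parameter(Mandatory)][string]$ExistingUser
    )
    $props = 'id', 'userPrincipalName', 'onPremisesImmutableId'
    $new = Get-MgUser -UserId $ProvisionedUser -Property $props
    $old = Get-MgUser -UserId $ExistingUser -Property $props

    if ($new.Id -eq $old.Id) { throw 'Both parameters resolve to the same account.' }
    if ([string]::IsNullOrEmpty($new.OnPremisesImmutableId)) {
        throw "$($new.UserPrincipalName) has no ImmutableID; nothing to transfer."
    }
    if ($old.OnPremisesImmutableId) {
        Write-Warning "Overwriting ImmutableID '$($old.OnPremisesImmutableId)' on $($old.UserPrincipalName)."
    }

    $action = "purge $($new.UserPrincipalName) and take over its ImmutableID"
    if ($PSCmdlet.ShouldProcess($old.UserPrincipalName, $action)) {
        # Step 2 of the comment: delete the new account, then remove it from
        # deleted users as well, as the comment advises.
        Remove-MgUser -UserId $new.Id -Confirm:$false
        Remove-MgDirectoryDeletedItem -DirectoryObjectId $new.Id -Confirm:$false
        # Step 3: set the freed value on the pre-existing account.
        Update-MgUser -UserId $old.Id -OnPremisesImmutableId $new.OnPremisesImmutableId
    }
    # Return the resulting state so the change can be reviewed or logged.
    Get-MgUser -UserId $old.Id -Property $props |
        Select-Object Id, UserPrincipalName, OnPremisesImmutableId
}

# Dry run first: -WhatIf reports what would be deleted and changed.
Move-ImmutableIdToExistingUser -ProvisionedUser 'new.user@example.com' `
    -ExistingUser 'old.user@example.onmicrosoft.com' -WhatIf
```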

  • @philliponcarbs
    @philliponcarbs 2 years ago

    Does this then allow the Provisioned users from 365 to login to another service/provider, using their Google Workspace account?

  • @djarcadian
    @djarcadian 2 years ago +1

    I really appreciate this video. I was able to get my users provisioned into Microsoft 365 successfully. Is there a way to sync the password between Microsoft 365 and Workspace so users can log into Windows computers set up through Autopilot?

  • @abrahamnd5013
    @abrahamnd5013 3 years ago +1

    @Virtual Denis, I need help with this. I can't assign a role to a Google federated account. What do I do?
    Meanwhile, this video is great!

  • @michaelarndt602
    @michaelarndt602 2 years ago

    When I create the SAML app in Workspace there's also a Certificate PEM file which I believe has to be uploaded to Microsoft. It's not addressed in this video and I'm not sure where to upload it. Workspace says the certificate will expire in 30 days.

    • @michaelarndt602
      @michaelarndt602 2 years ago +1

      I sort of figured out what happened. The Certificate was very old and coincidentally was set to expire next month. I uninstalled federation and will redo. However, I would like to know the process for updating the Certificate in 5 years when it's set to expire again.

  • @yashvishwakarma6434
    @yashvishwakarma6434 2 years ago

    Hey Denis,
    I am creating a website of my own,
    and I want to have Google as the IdP.
    So, how can I use Federation in that scenario?
    Also, I have created the SAML app on the Google admin account, but when I click the button to test SAML login it won't redirect back to my website. Why is this happening? I have no clue.
    Could you please guide me in this?

  • @TheInferno87
    @TheInferno87 8 months ago

    Great video 👍🏼

  • @高吉米-p1b
    @高吉米-p1b 1 year ago

    How to solve this problem: AADSTS5000811: Unable to verify token signature. The signing key identifier does not match any valid registered keys.
    When I try to configure Google Workspace authentication into Office 365 (SAML)!

  • @murilomelo5175
    @murilomelo5175 2 years ago

    Hi again Denis, how are u doing?
    I need to change my certificate, so I did the configuration again, but now I get this error:
    "Unable to verify token signature. The signing key identifier does not match any valid registered keys."
    Any idea on how to update it? I'm using cloud-based Office, without any on-premises Azure AD, also tried to do it manually using the AzureAD module, but it doesn't let me put a context using my domain :/

    • @michaelarndt602
      @michaelarndt602 2 years ago +1

      Did you ever figure this out?

    • @murilomelo5175
      @murilomelo5175 2 years ago

      @@michaelarndt602 Hi Michael, I did figure out what is happening, the signing token from Azure is incompatible with the new certificate, I've actioned Microsoft Support 2 weeks ago, and we're doing a troubleshoot on this problem, we didn't find any solution about how to make this work, but I'm going to comment it here and do a Medium post about it.

    • @michaelarndt602
      @michaelarndt602 2 years ago

      @@murilomelo5175 I was having a similar issue and just followed the code to undo the federation and redo it with a new cert. Have you tried that? I was setting up a new instance of AAD so I'm not sure if our issues are similar or not.

    • @natrangreenpestcontrol1012
      @natrangreenpestcontrol1012 2 years ago

      @@murilomelo5175 Isn't the signing certification from Workspace?

    • @murilomelo5175
      @murilomelo5175 2 years ago

      @@michaelarndt602 Already tried this, but didn't work for me
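
A check for the situation discussed in this thread, where sign-in fails because the signing key does not match a registered one: compare the certificate downloaded from the Google SAML app with the certificate registered on the federated domain, and report how close the registered one is to expiry. This is an added example, not from the video's script or any comment; it assumes the Microsoft Graph PowerShell SDK and an existing `Connect-MgGraph` session that can read domain settings, and the function names, domain name and PEM path are placeholders.

```powershell
# Added example, not the video's script. Assumes the Microsoft.Graph SDK and an
# existing Connect-MgGraph session; function names, domain and path are placeholders.
function Get-PemCertificate {
    param([Parameter(Mandatory)][string]$Path)
    # Strip the PEM armour and whitespace, then load the DER bytes.
    $pem = Get-Content -Raw -Path $Path
    $b64 = $pem -replace '-----(BEGIN|END) CERTIFICATE-----', '' -replace '\s', ''
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($b64))
}

function Compare-FederationSigningCert {
    param(
        [Parameter(Mandatory)][string]$DomainId,       # federated domain name
        [Parameter(Mandatory)][string]$GooglePemPath,  # PEM from the Google SAML app
        [int]$WarnDays = 30
    )
    $idp = Get-PemCertificate -Path $GooglePemPath
    foreach ($fed in Get-MgDomainFederationConfiguration -DomainId $DomainId) {
        # Both slots are checked: the active certificate and the rollover one.
        foreach ($slot in 'SigningCertificate', 'NextSigningCertificate') {
            $value = $fed.$slot
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            $reg = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($value))
            [pscustomobject]@{
                IssuerUri            = $fed.IssuerUri
                Slot                 = $slot
                RegisteredThumbprint = $reg.Thumbprint
                IdpThumbprint        = $idp.Thumbprint
                Match                = ($reg.Thumbprint -eq $idp.Thumbprint)
                RegisteredNotAfter   = $reg.NotAfter
                ExpiresSoon          = ($reg.NotAfter -lt (Get-Date).AddDays($WarnDays))
            }
        }
    }
}

Compare-FederationSigningCert -DomainId 'example.com' `
    -GooglePemPath '.\GoogleIDPCertificate.pem' | Format-Table -AutoSize
```

If no row shows `Match = True`, the identity provider is signing with a certificate the tenant does not have registered, which is consistent with the error quoted in the thread.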

  • @Naufal123421970
    @Naufal123421970 3 years ago +1

    Thank you, it works for us.

  • @AndrewMT88
    @AndrewMT88 3 years ago

    Thanks for the video! This was easy to follow and worked great for me except for one small issue. My accounts that are created in M365 do not have a "usage location" assigned. This causes me to be unable to assign licenses to these accounts until I manually set them to "United States". Does anyone know of a way to automate this?

  • @Noyl37
    @Noyl37 3 years ago

    Hi, off topic, but are you Deon, the one who made mods for Dwarf Fortress? I sent you a request on VK, I have a question.

    • @VirtualDenis
      @VirtualDenis 2 years ago

      Hi, sorry for the late reply, I was on a long trip. That's me.

    • @Noyl37
      @Noyl37 2 years ago

      @@VirtualDenis I'll ask here :) Basically, the Boatmurdered comic that you drew has disappeared from the internet. As a moderator of the Dwarf Fortress group on VKontakte, I was asked where to find it, and all I could do was track you down. Maybe the source files have survived, so that we could at least post it in our group?

  • @yusrizalsurya9906
    @yusrizalsurya9906 2 months ago

    thank you very much!!!

  • @martialazam
    @martialazam 3 years ago

    Script not available to download

    • @murilomelo5175
      @murilomelo5175 3 years ago

      it's a simple script, u can easily write it

    • @VirtualDenis
      @VirtualDenis 2 years ago

      The link pastebin.com/buTh1mcm seems to work still, it's in description

    • @martialazam
      @martialazam 2 years ago +1

      @@VirtualDenis Not working in Pakistan due to country restrictions. I used VPN to open it.

  • @paputec
    @paputec 2 years ago

    Thanks, you have won one more subscriber.

  • @lepiques
    @lepiques 1 year ago

    This is gold

  • @adebayooluwaseun211
    @adebayooluwaseun211 3 years ago

    You just saved my job!!

  • @TuPham81
    @TuPham81 2 years ago

    What about adding the custom domain into Azure? Also what about the migration of Gmail to Outlook?

  • @SamScales
    @SamScales 2 years ago

    Thanks for a great video. Hope you can help with my question. I already have the same domain (domain.co.uk) setup in both Google workspace and office 365. I notice in your video you say the domain in office 365 can't be the default domain. Is that correct? Do I need to add a new domain to office 365 somehow? Thanks for your time 👍