I wanted to thank you for making this video. I have been trying for over a month to get my Google certificate updated in Azure. I had contacted support with no luck; after finding your video I pasted my information into the provided Google Sheet, used the update certificate command it provided, and instantly my SSO started working. Thanks again, keep up the good work.
Hi,
I'm trying to map Google Groups to Microsoft. I don't know what to insert on the App attribute side.
I tried MemberOf / groups,
but none of them worked.
How do I revert these changes again? I need to make Azure the IdP again.
Quick question:
did you verify your domain before using it for the SSO implementation?
Is it possible to set this up for only a subset of our users? Like for only a certain OU? We have a main group of users that this would apply to, but we want to leave our contractors authenticating via their own Microsoft accounts since they are invited as guests in our Microsoft platform.
Once a domain is federated in Entra ID, all sign-in requests for users on that domain will be directed to the identity provider (Google). If the guests in your Microsoft tenant are using their own credentials, they should not be affected.
Is there a way to disable Microsoft Authenticator now that SAML SSO is working with Google?
You would probably have to do that on the Entra ID tenant side, for a user or for the entire tenant. There is a flag in PowerShell to indicate that the IdP supports MFA, but it doesn't seem to work when Google is the IdP.
Got it working thanks to your video. But I hit a brick wall trying to add other domains we have in our Google Workspace.
Yes, we need both SSO and something similar to 'domain trust' between GCP federated domain and an existing Azure domain. Setting up External users in Azure, allowing the External GCP users is very restricted and does not allow full group mapping/trust.
Is there a way to force auto-provisioning of users in MS when a user logs in from Workspace?
I am confused about the immutable IDs. Are they required? It sounds like I would need to set them up manually (or semi-manually) for all my users before they could use the integration? Can I set it up in a way that I only need to do this once and it would just work for all future users I create?
They are required, yes. For most M365 customers this value would be blank (unless coming from hybrid/on-prem), so it needs to be set. For most SAML apps, the username in Google would simply need to match the username in the application; however, that is not the case for M365. Whatever value (it can be anything) that Google sends needs to match the ImmutableID in AzureAD.
If you set up automatic provisioning from Google to M365, this should be done automatically, I believe.
-Brian
@@WorkspaceAdmins Thanks for the quick answer Brian! I found a good video which goes more into detail about the provisioning th-cam.com/video/C46djGWiaDA/w-d-xo.html
Fantastic, Brian!
Thanks Dan!
After federating the domain I can't add new users in MS to that domain. How do I create new users? Is turning on auto-provisioning in GWS required, or is there some other way of pushing new users to MS?
Thanks for this. Got it all working, but I'm trying to map custom user fields in Google to Azure AD now. For example, each user has a "nickname" field in Google that we want to map to a custom field in Azure AD. Any idea how?
I can see the ability to map fields, but I have no idea how to choose the field to map the data to in Azure AD?
How do you deal with new users being added to Google? I cannot add an ImmutableID once the domain is federated.
You can try to roll back first.
Command: Set-MsolDomainAuthentication -DomainName -Authentication managed
Do you have a video on how to do the sync of the users between Azure and GSuite?
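Brian's explanation above (the value Google sends as NameID must equal the user's ImmutableID) and the rollback advice (ImmutableID cannot be written while the domain is federated) can be combined into one script. This is an added example, not code from the video or from any commenter; it assumes the MSOnline module already connected via Connect-MsolService, a placeholder domain name, and a constructed CSV with columns UserPrincipalName and ImmutableId.

```powershell
# Added example (not from the video or comments). Assumes the MSOnline module,
# an already-run Connect-MsolService, and a constructed CSV like:
#   UserPrincipalName,ImmutableId
#   alice@example.com,alice-gws-001
# The ImmutableId column must hold exactly the value Google will send as NameID.
param(
    [string]$CsvPath = '.\immutable-ids.csv',   # constructed sample input
    [string]$DomainName = 'example.com'         # placeholder domain
)

Import-Module MSOnline -ErrorAction Stop

# Setting ImmutableId is refused while the domain is federated (see the thread),
# so check the authentication type once instead of failing per user.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -eq 'Federated') {
    throw ("$DomainName is federated. Roll back to managed first: " +
           "Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed")
}

$rows = Import-Csv -Path $CsvPath
foreach ($row in $rows) {
    $upn = $row.UserPrincipalName.Trim()
    $id  = $row.ImmutableId.Trim()

    # Skip blank rows rather than writing an empty ImmutableId.
    if (-not $upn -or -not $id) { Write-Warning "Skipping incomplete row for '$upn'"; continue }

    # Refuse to overwrite an existing, different ImmutableId: a silent change here
    # would break the SAML match for a user who already signs in through Google.
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
    if ($user.ImmutableId -and $user.ImmutableId -ne $id) {
        Write-Warning "$upn already has ImmutableId '$($user.ImmutableId)'; not overwriting."
        continue
    }

    Set-MsolUser -UserPrincipalName $upn -ImmutableId $id

    # Read back and verify, so a mismatch is caught before the domain is re-federated.
    $check = (Get-MsolUser -UserPrincipalName $upn).ImmutableId
    if ($check -ne $id) { Write-Error "Verification failed for $upn (got '$check')" }
    else { Write-Host "Set ImmutableId for $upn" }
}
```

Re-federate the domain only after every row verifies, since a user whose ImmutableID does not match the NameID Google sends will be unable to sign in afterwards.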
He has one from about 9 months ago
Can I use these SSO-provisioned accounts for signing into Windows devices (for example during the OOBE, aka Windows Setup), or does it only work in the browser?
I forgot what the technical term is, but Microsoft has a limitation where you cannot use a third-party IdP on the Windows login screen, unfortunately. If you are a Google shop, you can consider using Google Credential Provider for Windows.
Thanks a lot for the video. Now the certificate is about to expire. Could you please guide me on how to renew the certificate on the Office 365 side?
Thank you in advance🙏
Thanks. I have a few users in Azure AD and I can create the ImmutableID in Google and update that value from Azure / Microsoft.
May I know whether we need to provide a value for the ImmutableID every time we create a new user in Google (auto-provisioning)?
Great question. I haven't tried it personally, but I've heard from others in the community that setting up provisioning will set immutable IDs. Otherwise it will be a combination of GAM with PowerShell. - Brian
Once you have auto provisioning, it will set immutable IDs automatically
Hi, I am getting a lot of these errors after the provisioning is set up (download list): Error Code 45003 - StatusCode: 400 : Bad Request : { error :{ code : Request_BadRequest message : Invalid value specified for property 'mobilePhone' of resource 'User'. details :[{ code : InvalidLength message : The mobilePhone should be between 1 and 64 characters. target : mobilePhone }] innerError :{ date : 2023-10-12T01:19:35 request-id : client-request-id : }}} Not sure why, as mobile phone is not a required field. It is the same with the jobTitle field as well. Why is it saying the mobilePhone field should be between 1 and 64 characters?
Does this work with Outlook? In my case it's not working with Outlook.
First impression: the screen size is too small and difficult on the eyes. I'm watching on a 24" screen. You need to zoom in more.