Set Up Entra ID as the SSO Provider for Google Workspace

Typically, my work with Google Workspace revolves around helping clients transition from Google Workspace to Microsoft 365. Recently, however, I encountered a client already utilizing the complete M365 suite who needed to establish a Google Workspace tenant to manage Google Workspace IDs. While this isn’t a frequent scenario, it can be sensible in specific contexts. For instance, organizations collaborating with vendors or other entities using Google Workspace might require a Google account for effective teamwork and access to certain Google Workspace applications. It’s crucial that our employees do not create personal Google accounts for work-related tasks, especially when linked to our organization’s domain.

We also prefer not to manage two distinct identity platforms. In this case, we can set Entra as the primary identity provider, allowing Google Workspace to synchronize users from Entra while employing Entra as both the IDP and SSO provider. While there’s existing documentation from Google and Microsoft, I’ve noticed it often lacks organization or essential details—particularly regarding user provisioning from the Google Workspace perspective. This post will guide you through setting up SSO and enabling automatic sync for user provisioning and deprovisioning. We’ll first configure SSO, then delve into automatic user provisioning.

Configure Entra as the IDP and SSO for Google Workspace

In Entra, go to Enterprise apps, create a new application, search for and select the Google Cloud / G Suite Connector by Microsoft:

After adding the application, we need to configure SSO. Go to the enterprise app we just added (Google Cloud / G Suite Connector by Microsoft) and choose Set up Single sign on: 

Next, select SAML: 

Edit the Basic SAML information: 

Fill this out as shown below for Gmail/Google Workspace, placing your own domain after the “/a/” path segment.

According to the Documentation, the sign-on URL should be formatted as “https://www.google.com/a/yourdomain.com/ServiceLogin?continue=https://mail.google.com”. If you’re using Gmail as your email provider and Entra for authentication, this is valid. However, if Gmail is disabled in Google Workspace (and it should be if you’re using M365), users attempting to sign in via SSO may encounter this screen:

If Gmail isn’t in use, modify your Sign on URL to https://www.google.com/a//ServiceLogin?continue=https://workspace.google.com/dashboard as shown in the screenshot below:

Using the URL ending in workspace.google.com/dashboard will direct users to the apps dashboard:

Now, back to our configuration. There’s no need to adjust anything in the attributes & claims section. Next, in the SAML certificates area, download the Base64 certificate: 

Copy the Login URL and Microsoft Entra Identifier from step 4 (as shown below). Avoid copying the logout URL; instead, use https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 for the logout URL.

Next, if you wish to test before going live with production users, create a test user and add them to the enterprise application’s Users and Groups.

Now, log into your Google Workspace Admin center and navigate to Security > Authentication > SSO with third party IdP: 

Click Add SAML profile under third-party SSO profiles: 

Give your profile a name and enter the following IDP details, most of which were copied from Entra earlier. The Login URL and IDP Entity ID should be the values from the previous step:

For the change password URL: https://mysignins.microsoft.com/security-info/password/change

For the sign-out page URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 

Ensure you upload the certificate downloaded earlier during the Enterprise App setup in Entra. 

We also need to integrate the Entity ID and ACS URL from the Google SAML SSO profile into the SAML configuration in Entra. This information isn’t present in the Microsoft documentation. See below:

Once completed, you should see a status of Complete for your entry under Third Party SSO profiles: 
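The values exchanged above (Microsoft Entra Identifier, Login URL, the Google profile’s Entity ID and ACS URL) all have to agree, and a mismatch usually only shows up as a cryptic error at sign-in time. The script below is an added example, not code from this article or from Microsoft or Google: it parses a SAML response (a constructed sample is embedded) and reports any field that does not match the configured values, plus an expired or unsigned assertion. Every URL and id in `EXPECTED` is a placeholder to be replaced with your own Entra and Google profile values; the signature check only confirms a Signature element is present, since real cryptographic verification needs a SAML library and the Base64 certificate downloaded from Entra.

```python
"""Consistency check for a SAML response between Entra and a Google SSO profile.

Added example, not from the original article. All ids/URLs in EXPECTED are
constructed placeholders; the SAMPLE_RESPONSE is constructed as well."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

EXPECTED = {
    # Microsoft Entra Identifier from the enterprise app (placeholder tenant id)
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    # Entity ID and ACS URL shown in the Google SAML SSO profile (placeholders)
    "audience": "urn:placeholder:google-sso-profile-entity-id",
    "acs_url": "https://placeholder.invalid/google-sso-profile/acs",
    # Google expects the NameID to be the user's primary e-mail in this domain
    "domain": "example.com",
}

# Constructed sample; the Signature element is a stub, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Destination="https://placeholder.invalid/google-sso-profile/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature><ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>googlessotest@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-06-19T10:00:00Z" NotOnOrAfter="2025-06-19T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>urn:placeholder:google-sso-profile-entity-id</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the SAML UTC timestamp format (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, expected=EXPECTED, now=None):
    """Return a list of findings; an empty list means the response matches the
    configuration. `now` may be a SAML timestamp string or an aware datetime."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _ts(now)
    findings = []
    root = ET.fromstring(xml_text)

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        findings.append("status: response status is not Success")

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        findings.append(f"issuer: {issuer!r} is not the configured Microsoft Entra Identifier")

    if root.get("Destination") != expected["acs_url"]:
        findings.append("destination: does not match the ACS URL from the Google SSO profile")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("assertion: none found (encrypted assertions are not handled here)")
        return findings

    if assertion.find("ds:Signature", NS) is None:
        findings.append("signature: assertion carries no Signature element")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append("time: assertion is not yet valid (clock skew?)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append("time: assertion has expired")

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        findings.append(f"audience: {audiences} does not include the Google profile Entity ID")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id.lower().endswith("@" + expected["domain"]):
        findings.append(f"nameid: {name_id!r} is not a primary e-mail in {expected['domain']}")
    return findings


if __name__ == "__main__":
    for line in check_saml_response(SAMPLE_RESPONSE, now="2025-06-19T10:30:00Z") or ["OK"]:
        print(line)
```

A real response can be captured from the browser’s developer tools (the Base64 `SAMLResponse` form field posted to the ACS URL) and decoded before being passed in; with the placeholders replaced, an empty findings list confirms the two sides were configured against each other.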

Provisioning Users in Google Workspace

Now that we’re geared up for testing, synchronizing or auto-provisioning users from Entra to Google Workspace is necessary since Entra serves as the IDP. You can opt for either Automatic User Provisioning or Directory Sync. I strongly recommend Directory Sync; however, we will explore both methods. If you choose Automatic User Provisioning via the Entra App, users won’t be disabled or deleted in Google Workspace when they are removed from Entra. In short, stick with Directory Sync unless you specifically do not want users automatically disabled in Google Workspace when they are deactivated or deleted in Entra.

Enable Automatic User Provisioning (not recommended)

We will demonstrate this using the test user created earlier (googlessotest) in Entra. To enable automatic user provisioning, navigate to Google Workspace Admin center, then go to Security > Access and data control > API control: 

Select Settings: 


Make sure the box is checked to trust internal apps: 

Now return to the enterprise app in Entra and select provisioning: 


Adjust the user provisioning mode to Automatic. If you’re unable to save changes and a banner appears indicating that Authorization is only supported from portal.azure.com, click this banner to be redirected to the appropriate URL. 

Ensure you have an admin account in Google Workspace that holds all Admin API privileges. I created a dedicated admin service account for this purpose, though a super admin account from Google Workspace also suffices. Click the Authorize button:

Grant access when prompted after logging in: 

If successful, the provisioning mode should switch to automatic, with testing the connection resulting in success: 

The default mappings will typically suffice, but if you wish to assess or modify them, refer to this resource – Tutorial: Configure G Suite for Automatic User Provisioning with Microsoft Entra ID – Microsoft Entra ID | Microsoft Learn.  

Finally, ensure you turn provisioning ON. Navigate back to the enterprise app, select Provisioning, and click Edit provisioning:

Switch provisioning ON and click Save. 

This will initiate the first provisioning cycle. Your test user should soon appear in Google Workspace. If you haven’t added a user’s first and last names, the provisioning will fail. You can also execute a provision on-demand to confirm. If many users lack First or Last name attributes, consider adjusting the mapping attribute for surname and given name to an underscore or another character: 

Provision on demand can be found from the options under the ellipses if it’s not visible on the top banner:

Returning to the Google Workspace Admin center, we can confirm that our user has been provisioned: 

Lastly, we must verify that the SSO profile is assigned in Google Workspace. Go back to Security > SSO with third-party IDPs. To test this out, you can create a security group and include users assigned to the Enterprise App. It’s also possible to exclude users and groups from SSO. Remember, super admins cannot use SSO with a third-party IDP to prevent being completely locked out of your Workspace tenant if the IDP encounters issues or the SSO configuration fails. In the screenshots below, we can see that a local admin roles group is excluded. You’ll want to select your test group and assign the Entra-ID SAML SSO profile:

When testing is complete, aim to target additional users with your enterprise app, then extend the Google Workspace configuration to the corresponding group on that side. In this instance, it will reside at the top-level OU:
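Because the provisioning cycle fails for any user whose first or last name is empty in Entra, it is worth checking the assigned users before switching provisioning on rather than discovering the failures in the provisioning logs. The script below is an added example, not from this article or from Microsoft; the user records are constructed (in practice they would come from Microsoft Graph `/users` with `userPrincipalName`, `givenName` and `surname`), and the `"_"` fallback mirrors the mapping tweak described above. The `name.givenName` / `name.familyName` / `primaryEmail` fields are those of the Google Directory API user object.

```python
"""Pre-flight check for the First/Last name requirement of automatic provisioning.

Added example, not from the original article. ASSIGNED_USERS is constructed."""

# Constructed Entra users assigned to the enterprise app.
ASSIGNED_USERS = [
    {"userPrincipalName": "googlessotest@example.com", "givenName": "Google", "surname": "SSOTest"},
    {"userPrincipalName": "svc-scanner@example.com", "givenName": None, "surname": None},
    {"userPrincipalName": "m.lee@example.com", "givenName": "Mina", "surname": ""},
]

REQUIRED_NAME_ATTRS = ("givenName", "surname")


def users_missing_names(users):
    """UPNs whose provisioning would fail with the default mapping because
    givenName or surname is null or empty in Entra."""
    return [u["userPrincipalName"] for u in users
            if any(not (u.get(a) or "").strip() for a in REQUIRED_NAME_ATTRS)]


def google_name_payload(user, fallback=None):
    """Build the name part of the Google user object the cycle would send.
    With a fallback (for example "_"), empty attributes are substituted and the
    substituted attribute names are returned alongside the payload; without
    one, ValueError reproduces the failure the provisioning log reports."""
    given = (user.get("givenName") or "").strip()
    family = (user.get("surname") or "").strip()
    substituted = []
    if not given:
        if fallback is None:
            raise ValueError(f"{user['userPrincipalName']}: givenName is required")
        given, substituted = fallback, substituted + ["givenName"]
    if not family:
        if fallback is None:
            raise ValueError(f"{user['userPrincipalName']}: surname is required")
        family, substituted = fallback, substituted + ["surname"]
    payload = {"primaryEmail": user["userPrincipalName"].lower(),
               "name": {"givenName": given, "familyName": family}}
    return payload, substituted


def plan_provisioning(users, fallback=None):
    """Dry-run the cycle: returns {'ready': [payloads], 'substituted': {upn: [attrs]},
    'failed': [upns]} so the mapping can be adjusted before the first real run."""
    plan = {"ready": [], "substituted": {}, "failed": []}
    for user in users:
        try:
            payload, subs = google_name_payload(user, fallback)
        except ValueError:
            plan["failed"].append(user["userPrincipalName"])
            continue
        plan["ready"].append(payload)
        if subs:
            plan["substituted"][user["userPrincipalName"]] = subs
    return plan


if __name__ == "__main__":
    print("would fail with default mapping:", users_missing_names(ASSIGNED_USERS))
    print("with '_' fallback:", plan_provisioning(ASSIGNED_USERS, fallback="_"))
```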

Configure directory sync (recommended)

Directory sync functions just as the name implies, and the Microsoft documentation does not reference it. This omission likely stems from it being a Google App, but it’s certainly a superior method for user provisioning compared to the automatic user provisioning method we just covered. Directory Sync is endorsed as the best practice, and should be your choice for provisioning and syncing users to Google Workspace rather than the automatic user provisioning approach in the Enterprise App. The Google documentation outlines this clearly:

Google’s instructions are straightforward and can be accessed here. We will detail the process with screenshots below.

From the Google Workspace Admin center, navigate to Directory > Directory Sync: 

Select Add Azure Active Directory: 

Proceed by clicking Continue on the prerequisites window. 

Add a Name and then click Authorize and Save. You’ll be prompted to log into Entra and provide consent for the required permissions. A Global Admin or Cloud Application Administrator identity is needed to complete the sign-in: 

Accept the permission request:

Returning to Entra, you’ll see a new enterprise app named “Google Directory Sync” has been established: 

Next, we can configure user sync. Back in Google Workspace Admin center > Directory > Directory Sync, select the External Directory we just created and click set up user sync: 

Select the M365 user group(s) you wish to sync. After entering your groups, click Verify, then continue. For those just starting and wanting to test with a limited group of pilot users, create a pilot group in Entra.

Choose the OU where you want users to be synced in Google Workspace: 

Adjust the User Attribute mappings (if necessary) or click set default to use the standard mappings. First Name, Last Name, and Primary email address are compulsory fields in Google Workspace. Decide whether to send users an activation email, then click continue. Existing users in Google Workspace won’t be duplicated if the UPN in Entra aligns with the Primary Email in Google Workspace.

Define the action for user de-provisioning and click continue. The default action is Suspend, which equates to disabling a user in Entra.

Continue to execute the simulated sync: 

Upon closing the simulated sync, if it’s successful, you’ll be asked whether you want to activate and initiate sync. If you opt not to activate and sync immediately, you can return to the sync directory to activate it under sync status: 

Once your sync concludes, all your intended users should be added into Google Workspace: 

We also need to ensure the SSO enterprise application in Entra targets the same group that our Directory Sync is utilizing. This group should align with the sync group we selected in step 7.

If automatic user provisioning was previously configured on the Enterprise App or tested, change the provisioning status to disabled since this will now be managed by directory sync: 

Finally, return to the Google Admin center under Single Sign-on with Third-party IDPs. Select your SSO Profile, then scope it to the organizational level or a wider group, encompassing all users we just synced and those assigned to the SSO enterprise app in Entra.
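Once Directory Sync is live, the state the two directories should share is simple: an account disabled or deleted in Entra must be suspended in Google Workspace, and every enabled user in the sync group should exist in Google Workspace. The script below is an added example, not from this article or from Google’s Directory Sync; both user lists are constructed (in practice Entra users would come from Microsoft Graph `/users` with `accountEnabled`, and Google users from the Admin SDK Directory API with `primaryEmail`, `suspended` and `isAdmin`). It reports exactly the drift the automatic provisioning method leaves behind, and treats super admins as out of scope because Google keeps them outside third-party SSO.

```python
"""Drift check between Entra account state and Google Workspace account state.

Added example, not from the original article. Both user lists are constructed."""

ENTRA_USERS = [
    {"userPrincipalName": "a.khan@example.com", "accountEnabled": True},
    {"userPrincipalName": "b.ortiz@example.com", "accountEnabled": False},  # disabled in Entra
    {"userPrincipalName": "e.nakamura@example.com", "accountEnabled": True},  # not yet synced
    # c.wu@example.com has been deleted from Entra altogether
]

GOOGLE_USERS = [
    {"primaryEmail": "a.khan@example.com", "suspended": False, "isAdmin": False},
    {"primaryEmail": "b.ortiz@example.com", "suspended": False, "isAdmin": False},
    {"primaryEmail": "c.wu@example.com", "suspended": False, "isAdmin": False},
    {"primaryEmail": "d.rao@example.com", "suspended": True, "isAdmin": False},
    # Super admin kept outside the SSO profile and the sync scope (break-glass access)
    {"primaryEmail": "breakglass@example.com", "suspended": False, "isAdmin": True},
]


def reconcile(entra_users, google_users, exempt=()):
    """Compare the two directories and return:
      should_suspend    - active in Google Workspace but disabled in Entra
      orphaned          - active in Google Workspace with no Entra account at all
      missing_in_google - enabled in Entra but absent from Google Workspace
    Super admins and any explicitly exempt addresses are ignored."""
    entra = {u["userPrincipalName"].lower(): bool(u["accountEnabled"]) for u in entra_users}
    exempt = {e.lower() for e in exempt}
    report = {"should_suspend": [], "orphaned": [], "missing_in_google": []}
    seen = set()
    for g in google_users:
        email = g["primaryEmail"].lower()
        seen.add(email)
        if email in exempt or g.get("isAdmin"):
            continue  # managed locally in Google Workspace, never via Entra
        if g["suspended"]:
            continue  # already in the state de-provisioning would leave it in
        if email not in entra:
            report["orphaned"].append(email)
        elif not entra[email]:
            report["should_suspend"].append(email)
    for upn, enabled in entra.items():
        if enabled and upn not in seen and upn not in exempt:
            report["missing_in_google"].append(upn)
    return report


if __name__ == "__main__":
    for key, emails in reconcile(ENTRA_USERS, GOOGLE_USERS).items():
        print(f"{key}: {emails}")
```

Run on a schedule, a non-empty `should_suspend` or `orphaned` list is the signal that de-provisioning is not keeping up (or that someone created a Google account outside the sync), while `missing_in_google` points at users who were added to the SSO enterprise app but not to the group Directory Sync reads.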

User Experience and Sign-in Logs

When users attempt to authenticate with Google Workspace, they will be directed to complete SSO through Entra:

In the Entra Sign-in logs, we can monitor the authentication against the Google Cloud / G Suite Connector application:
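The sign-in log is also where scoping mistakes surface: a user placed in the Google SSO profile’s scope but never added to the enterprise app’s Users and Groups is redirected to Entra and fails there. The script below is an added example, not from this article or from Microsoft: it summarises sign-ins to the Google connector application per user from a constructed JSON sample shaped like the Microsoft Graph `auditLogs/signIns` output (only the fields used are included). Error code 0 is a success; 50105 is Entra’s code for a user who is not assigned to the application.

```python
"""Per-user summary of Entra sign-ins to the Google SSO enterprise app.

Added example, not from the original article. SAMPLE_LOG is constructed."""
import json
from collections import defaultdict

APP_NAME = "Google Cloud / G Suite Connector by Microsoft"

# Constructed records shaped like Microsoft Graph auditLogs/signIns entries.
SAMPLE_LOG = json.dumps([
    {"createdDateTime": "2025-06-19T09:01:12Z", "userPrincipalName": "googlessotest@example.com",
     "appDisplayName": APP_NAME, "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"createdDateTime": "2025-06-19T09:04:40Z", "userPrincipalName": "m.lee@example.com",
     "appDisplayName": APP_NAME, "ipAddress": "203.0.113.11",
     "status": {"errorCode": 50105, "failureReason": "The signed in user is not assigned to a role for the signed in app."}},
    {"createdDateTime": "2025-06-19T09:20:03Z", "userPrincipalName": "m.lee@example.com",
     "appDisplayName": APP_NAME, "ipAddress": "203.0.113.11",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"createdDateTime": "2025-06-19T09:21:55Z", "userPrincipalName": "a.khan@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.12",
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"createdDateTime": "2025-06-19T09:30:18Z", "userPrincipalName": "svc-scanner@example.com",
     "appDisplayName": APP_NAME, "ipAddress": "203.0.113.13",
     "status": {"errorCode": 50105, "failureReason": "The signed in user is not assigned to a role for the signed in app."}},
])

# Remediation hints for the codes this setup most often produces.
ERROR_HINTS = {
    50105: "user not assigned to the enterprise app (add to Users and groups)",
}


def summarize_sso_signins(log_json, app_name=APP_NAME):
    """Return {upn: {'success': n, 'failure': n, 'reasons': [...]}} for sign-ins
    to `app_name`; sign-ins to other applications are ignored."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "reasons": []})
    for rec in json.loads(log_json):
        if rec.get("appDisplayName") != app_name:
            continue
        upn = rec["userPrincipalName"].lower()
        status = rec.get("status", {})
        code = status.get("errorCode", 0)
        if code == 0:
            summary[upn]["success"] += 1
        else:
            summary[upn]["failure"] += 1
            hint = ERROR_HINTS.get(code, status.get("failureReason", "unknown"))
            summary[upn]["reasons"].append(f"{code}: {hint}")
    return dict(summary)


def users_never_succeeded(summary):
    """Users who tried the Google SSO app and have not had a single success;
    after rollout this list should be empty."""
    return sorted(upn for upn, s in summary.items() if s["success"] == 0)


if __name__ == "__main__":
    result = summarize_sso_signins(SAMPLE_LOG)
    for upn, s in result.items():
        print(upn, s)
    print("never succeeded:", users_never_succeeded(result))
```

The same filter on `appDisplayName` works on the JSON download from the portal’s sign-in logs blade, so the check can be run against a day’s export during the pilot to confirm every pilot user has at least one successful SSO before the scope is widened.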


Updated on June 19, 2025