This guide will help you set up a single sign-on flow from your Google Workspace account to Microsoft 365, letting all your Workspace users log in to Microsoft 365 without a separate password. Optionally, it will also mirror any user changes you make in Workspace to your Microsoft 365 tenant – i.e., create, suspend and remove users in Microsoft 365 as you do in Google Workspace.
To achieve this, Google Workspace will be set up as a SAML identity provider (IdP) while Microsoft 365 will be configured as the connected SAML service provider (SP).
Workspace is configured in the Admin Console. For the Microsoft 365 side, we will need to use PowerShell.
See also: https://learn.microsoft.com/education/windows/configure-aad-google-trust
First, configure Workspace as a SAML Identity Provider.
Add and configure a Microsoft 365 SAML app:
ACS URL: https://login.microsoftonline.com/login.srf
Entity ID: urn:federation:MicrosoftOnline
Signed response: [checked]
Name ID: Basic Information / Primary Email
Name ID format: PERSISTENT
Download GoogleIDPMetadata.xml
Set attribute mapping (Google directory attribute → app attribute):
  Basic Information
    Primary email → IDPEmail
    First name → GivenName
    Last name → Surname
  Contact Information
    Phone
      Phone number → MobilePhone
    Address
      Address → StreetAddress
      Locality → City
      Postal code → PostalCode
      Region → State
      Country → Country
  Employee Details
    Job Title → JobTitle
    Department → Department
Configure provisioning if and as required. If you do, Google Workspace users will be mirrored in Microsoft 365 – in particular user creations, suspensions and deletions.
See also: https://learn.microsoft.com/graph/api/domain-post-federationconfiguration
Make sure that the domain to be federated is not set as the default domain in Microsoft Entra ID.
Install PowerShell 7.x, e.g., from the Microsoft Store.
PowerShell versions below 6.x may not work reliably; in particular, you may run into problems with Windows PowerShell 5.1.
You will need to increase the function and variable limits (the Graph module defines more functions than the default cap allows):
$MaximumFunctionCount = 8192
$MaximumVariableCount = 8192
You may also need to install additional modules:
Install-Module -Name Microsoft.Identity.Client
Even then there is no guarantee that this will work.
Set execution policy, then install and activate the Microsoft Graph module:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph
Authorise the module's access to your tenant (sign in with an account that can manage domains):
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
Change to the directory where GoogleIDPMetadata.xml was downloaded.
Set variables:
$domainId = "[DOMAIN]"
$displayName = "Google Workspace"
$xml = [Xml](Get-Content GoogleIDPMetadata.xml)
$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
$issuerUri = $xml.EntityDescriptor.entityID
$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$signoutUri = "https://login.microsoftonline.com/logout.srf"
$domainAuthParams = @{
    DomainId = $domainId
    IssuerUri = $issuerUri
    DisplayName = $displayName
    ActiveSignInUri = $signinUri
    PassiveSignInUri = $signinUri
    SignOutUri = $signoutUri
    SigningCertificate = $cert
    PreferredAuthenticationProtocol = "saml"
    FederatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"
    PromptLoginBehavior = "disabled"
}
Notes:
$domainId – the domain you want to federate; replace [DOMAIN] with your actual domain
$displayName – the brand name of your choice for the federation; it will be shown in Microsoft 365
$cert – the IdP signing certificate from the metadata file, as a single base64 string (no spaces or line breaks)
$signoutUri – URL of a log-out service:
https://login.microsoftonline.com/logout.srf will log the user out of Microsoft 365 only
https://accounts.google.com/logout will log the user out of both Microsoft 365 and Google Workspace
Federate the domain:
New-MgDomainFederationConfiguration @domainAuthParams
Voilà!
You may need to wait from a few seconds to several hours for federation changes to take effect.
To log in, use the Microsoft 365 shortcut in the Google Workspace checkerboard menu in the top right of any of your Workspace services or, alternatively, open https://cloud.microsoft and click the Sign in link. The configuration also works with the Microsoft Office desktop apps, Microsoft Teams, OneDrive, etc.
Note that each user's onPremisesImmutableId must be set to their UPN (email address), otherwise their sign-in flow will fail with a "user does not exist in tenant" error. Update all the affected users using the following (replace [DOMAIN] with your actual domain):
$userId = "user@[DOMAIN]"
Update-MgUser -UserId $userId -OnPremisesImmutableId $userId
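The two lines above handle one user. The following is an added example, not part of the original guide, that applies the same rule to every user in the federated domain, with a dry run first. It assumes Connect-MgGraph has already been run with the User.ReadWrite.All scope added to the -Scopes list (an assumption; the guide's Connect-MgGraph call does not include it), and the function name Set-ImmutableIdForDomain is chosen for this example.

```powershell
# Added example (not from the original guide): set OnPremisesImmutableId = UPN for every
# user in the federated domain that does not have it yet.
# Assumes Connect-MgGraph has been run with User.ReadWrite.All (assumption) in -Scopes.
$domainId = "[DOMAIN]"   # replace [DOMAIN] with your actual domain

function Set-ImmutableIdForDomain {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [switch] $DryRun   # report what would change without changing anything
    )
    # Request only the properties needed; -All pages through the whole directory.
    $users = Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesImmutableId |
        Where-Object { $_.UserPrincipalName -like "*@$Domain" }

    foreach ($u in $users) {
        if ($u.OnPremisesImmutableId -eq $u.UserPrincipalName) {
            Write-Host "OK    $($u.UserPrincipalName)"
            continue
        }
        if ($u.OnPremisesImmutableId) {
            # Already anchored to something else (e.g. a directory-sync sourceAnchor).
            # Do not overwrite silently; report it so it can be looked at by hand.
            Write-Warning "SKIP  $($u.UserPrincipalName) already has ImmutableId '$($u.OnPremisesImmutableId)'"
            continue
        }
        Write-Host "SET   $($u.UserPrincipalName)"
        # -WhatIf makes Update-MgUser print the intended change instead of applying it.
        Update-MgUser -UserId $u.Id -OnPremisesImmutableId $u.UserPrincipalName -WhatIf:$DryRun
    }
}

# Dry run first, review the output, then apply.
Set-ImmutableIdForDomain -Domain $domainId -DryRun
Set-ImmutableIdForDomain -Domain $domainId
```

Users that already carry a different ImmutableId are deliberately skipped rather than overwritten, since that value is what Entra matches the SAML NameID against and changing it for a synced account can break that account.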
See also: https://learn.microsoft.com/graph/api/internaldomainfederation-get
Verify whether it has worked:
Get-MgDomainFederationConfiguration -DomainId $domainId | Format-List
Note down the Id value (the internal domain federation Id) – you will need it should you wish to update or revert the federation.
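Beyond eyeballing the output, a practitioner will want to confirm that what Entra stores still matches the Google metadata and that the IdP signing certificate is not about to expire (if Google rotates the certificate, the copy stored in Entra must be updated or sign-in fails). The following is an added example, not part of the original guide: it re-reads GoogleIDPMetadata.xml with the same extraction as the "Set variables" step, fetches the live federation configuration, and compares the two. It assumes Connect-MgGraph has already been run and the metadata file is in the current directory; Test-GoogleFederation is a name chosen for this example.

```powershell
# Added example, not part of the original guide: compare the federation settings Entra
# holds for the domain with the Google IdP metadata file, and check the validity period
# of the IdP signing certificate. Assumes Connect-MgGraph has already been run and
# GoogleIDPMetadata.xml is in the current directory.
$domainId = "[DOMAIN]"   # replace [DOMAIN] with your actual domain

function Test-GoogleFederation {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $MetadataPath = "GoogleIDPMetadata.xml"
    )

    # Same extraction as the "Set variables" step of the guide.
    $xml      = [Xml](Get-Content $MetadataPath)
    $mdCert   = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
    $mdIssuer = $xml.EntityDescriptor.entityID
    $mdSignin = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
        Where-Object { $_.Binding.Contains('Redirect') } | ForEach-Object { $_.Location }

    # What Entra currently has. Without -InternalDomainFederationId this lists every
    # configuration for the domain; there is normally exactly one.
    $fed = Get-MgDomainFederationConfiguration -DomainId $Domain | Select-Object -First 1
    if (-not $fed) { throw "Domain '$Domain' has no federation configuration (is it still managed?)" }

    # Decode both certificates so thumbprints and validity dates can be compared.
    $x509    = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $mdX509  = $x509::new([Convert]::FromBase64String($mdCert))
    $fedX509 = $x509::new([Convert]::FromBase64String((-join $fed.SigningCertificate.Split())))
    $now     = Get-Date

    $checks = [ordered]@{
        'IssuerUri matches metadata'        = ($fed.IssuerUri -eq $mdIssuer)
        'PassiveSignInUri matches metadata' = ($fed.PassiveSignInUri -eq $mdSignin)
        'ActiveSignInUri matches metadata'  = ($fed.ActiveSignInUri -eq $mdSignin)
        'Signing cert matches metadata'     = ($fedX509.Thumbprint -eq $mdX509.Thumbprint)
        'Signing cert currently valid'      = ($now -ge $fedX509.NotBefore -and $now -le $fedX509.NotAfter)
        'Signing cert valid for 30+ days'   = ($fedX509.NotAfter -gt $now.AddDays(30))
        'Preferred protocol is saml'        = ($fed.PreferredAuthenticationProtocol -eq 'saml')
    }

    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("{0}  {1}" -f $status, $name)
    }

    # Id is the InternalDomainFederationId that the update and remove commands need.
    [pscustomobject]@{
        FederationId       = $fed.Id
        CertificateSubject = $fedX509.Subject
        CertificateExpires = $fedX509.NotAfter
        AllChecksPassed    = -not ($checks.Values -contains $false)
    }
}

Test-GoogleFederation -Domain $domainId
```

The returned FederationId is the value to pass as -InternalDomainFederationId in the update and revert steps, so the object can be kept in a variable (for example $fed = Test-GoogleFederation -Domain $domainId) instead of copying the Id from Format-List output by hand.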
See also: https://learn.microsoft.com/graph/api/internaldomainfederation-update
Specify new parameter values where applicable, for example:
$domainAuthParams = @{
    displayName = "Google Workplace"
    promptLoginBehavior = "disabled"
    federatedIdpMfaBehavior = "enforceMfaByFederatedIdp"
}
Update domain federation:
Update-MgDomainFederationConfiguration -DomainId $domainId -InternalDomainFederationId $internalDomainFederationId -BodyParameter $domainAuthParams
Federation Id can be obtained using the verification command above.
See also: https://learn.microsoft.com/graph/api/internaldomainfederation-delete
If you need to start over, revert the domain to managed (the command requires the federation Id as well as the domain):
Remove-MgDomainFederationConfiguration -DomainId $domainId -InternalDomainFederationId $internalDomainFederationId
Federation Id can be obtained using the verification command above.
You may need to wait from a few seconds to several hours for federation changes to take effect.
The author's own values, left at the end of the page for reference (the variable names differ from those used above):
$prot = "SAMLP"
$d = "rucinski.uk"
$b = "Rucinski"
$i = "https://accounts.google.com/o/saml2?idpid=C0187dalq"
$a = "https://accounts.google.com/o/saml2/idp?idpid=C0187dalq"
$p = "https://accounts.google.com/o/saml2/idp?idpid=C0187dalq"
$l = "https://login.microsoftonline.com/logout.srf"
$o = "https://accounts.google.com/.well-known/openid-configuration"
$DomainId = "0d2e18da-33bd-4ac9-8ea5-b4d2ce20fecb"