Sync G Suite accounts with Azure active directory!
Note:
ACS URL: https://login.microsoftonline.com/login.srf
Entity ID: urn:federation:MicrosoftOnline
Ensure that you are using an administrator Azure Active Directory account that is not already linked to your existing Google account.
Validate your domain on Azure: https://portal.azure.com/?l=en.en-us#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Domains
And DON'T set this domain as Primary:
Download the GoogleIDPMetadata-{your-domain}.xml file:
Then install all required tools (powershell tools)
And start a powershell console:
Install-Module MSOnline
Enter your MS credentials.
Import-Module MSOnline
$Msolcred = Get-credential
Connect-MsolService -Credential $MsolCred
Now edit my sample dfs-pf-samlp.xml file with your Google Ids:
GOOGLESAMLIDand- copy paste your certificate (from
GoogleIDPMetadata-{your-domain}.xmlfile)
Then import the config into powershell:
$wsfed = Import-Clixml dfs-pf-samlp.xml
And Set the domain as federated:
Set-MsolDomainAuthentication -DomainName "{your-domain}" -FederationBrandName $wsfed.FederationBrandName -Authentication Federated -PassiveLogOnUri $wsfed.PassiveLogOnUri -ActiveLogOnUri $wsfed.ActiveLogonUri -SigningCertificate $wsfed.SigningCertificate -IssuerUri $wsfed.IssuerUri -LogOffUri $wsfed.LogOffUri -PreferredAuthenticationProtocol "SAMLP"
And use this command to export your domain settings:
Get-MsolDomainFederationSettings -DomainName "{your-domain}" | Export-Clixml dfs-pf-samlp.xml
The command to view the config is:
Get-MsolDomainFederationSettings -DomainName "{your-domain}" | Format-List *
Next you have to assign a license to all your users and to set azure self service password reset to off:
https://portal.azure.com/?l=en.en-us#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/PasswordReset
Test the link with incognito mode or invite mode:
- From Office 365: https://www.office.com/
- From App launcher (Google App)
- Delete the user from the Azure side.
- Wait a few hours for G Suite Auto Provisioning to work.
