Azure AD – You now use Google ID with Azure B2B

It has been in preview for the past few months, it is now GA (generally available): you can now invite external users (Azure AD B2B – Business to Business) using Google ID as identity provider, supporting @gmail.com and @googlemail.com email address domains.

Before enabling support for Google ID, you first need to create a Google client ID and secret by accessing https://console.developers.google.com/; it is recommended to use a shared Google account to logon

Create a new project and name it; optionally if you already have an organization configured you can also define it

image  image

Once your Google API project has been created, configure the OAuth consent screen option of your project

image

There define the application details and define the Authorized domains with the value microsoftonline.com

image  image

Once done, save it and access the Credentials option to create an OAuth client ID

image

Select Web application and define the settings with Authorized redirect URIs set to:

  • https://login.microsoftonline.com
  • https://login.microsoftonline.com/te/<directory id>/oauth2/authresp
    (where <directory id> is your directory ID)

image

Save the client ID and secret.

Then you can logon to your Azure portal (https://portal.azure.com/) or Azure AD Portal (https://aad.portal.azure.com/) to enable Google ID federation for your Azure AD and reach the Organizational relationship

image

Then access the Identity Providers to add the Google one on which you define the client ID and secret you have created above

image  image  image

You can also enable it using PowerShell using the below command

New-AzureADMSIdentityProvider -Type Google -Name Google -ClientId [Client ID] -ClientSecret [Client secret]

That’s it, you are now federating with Google identity services. You can now invite external/guest users using their Google account.

Leave a Comment

Your email address will not be published. Required fields are marked *