Microsoft Opens Azure Active Directory B2B Service To Add Google As An Identity Provider For B2B Guest Users

By setting up federation with Google, you can allow invited guest users to sign in to your shared apps and resources with their own Google accounts, without having to create Microsoft Accounts (MSAs) or Azure AD accounts for them.

Introduction

As a global administrator, or as a user who has been assigned any of the limited administrator directory roles, you can use the Azure portal to invite B2B collaboration users. You can invite guest users to the directory, to a group, or to an application.

The experience for the Google user/client

When you send an invitation to a Google (Gmail) user, the guest user should access your shared apps or resources through a link that includes the tenant context. Their experience depends on whether they are already signed in to Google.
  • If the guest user isn't signed in to Google, they're prompted to sign in to Google.
  • If the guest user is already signed in to Google, they're prompted to choose the account they want to use. They must choose the account you used to invite them.

Configure a Google developer project

First, create a new project in the Google Developers Console to obtain a client ID and a client secret that you will later add to Azure AD.
  1. Go to the Google APIs console at https://console.developers.google.com and sign in with your Google account. We recommend that you use a shared team Google account.
  2. Create a new project. On the Dashboard, select "Create Project" and then "Create". On the "New Project" page, enter a Project Name and select "Create".
  3. Make sure your new project is selected in the project menu. Then open the menu in the upper left and select APIs & Services > Credentials.
  4. Choose the OAuth consent screen tab and enter an Application name (leave the other settings unchanged).
  5. Scroll to the "Authorized domains" section and enter microsoftonline.com.
  6. Select "Save".
  7. Select the Credentials tab, and in the "Create credentials" menu choose OAuth client ID.
  8. Under application type, choose Web application, and under "Authorized Redirect URIs", enter the following URIs.
    • https://login.microsoftonline.com
    • https://login.microsoftonline.com/te/<directory id>/oauth2/authresp

      (where <directory id> is your directory ID)
  9. Select "Create". Copy the client ID and client secret; you will need them when you add the identity provider in the Azure AD portal.

Configure Google federation in Azure AD

Now you will set the Google client ID and client secret in Azure AD, either by entering them in the Azure AD portal or by using PowerShell. Afterwards, test your Google federation setup by inviting yourself using a Gmail address and redeeming the invitation with that Google account.

To configure Google Federation in the Azure AD portal

  1. Go to the Azure portal. In the left pane, select Azure Active Directory.
  2. Select Organizational Relationships.
  3. Select Identity providers, and then select Google.
  4. Enter a name. Then enter the client ID and client secret you obtained earlier. Select Save.
    • Before filling in the fields
    • After filling in the fields and selecting Save

Google guest users sign in process
[Screenshots: Google guest user sign-in flow]

Remove Google Federation

To delete Google Federation in the Azure AD portal
  1. Go to the Azure portal. In the left pane, select Azure Active Directory.
  2. Select Organizational Relationships.
  3. Select Identity providers.
  4. On the Google line, select the context menu and then select Delete.
  5. Select Yes to confirm the deletion.

To configure Google Federation by using PowerShell

  1. Install the latest version of the Azure AD PowerShell for Graph module (AzureADPreview).
  2. Run the following command: Connect-AzureAD
  3. At the sign-in prompt, sign in with the managed Global Administrator account.
  4. Run the following command, substituting the values you copied from the Google developer project:
    New-AzureADMSIdentityProvider -Type Google -Name Google -ClientId [Client ID] -ClientSecret [Client secret]

To delete Google Federation by using PowerShell

  1. Install the latest version of the Azure AD PowerShell for Graph module (AzureADPreview).
  2. Run Connect-AzureAD.
  3. At the sign-in prompt, sign in with the managed Global Administrator account.
  4. Enter the following command:
    Remove-AzureADMSIdentityProvider -Id Google-OAUTH
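The PowerShell steps above, combined into one script as an added example (not code from the article or from Microsoft): it prints the redirect URIs the Google OAuth client needs, creates the Google identity provider only if one is not already registered, verifies the result, and optionally sends a test invitation to a Gmail address. It assumes the AzureADPreview module is installed, that you sign in with a Global Administrator account, and that the myapps.microsoft.com tenant-context link format is acceptable for your tenant.

```powershell
# Added example: configure and verify Google federation for Azure AD B2B guests.
# Assumes the AzureADPreview module and a Global Administrator sign-in.
param(
    [Parameter(Mandatory)] [string] $GoogleClientId,      # from the Google OAuth client
    [Parameter(Mandatory)] [string] $GoogleClientSecret,  # from the Google OAuth client
    [string] $TestInviteeEmail                            # optional Gmail address for an end-to-end test
)

Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD | Out-Null

# Step 1: derive the redirect URIs that must be registered on the Google OAuth client.
# The tenant (directory) ID is the ObjectId of the tenant detail object.
$tenantId = (Get-AzureADTenantDetail).ObjectId
Write-Host "Register these Authorized redirect URIs in the Google developer console:"
Write-Host "  https://login.microsoftonline.com"
Write-Host "  https://login.microsoftonline.com/te/$tenantId/oauth2/authresp"

# Step 2: create the Google identity provider only if it does not already exist,
# so re-running the script does not fail or create duplicates.
$existing = Get-AzureADMSIdentityProvider | Where-Object { $_.Type -eq 'Google' }
if ($existing) {
    Write-Host "Google federation already configured (Id: $($existing.Id)); leaving it unchanged."
} else {
    $idp = New-AzureADMSIdentityProvider -Type Google -Name Google `
        -ClientId $GoogleClientId -ClientSecret $GoogleClientSecret
    Write-Host "Created identity provider '$($idp.Name)' with Id $($idp.Id)."
}

# Step 3: confirm the provider is registered with the expected client ID.
$google = Get-AzureADMSIdentityProvider | Where-Object { $_.Type -eq 'Google' }
if (-not $google -or $google.ClientId -ne $GoogleClientId) {
    throw "Google identity provider is missing or has an unexpected client ID."
}

# Step 4 (optional): invite a Gmail account with a tenant-context link so the
# federation can be tested by redeeming the invitation with that Google account.
if ($TestInviteeEmail) {
    New-AzureADMSInvitation -InvitedUserEmailAddress $TestInviteeEmail `
        -InviteRedirectUrl "https://myapps.microsoft.com/?tenantid=$tenantId" `
        -SendInvitationMessage $true | Out-Null
    Write-Host "Invitation sent to $TestInviteeEmail; redeem it with that Google account."
}
```

Run it as `.\Set-GoogleFederation.ps1 -GoogleClientId <id> -GoogleClientSecret <secret> -TestInviteeEmail you@gmail.com`; to roll back, use the Remove-AzureADMSIdentityProvider command shown above.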

Summary

In this article, we learned how to configure Google as an identity provider for Azure Active Directory B2B guest users, both in the Azure portal and by using PowerShell. In my next article, I will cover the next step of this series.