Introduction
As a global administrator or a user/client who is allotted any of the restricted administrator directory roles, you can utilize the Azure portal to invite B2B collaboration users/clients. You can invite guest user/clients to the directory, to a group, or to an application.
By setting up Federation with Google, you can allow invited users/clients to sign in to your shared apps and resources with their own Google accounts, without having to create Microsoft Accounts (MSAs) or Azure AD accounts.
The experience for the Google user/client
When you send an invitation to a Google Gmail user/client, the guest user/client should access your shared apps or resources using a link that includes the tenant context. Their experience changes relying upon whether they're already signed in to Google.
- If the guest user/client isn't signed in to Google, they're prompted to sign in to Google.
- If the guest user/client is already signed in to Google, they'll be prompted to choose the account they want to use. They must choose the account you used to invite them.
Configure a Google developer project
At first, create a new project in the Google Developers Console to get a client ID and a client Secret that you can later add to Azure AD.
- Go to the Google APIs at https://console.developers.google.com and sign in with your Google account. We recommend that you use a shared team Google account.
- Create a new project. On the Dashboard, select "Create Project" and select "Create". On the "New Project" page, enter a Project Name and select "Create".
- Make sure your new project is selected in the project menu. At that point, open the menu in the upper left and select APIs and Services >>>Credentials.
- Choose the OAuth consent screen tab and enter an Application name (Leave alternate settings.)
- Scroll to the "Authorized domains" section and enter microsoftonline.com.
- Select "Save".
- Choose the credentials in the "Create credentials" menu, choose OAuth client ID.
- Under application type, choose Web application, and under "Authorized Redirect URIs", enter the following URIs.
- https://login.microsoftonline.com
- https://login.microsoftonline.com/te/<directory id>/oauth2/authresp
(where <directory id> is your directory ID)
- Select "Create". Copy the client ID and client secret which you'll use when you add the identity provider in the Azure AD portal.
Configure Google federation in Azure AD
Now, you'll set the Google client ID and client secret, either by entering it in the Azure AD portal or by using PowerShell. Make sure to test your Google Federation setup by inviting yourself using a Gmail address and trying to redeem the invitation with your invited Google account.
To configure Google Federation in the Azure AD portal
- Go to the Azure portal. In the left pane, select Azure Active Directory.
- Select Organizational Relationships.
- Select Identity providers, and after that click the Google
- Enter a name. At that point enter the client ID and client secret you obtained before. Select Save.
- After the fill >>> Select
Google guest users sign in process
Remove Google Federation
To delete Google Federation in the Azure AD portal
- Go to the Azure portal. In the left pane, select Azure Active Directory.
- Select Organizational Relationships.
- Select Identity providers.
- On the Google line, select the context menu and then select Delete.
- Select Yes to confirm delete.
Using Google Federation by using PowerShell
- Install the latest version of the Azure AD PowerShell for Graph module
- Run the following command: Connect-AzureAD
- At the sign-in prompt, sign in with the managed Global Administrator account.
- Run the following command,
New-AzureADMSIdentityProvider -Type Google -Name Google -ClientId [Client ID] -ClientSecret [Client secret]
To delete Google Federation by using PowerShell
- Install the latest version of the Azure AD PowerShell for Graph module (AzureADPreview).
- Run Connect-AzureAD.
- In the login in prompt, sign in with the managed Global Administrator account.
- Enter the following command,
Remove-AzureADMSIdentityProvider -Id Google-OAUTH
Summary
In this article, we learned how to add Azure Active Directory B2B collaboration users in the Azure portal. In my next article, I will cover the next step of this series.