Azure Active Directory is the Identity Provider for Microsoft online services such as Azure, Azure DevOps and Office 365. If you use another identity provider, you have to federate it with Azure Active Directory using the B2B Collaboration feature in order to use the identities you already have in G Suite.

The `create_federation.ps1` script creates a direct federation from Azure Active Directory to a G Suite domain. The goal is to access Azure resources with users originating from the federated G Suite domain.
- Windows PowerShell (hence Windows)
- Windows PowerShell AzureADPreview module. The AzureADPreview module is installed by `create_federation.ps1`.
- Familiarize yourself with the relationship between Azure and Azure Active Directory, and with the Azure Identity Management and Access Control best practices
- Create a custom SAML App in the G Suite tenant:
  - Use ACS URL `https://login.microsoftonline.com/<aad tenant id>/saml2`
  - Use Entity ID `urn:federation:MicrosoftOnline`
  - Export the IdP metadata file, e.g. `GoogleIDPMetadata-mybrand.io.xml`, and place it in the same location as `create_federation.ps1`
  - Add claim `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` with value Basic Information -> Primary Email address
- Enable the newly created G Suite SAML app (default state is OFF)
- Create the federation by running `create_federation.ps1` with the G Suite domain name as argument
- Invite B2B Guest users from the federated domain
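As an added illustration of what the federation step does with the exported metadata (this is example code, not the project's `create_federation.ps1`): it parses Google's IdP metadata, surfaces the IdP signing certificate's thumbprint and expiry so the operator can compare them with the Google Admin console before trusting it, refuses to overwrite an existing federation for the domain, and then creates the SAML direct federation. The cmdlet and property names follow the AzureADPreview direct-federation documentation and are assumptions to check against the module version you have installed.

```powershell
<#
Added illustrative script, not the project's create_federation.ps1.
Assumptions: AzureADPreview module installed, Google metadata exported as
GoogleIDPMetadata-<domain>.xml next to this script, and cmdlet/property names
as documented for AzureADPreview direct federation (check your module version).
#>
param(
    [Parameter(Mandatory = $true)][string] $GSuiteDomain,   # e.g. mybrand.io
    [string] $MetadataFile = "$PSScriptRoot\GoogleIDPMetadata-$GSuiteDomain.xml"
)
$ErrorActionPreference = 'Stop'

# 1. Parse the IdP metadata Google exported for the custom SAML app
[xml] $md = Get-Content -Path $MetadataFile -Raw
$idp = $md.EntityDescriptor
$sso = @($idp.IDPSSODescriptor.SingleSignOnService)
$signOn = $sso | Where-Object { $_.Binding -like '*HTTP-Redirect' } | Select-Object -First 1
if (-not $signOn) { $signOn = $sso[0] }   # Google publishes one URL for both bindings
$signingKey = $idp.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -ne 'encryption' } | Select-Object -First 1
$certB64 = $signingKey.KeyInfo.X509Data.X509Certificate -replace '\s', ''

# 2. Show what is about to be trusted: the IdP signing certificate's thumbprint and
#    expiry, to be compared with the certificate shown in the Google Admin console
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($certB64))
Write-Host "IdP issuer      : $($idp.entityID)"
Write-Host "IdP sign-in URL : $($signOn.Location)"
Write-Host "Signing cert    : $($cert.Thumbprint), valid until $($cert.NotAfter.ToString('u'))"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw 'IdP signing certificate expires within 30 days; rotate it in G Suite first'
}

# 3. Do not silently overwrite a federation that already exists for this domain
Connect-AzureAD | Out-Null
$existing = Get-AzureADExternalDomainFederation -ExternalDomainName $GSuiteDomain `
    -ErrorAction SilentlyContinue
if ($existing) { throw "Direct federation for $GSuiteDomain already exists; remove it first" }

# 4. Create the SAML direct federation from the parsed values
$settings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings
$settings.IssuerUri = $idp.entityID
$settings.PassiveLogOnUri = $signOn.Location
$settings.SigningCertificate = $certB64
$settings.PreferredAuthenticationProtocol = 'Samlp'
New-AzureADExternalDomainFederation -ExternalDomainName $GSuiteDomain -FederationSettings $settings
```

Run it from the folder containing the exported metadata, e.g. `.\example_federation.ps1 -GSuiteDomain mybrand.io`; the thumbprint it prints should match the certificate shown for the SAML app in the Google Admin console.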
- There is a G Suite Office 365 SAML App (it is named after Office 365 because Google assumes that is what you will be accessing; however, AAD works with any Microsoft online service), which can be used instead of the custom SAML app. I did not use this app, as it attempts to auto-provision users in the AAD tenant and I prefer this to be an AAD managed process instead.
- Azure Active Directory Google federation is also in preview, but does not allow custom G Suite domains to be used (yet). Hence direct (SAML, WS-Fed) federation is used instead.
- Access the Azure Portal using a fully qualified URL that includes the AAD domain name, e.g. `https://portal.azure.com/mybrand.onmicrosoft.com`.
- The Azure EA Portal does not understand B2B accounts, so you can't sign in with Google identities there. However, you should be able to create Azure subscriptions with B2B accounts from the Azure Portal using this method. Note it is recommended to use (break glass) functional user accounts as Azure account owners (see best practices).
- Setting up federation requires Windows PowerShell modules, hence Windows as the OS (no PowerShell Core support, unfortunately)
- This uses Azure Active Directory B2B direct federation, which is in preview (i.e. limited SLA)
- I couldn't find a first-party CLI for G Suite, so that part of the setup (SAML app creation) is manual
- Azure Active Directory B2B Documentation
- Azure Active Directory management blade
- Azure Identity Management and access control security best practices
- Direct federation with AD FS and third-party providers for guest users
- How Azure subscriptions are associated with Azure Active Directory
- PowerShell Windows AzureADPreview module
This project is provided as-is, and may not necessarily be maintained