Google Workspace to Office 365 SSO & Provisioning Guide

Table of Contents

1. Topic Overview

Overview of our scenario and expected output .

Jump to section

2. System Requirements

Let us ensure system prerequisite for Google Workspace to Office SSO.

Jump to section

3. Office 365 ImmutableId

What is immutableId and how does it impact federation?

Jump to section

4. Google Workspace to Office 365 SSO

Step by step instructions to setup Google to Office 365 SSO.

Jump to section

5. Google to Office Provisioning

Instructions to setup Google Workspace to Office 365 user provisioning.

Jump to section

6. FAQs

Get answer to FAQs, or ask if you have any question.

Jump to section

Google Workspace to Office 365 SSO & Provisioning

Topic Overview & Expected Output

  • There might be use cases where you would like to setup Google Workspace SSO to office 365
    so your Office 365 users can authenticate via their Google Workspace or Google Cloud Identity accounts.

A couple of use cases that I have seen are-:

  1. Your organization has moved to Google Workspace, but a few users still have accounts in Office 365.
  2. Your organization has moved to Google Cloud Identity as your Identity provider and now needs to authenticate to target applications including Office 365.

Google Cloud Identity is very flexible and it can be used as “Service Provider”, Identity provider or even both.

In this blog post, I would show you how you can use Google Cloud Identity or Google Workspace as identity provider and use Google Workspace SSO to sign in Office 365 via SAML 2.0 (or WS-Fed).

Let’s start with our expected output, we should see following after our setup-:

  • Our users should see the Office 365 application icon in their Google Workspace or Cloud Identity dashboard and launcher, and when they click on it, they should be logged into Office 365 (via their Google Identity) without being asked for credentials.

  • If our users directly go to Office 365, they should be redirected to their Google Cloud Identity (or Google Workspace) login page, and then back to Office 365 after success Google login.

     

  • Users should be automatically provisioned (and de-provisioned) in Office 365 when they are provisioned (and de-provisioned) in Google Workspace or Google Cloud Identity.
 

System Requirements

Lets look at the system requirements which you should complete for seamless federation and user lifecycle management from Google Workspace to Office 365.

Google Workspace to Office 365 SSO : System Requirements

Office 365 requirements :

  • Verified Domain (e.g yourdomain.com)
  • Global Administrator role
  • PowerShell (with Microsoft Azure Active Directory Module) installed
  • One Test user (user@yourdomain.com)
Notes :
1.  If you have Azure Active Directory Premium, you might be able to create a custom role from Privileged Identity Management instead of assigning Global Admin role (e.g Hybrid Identity Administrator, Directory Synchronization Accounts).

2. You do not own the default Microsoft  domain (e.g yourdomain.onmicrosoft.com), and hence can not setup federation on it. You would need to add the domain you own (e.g goldyarora.com) for it, you can find Microsoft’s documentation to add domain in Office here.


Google Workspace (or Google Cloud Identity) requirements :

  • Supported Google Workspace, Cloud Identity or Drive SKU (details below)
  • Google Workspace or Google Cloud Identity Super Administrator role
  • One Test user provisioned (e.g user@yourdomain.com)

List of Google subscriptions with SSO & Provisioning availability

Plan SSO Provisioning
Google Workspace Basic Available Available
Google Workspace Business Available Available
Google Workspace Enterprise Available Available
Google Cloud Identity Free Available Not Available
Google Cloud Identity Premium Available Available
Google Drive Enterprise Available Not Available
Google Workspace Education Available Available
Google Workspace Education Enterprise Available Available

Undestanding Office 365 ImmutableId

In this section, let’s understand Office 365 immutableId attribute, how does it impact our Google Workspace to Office 365 SSO, and how to fix it with a few PowerShell commands

Understand & Fix Office 365 ImmutableId

Office 365 has an immutableId attribute to uniquely identify users (primaryKey). It is similar to objectGUID in Active Directory.


Now what your users’ immutableId would look like depends on how you provision your users, lets look at various provisioning options along with their impact on immutableId-:

  1. You have just setup Office 365 and the only user you have is someuser@somename.onmicrosoft.com : You do not need to worry about ImmutableId as you have not created users in Office 365 (except your default .onmicrosoft.com one), you can simply go to next section as you don’t need to fix immutableId).

  2. Users created directly in Office 365 Admin Console on “Non-Federated” domain : ImmutableId would be blank.

  3. Users created via Azure AD Sync : ImmutableId would be the base64 encoded version of Active Directory’s objectGUID (based on default directory sync configuration, but can be changed).

  4. Users created via Identity Provider (e.g Okta) on a federated domain : ImmutableId would be the value you send to Office 365 when making create user API call via your IdP.


 If you are in #2, #3 or #4 category, please read following carefully :

As your Office 365 users have immutableId which is different than their Office 365 UPN

You have two options to deal with it :

Option 1 : Custom Attribute in Google with your ImmutableId

Create a custom attribute in Google (e.g immutableId) → populate it with users’ office 365 immutableId → and then configure Google to send this custom attribute when responding to SAML request.

However, this option would be painful as it requires you to keep managing and populating Google users with their respective Office 365 immutableId.

If you decide to go with this option, you can skip the rest of this section, and go to next one where I show you how to setup Google Workspace to Office 365 SSO.

Option 2 : Change your users’ ImmutableId

 

Now, by definition, immutableId is not meant to be changed, however there might be scenarios like this where you might consider to change it.

You may keep reading if you decide to go with this option, as I would now show you how to change your Office 365 users’ immutableId.

Change ImmutableId

You would need to disable Directory Sync to be able to change ImmutableId, you can do it with  following PowerShell command :

Set-MsolDirSyncEnabled -EnableDirSync $false

1. Run the following Powershell command to see all your users UPN, ImmutableId, whencreated and last directory sync time.

Command to view users in PowerShell :

Get-MsolUser -All | Select-Object UserprincipalName,ImmutableID,WhenCreated,LastDirSyncTime

Command to download in csv :

$exportUsers = Get-MsolUser -All | Select-Object UserprincipalName,ImmutableID,WhenCreated,LastDirSyncTime | Export-Csv C:\csvfile


2. If your users’ immutableId is not equal to their Office 365 UPN, then run the following Powershell command to temporarily change their UPN to a non federated domain.

PowerShell command to change UPN of a single user (Change orange part to yours) :

Set-MsolUserPrincipalName -UserPrincipalName admin@id.goldyarora.com -NewUserPrincipalName admin@second.ci.goldyarora.com

 

PowerShell Command to change UPN of all users except where UPN starts with admin (Change the orange part to yours):

Get-MsolUser -all | Where { -Not $_.UserPrincipalName.ToLower().StartsWith(“admin“) } | ForEach { Set-MsolUserPrincipalName -ObjectId $_.ObjectId -NewUserPrincipalName ($_.UserPrincipalName.Split(“@”)[0] + “@second.ci.goldyarora.com“) }

3. Run the following PowerShell command to change ImmutableId of your users whom UPN is now temporarily changed to non federated domain.

PowerShell command to change ImmutableId of a single user (Change the orange part to yours) :

Set-MsolUser -UserPrincipalName admin@second.ci.goldyarora.com -ImmutableId admin@id.goldyarora.com

 

PowerShell Command to change ImmutableId of all users except where UPN starts with admin (Change the orange part to yours) :

Get-MsolUser -all | Where { -Not $_.UserPrincipalName.ToLower().StartsWith(“admin“) } | ForEach { Set-MsolUser -ObjectId $_.ObjectId -ImmutableId ($_.UserPrincipalName.Split(“@”)[0] + “@id.goldyarora.com“) }

4. Run the following powerShell command to change the UPN back to original as we have now changed the ImmutableId.

PowerShell command to change UPN of a single user (Change the orange part to yours):
Set-MsolUserPrincipalName -UserPrincipalName admin@second.ci.goldyarora.com -NewUserPrincipalName admin@id.goldyarora.com

 

PowerShell Command to change UPN of all users except where UPN starts with admin (Change the orange part to yours) :
Get-MsolUser -all | Where { -Not $_.UserPrincipalName.ToLower().StartsWith(“admin“) } | ForEach { Set-MsolUserPrincipalName -ObjectId $_.ObjectId -NewUserPrincipalName ($_.UserPrincipalName.Split(“@”)[0] + “@id.goldyarora.com“) }

5. Run the following PowerShell command to confirm that ImmutableId for our users have been changed and now matching the UPN.

Command to view users in PowerShell-:

Get-MsolUser -All | Select-Object UserprincipalName,ImmutableID Command to download in csv-:

$exportUsers = Get-MsolUser -All | Select-Object UserprincipalName, ImmutableID | Export-Csv C:\csvfile

Now you are ready to move to next step where we will setup Google Workspace to Office 365 Single Single On (SSO).

Google Workspace to Office 365 SSO Setup

Google Workspace to Office 365 SSO Guide

Setup Office 365 as Service Provider in Google Workspace

1. Login to Google Workspace or Google Cloud Identity Admin Console (admin.google.com)

2. Go to Apps, and then click on SAML apps as shown in the screenshot below 

Go to SAML Apps in Google Admin Console

Click on + icon to search and add Office as SAML application.

Click plus icon to add a new SAML app
  1. Search Google’s SAML apps catalogue for Office 365.

  2. Go to Microsoft Office 365 from the search results.

  3. Click on the right arrow (shown as #3 in screenshot below) to configure Office 365 as SAML application.
 
Add Office 365 SAML app
  1. Download IDP metadata from option two (we will use the values from it when configuring Google as IDP in Office 365 later).

  2. Click on Next after your downloaded metadata.
Download IDP metadata from Google
  • You may leave the default values for Application name and click on next
leave app name as default and click on next

1. Enable Signed Response by checking the box as shown in the screenshot below.

2. Select Basic Information –> Primary Email to be sent in Name ID

3. Select “Persistent” as the Name ID format.

Note : If you did not change your Office 365 users’ immutableId to UPN, and rather decided to go with immutableId itself, then select your custom attribute which contains users’ immutableId here, and not primary email.
configure Office 365 details in Google SAML app
  1. Select Basic Information –> Primary Email for the IDPEmail attribute mapping.

  2. Click on “Finish” to complete SAML application setup for Office 365.
setup attribute mapping for Google to Office 365 SSO

Create Powershell variables for Office 365 SSO

Office 365 needs a few properties for federation setup so it can securely send SAML request to Google, and can also parse the the response.

Property Name Why we need it? Property Value
Domain Name This will our Office 365 domain name that we want to federate to Google. Domain Name that we want to federate.
Authentication We would need to tell Office 365 our authentication method. Federated
Federation Brand Name This is for our reference, we can provide any contextual name here (e.g Google) Google Cloud Identity
Issuer URI Microsoft needs to know who issued the SAML response, here we would put our Google Entity ID here. Entity ID

(Available in the IDP metadata that we downloaded from Google)
Active and passive logon URI This would be the Identity provider (Google in our case) URL, which Office 365 would refer to as SSO URL. Google SSO URL

(available in the IDP metadata file that we downloaded from Google)
LogOffUri To specify where should Office 365 redirect our users when they log out.

You can put URL any URL here.
https://accounts.google.com/logout
Signing Certificate This would be the public key which Google provided us, Office 365 would use this to identity itself in the SAML request, and also to parse SAML response. X509Certificate Value

(available in the IDP metadata file that we downloaded from Google)
PreferredAuthenticationProtocol To specify the preferred authentication protocol. SAMLP

Your variables would look like this (with your own values for domain name, federated brand name, issuerUri, activeLogOnUri, PassiveLogOnUri, Signing Certificate)

$domainName = “id.goldyarora.com”
$Authentication = “Federated”
$FederationBrandName = “Google Cloud Identity”
$IssuerUri = “https://accounts.google.com/o/saml2?idpid=C03a9sjs9
$PassiveLogOnUri = “https://accounts.google.com/o/saml2/idp?idpid=C03a9sjs9
$ActiveLogOnUri = “https://accounts.google.com/o/saml2/idp?idpid=C03a9sjs9
$LogOffUri = “https://accounts.google.com/logout”
$SigningCertificate = “MIIDdDCCAlygAwIBAgIGAXEQDuMqMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJbmMuMRYwFAYDVQQHEw1
Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDwZHb29nbGUxGDAWBgNV

BAsTD0dvb2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgN
VBAgTCkNhbGlmb3JuaWEwHhcNMjAwMzI1MDQ1OTAxWhcNMjUw
MzI0MDQ1OTAxWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMB
QGA1UEBxMNTW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlM
RgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsxCzAJBgNVBAYTAlVTM
RMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAA
OCAQ8AMIIBCgKCAQEA6GfDWaCspEWgMKE8aTpUq3W95p9JulrT4UE
ROj6s3/RJDpyCeZQYOPOcFiJqEIPwiEK5QFkQFHOZUEgjqhHAcyDUf1D

Now let us copy our variables, and run them in Powershell

  • Open Microsoft Powershell
Open Microsoft Powershell
  • Connect to Office 365 with the command Connect-MsolService
Connect to Office 365 in Powershell with connect-msolservice command
  • Now a window would pop up asking for your Office 365 credentials.

  • Enter your Office 365 Administrator Email Id.
enter your office 365 admin email id
  • Enter your Office 365 Administrator Password.
enter your office 365 admin password
  • If you are enrolled in to MFA, verify your identity by authentication via MFA.
do the mfa if you have enabled it
  • Now paste the copied variables that you created above as shown in the screenshot and press enter.

  • If everything went fine here, you won’t see any error, and Powershell would be ready to take next command.
enter your powershell variables
  • Now we need to run command to setup federation (or change it if you already have federation setup) which would ask PowerShell to fetch values of the federation properties from the variables we just defined.

  • You can also run this command to check whether your domain is already federated or not.
  • Get-MSolDomainFederationSettings -DomainName id.goldyarora.com | Format-List *

Run the following PowerShell command IF this is the first time you are setting up federation on this domain:

Set-MsolDomainAuthentication -DomainName $domainName -Authentication $Authentication -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP

Run the following PowerShell command IF you already have federation on this domain, and now need to change it to Google :

Set-MsolDomainFederationSettings -DomainName $domainName -Authentication $Authentication -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP

Enter powershell command to setup federation
  • Now let us test to ensure federation settings are set for our domain.

  • Run the following Powershell command replacing id.goldyarora.com with your own domain.

  • Get-MSolDomainFederationSettings -DomainName id.goldyarora.com | Format-List *

  • You should see the values of your variables against the federation properties as shown in the screenshot below.
test your federation settings in Powershell

Provide Office 365 SAML application access to our Google users

Now, as we are done with Google Cloud Identity or Google Workspace to Office 365 SSO setup, we need to assign Office 365 SAML application to our required users.

You can either assign this application to all of your users in Google tenant, OR only to a subset of users via their OrgUnit or Group membership.

I would recommend you to put one test user in a group (lets called Office365testgroup), and then give Office 365 SAML app access only to this group.

This way we would be able to test our SSO before we roll it out to broader audience.

Once you create your Group and add a test user in it, assign Office 365 app to this group as shown in below screenshot :

(Note -: The test user you add in this group, should already be provisioned in Google)

  1. Go to Office 365 SAML app that you created in Google.
  2. In the left hand navigation, search for your Group.
  3. Enable the App for this group.
  4. Save changes.
Enable Office 365 SAML app for a group

Testing our SSO (Google / Identity Provider Initiated)

  • Login to Google with your test user and to https://gsuite.google.com/dashboard

  • Here you should see Office 365 application as it has been assigned to you via test group membership.
Office 365 SAML app in Google dashboard
  • As you are already logged in to your Google account, Google would send the SAML assertion to Office 365 when you click on the application icon.

  • You should have been logged in successfully to your Office 365 application.


    Note-: If your Office 365 Administrator has enabled MFA, and if you haven’t set it up yet, you would be asked to register it.

Logged into Office 365 via Google SSO

Testing our SSO (Office 365 / Service provider Initiated)

Now, as we have federation in place, when our user tries to login directly to Office 365, he should be redirected to Google.

sign in to office 365

Office 365 is redirecting our user to Google as we have setup Google as our identity provider.

Office 365 should redirect to Google for SSO

Now if the user is already logged into Google, then user would straight away land to Office 365 page.

If the user is not already logged into Google, then would require to login to Google first.

Then, if our user would be asked to login to Google (if not already logged in), and should landing at Office 365 after successful login to Google.

login to Google

Now, Google would send the SAML response to Office 365, and user should be logged into Office 365.

Logged into Office 365 via Google SSO

As you have now successfully tested both IdP initiated and SP initiated sign on, feel free to assign Office 365 application to all / required users.

You can turn off SSO if required (may be for troubleshooting) with following command (replace my domain name with yours) :

Set-MsolDomainAuthentication -DomainName id.goldyarora.com -Authentication managed

Google Workspace to Office 365 Provisioning

In this section, let us understand how we can manage our Office 365 users lifecycle via Google Cloud Identity (or Google Workspace).

G Suite to Office 365 Provisioning Guide

 

Click on the Office 365 application that you created earlier (Google Workspace Admin Console –> SAML Apps –> Office 365) as shown in the screenshot below.

Go to office 365 SAML app in Google

Click on User Provisioning to start the configuration of Google Workspace to Office 365 provisioning.

Note : If you do not see User Provisioning here, that means you either do not have Super Admin role in Google, or you have Google Workspace or Google Cloud Identity plan that does not offer auto user provisioning. 

Click on user provisioning

Click on “Set up user provisioning”.

Set up user provisioning

You would need to authorize Google to be able to create and manage users in Office 365, click on “Authorize”.

authorize Google Workspace to provision in Office 365

Login in to Office 365 with your Administrator Email

Sign in to Office 365 with admin email

Enter your Office 365 Administrator password

enter your office 365 administrator password

Approve the sign in request if you have MFA enabled on your Office 365 Admin account.

enter your office 365 MFA

Attribute Mapping :

  • You would now need to map attributes (e.g which attributes should Google send to Office 365 to create and manage your users.

  • These 4 attributes shown below are required ones including “onPremisesImmutableId” where you would need to provide mapping.

  • You can any value that you want for immutableId, I would go with Google Workspace user’s primary email for it.
      
  • You can also click on “Show All” to map other optional attributes.
map google to office 365 attributes

Here you should add your Google group which you would be using for provisioning to Office 365.

Whoever is in this group, would be created as user in Office 365.

Select your Google group as scope to provision in Office 365

Click Ok

Activate Office 365 provisioning in Google

Now as we have mapped the attributes along with defining our provisioning scope via Google group, we are all set to activate provisioning from Google Workspace to Office 365.

Click on “Activate Provisioning” as shown in the screenshot below.

Activate office 365 provisioning

At this stage, Google would inform us one more time to ensure we have mapped the attributes correctly along with defining our provisioning scope, because once we turn on Activate here, Google would start the provisioning right away.

As we are all set with these requirements, let us go ahead and activate provisioning by clicking on “Activate” button.

Activate provisioning from Google

At this time, users in your scoping group should be created in Office 365.

These actions (including create, suspend or update users) would be logged in your Google Admin Console –> Reporting –> Audit –> Admin.

You should also go to your Office 365 Admin console to confirm that you users are created and/or updated there.

 

FAQs

Here am listing some of the frequently asked questions about Google Workspace to Office 365 SSO & User Lifecycle management, please comment in the bottom if you have any question, and I will add it (along with the answer) to FAQs.

FAQ

Most frequent questions and answers about Google Workspace to Office 365 SSO and Provisioning.

Google does not provide an option to provision / manage groups and memberships to Office 365.

Only Google Workspace or Google Cloud Identity Super Administrators can add SAML applications.

Please make sure you are assigned Super Admin role.

No, Google does not support 3rd party MFA integration.

However you should be able to leverage Google’s MFA (which supports multiple MFA methods including security key).

Google’s MFA is available to Google Workspace and Google Cloud Identity customers without any additional cost.

Google Cloud Identity (or Google Workspace) Administrators with Reporting priveleges can look at SAML and Provisioning logs.

Following SAML Login logs are available at this path Admin Console –> Reports –> Audit –> SAML

SAML Login Logs :

  • Event Nama – (e.g Successful login)

  • Event description (e.g Goldy Arora logged in)

  • User (e.g admin@id.goldyarora.com)

  • Application Name (e.g Microsoft Office 365)

  • Organization name (user’s orgUnit name like /Contractors)

  • Initiated by (who initiated the login e.g Service provider or Identity Provider)

  • Failure type (if any failure, e.g Application not configured)

  • Response status (e.g SUCCESS_URI)

  • Response second level status

  • IP Address (login user’s IP address, e.g 96.248.xxx.xx)

  • Date (date and time of user login, e.g 3 Feb 2020, 08:47:59 GMT-5)


Following provisioning (and deprovisioning) logs are available at this path Admin Console –> Reports –> Audit –> Admin

  •  Event Name (e.g Update Auto Provisioned User)

  • Event Description (e.g User admin@id.goldyarora.com was updated on application Microsoft Office 365 by auto provisioning)

  • Admin (which Admin performed this operation)

  • Date (date and time when this operation was performed, e.g 24 Apr 2020, 13:59:30 GMT-4)

  • IP (IP address of the Admin who performed this operation, e.g 96.248.XXX.XX)

 

 

 
 

Ask it in the comments below, and I would try to answer it (if i can) as soon as I get time.

RECOMMENDED READING

As you just read Google Workspace to Office 365 SSO and Provisioning Guide, I would recommend following as complimentary reading.
Okta - Google - Integration - Guide
AdminGoogle WorkspaceSecuritySSO

Definitive Guide to Okta & Google Integration

Read More →
Definitive-Guide-to-Google-Conflicting-Accounts
AdminGoogle Workspace

Definitive Guide to Google Conflicting Accounts

Read More →
Password-Vaulted-Apps-Service-in-Google Workspace-and-Google-Cloud-Identity
AdminGoogle WorkspaceSecuritySSO

Securely login to any app with Google Workspace Password Vaulted Apps

Read More →

84 thoughts on “Google Workspace to Office 365 SSO and Provisioning Guide”

  1. Hi Goldy,

    Thanks for your tutorial on G-Suite to Office365 SSO and provisioning. I have been able to succesfully set up the single-sign on and provisioning on my domain. However, I am trying one additional step beyond what you explained and I am not getting results there. After having done all that you explained above, I tried the following steps:
    1. Connected a PC using “Join to Azure AD”
    2. Tried to login into the Windows 10 PC using the credentials of one of the users of G-suite identity – it was not working, used to give an error “Incorrect user or password”
    3. Tried to login into the PC using the credentials of one of the primary tenant (onmicrosoft.com) – all users are able to login.

    Can you please help me understand and resolve the problem where the users of G suite are unable to login into Windows 10 using their g-suite identity.

  2. Many thanks for your helpful article. I have successfully configured our Not-For-Profit Google Workspace and Office 365 platforms to use a shared SSO (on Google). However I have now encountered an issue which I am unable to resolve and I am hoping that you can help.
    If I authenticate in a web browser everything works fine however, if I try to log in through any of the desktop office apps (on a Windows 10 platform) I get the following: –
    – “Let’s get you signed in” > “Use a different account” > “Work or school account”
    – Microsoft sign in appears > “Next”
    – “We can’t connect you. Looks like we can’t connect to one of our services right now. Please try again later, or contact your helpdesk if the issue persists.” – HTTP 404 – accounts.google.com

    As you can see the application is failing to communicate with the appropriate Google authentication page.

    Do you have any suggestions about how I might resolve this?

  3. Thanks Goldy! This blog was very useful to help me set up gsuite to azure AD SSO using gsuite as identity provider. I have a question if you could help me with:
    My SSO sign on (both active and passive) into Office 365/Azure and user provisioning in Azure is working perfectly. I have joined a device to Azure AD after this. But now, I am unable to have my gsuite users login into the AzureAD joined PC using their credentials (domain.com). All users who are created on the tenant (domain.onmicrosoft.com) are able to login into this PC with their Azure AD, but Gsuite users are unable to login using their domain.com credentials. Could you please suggest what is going wrong? Thanks a lot for all your help.

  4. Hi Goldy
    Thank you so much for this wonderful admin guide.

    I have one little question for which I probably already know the answer, but just to be sure:

    The client has two completely separate Google instances (students.schoolname.com and schoolname.com). I have no idea what made them setup separate instances and it’s quite silly actually.

    The client would like to use SSO to connect to M365 with users from both google instances but from what I see M365 only takes one federation instance, and I can’t connect both Google instances. I would probably also have to setup two separate M365 instances, right?

    Thank you in advance for your highly appreciated answer.

  5. Hi Goldy,

    Your article in section 4: “Create Powershell variables for Office 365 SSO” you mention to watch a video for step by step instructions on creating variables. There is no link, or I’m finding it hard to locate this?

  6. Hi, first of all thanks a lot for you guide!
    My name is Piero, I work in a school in Palermo (Italy); I did all the steps and everythings seems to
    be Ok but when I try to login with the test account it doesn’t work and I receice this error: “500. That’s an error”.
    If I try to login to the microsoft portal with the google credential i receive this error:

    403. That’s an error.

    Error: app_not_configured_for_user

    Service is not configured for this user.

    Request Details
    idpid=C0123drdu
    RelayState=estsredirect=2&estsrequest=rQIIAa1VS6vsWBk9dc69p–9oF5ERJzYB9pGGuqcvJO6crVTSaoqqTwqj6okNQl5VlJ5v1P7F-iscSQ6aoc9UNSJOHJ8QeixP8CBIxEEJw3WnTh1oLD3hg8Wi_V9rL2-Vx_gj-gj9Ah9cgc_wm8-QigPJ8iImMME4s-xCMfmi4ULzQmKIiOUIj3P95tvvnpt5n_94c93v1E-X0Gvb37_259-Mfte3HVV–bpaRzHxzzxm7Ito-7RL_OnpJsn3R9msy9ns5_dflQ15eB-mvhD0nVlk5Rh7hZ9mIVd2IDyMQz6x6T74rYlUBKDFhgGkYsFgWAYjj5KiBZLBn055monnWlgXyBINo9n0eQQxeA6Od8DO5cwhaUnic1yGXCoZO6BbKidfJZTRb_icxVc8ahiSJ0EgrNiHGMZqJgE4vgvt99Q6L6LkffPVRoI_3H7Miqb3KnKtvvF3Z9fKlVY8AFTFkXod4_vYWHRJb7bJWWxa8oqbLokbN_SNEfTgqYunAqyiIIUpbBg9GM9DcTBr3eqgM8tvLQm1zDGoB3X_Hy-RfGdGQ2dMWx5yXE2yFafbJSUNxPfOYK22SeAUm0W1pWtbF4W63MWrCSYMT0a2lictvDA0IWsSgWCa8GRJS9FvziDwD6cCAfyCgxeR-pgmhMisnA-9Fy91-xhtBYlRB6Wu1JfK-mx0_LJ1s9G6zc-Yy7KSBwTeOnGmGBmFrkV0pXJm7QRFcfacTzf2aRSZi2PubSS9Cif3Cz3mDYGPZQwGMTIEhKAyYTnK3GxKBgL4VCvAixRHqBLO7rYeYjMWi8OuxNUTr3naB0yJWdz5eRgWsK1LQgnZXdRje1-gspdTO_z5oDWHVpt0Kbz_CNOypo8V3B1Cg7tKQe4j_ItDu0HZ_CiOQrT9PJ6RG4_cllmnsayD1ZL3kpGMc6v9pETBCSMTRO7dIGNEdnu4bBiaQNtdruubTbRKjNQV4Bpa0LyUu7xHveDLTpuK98h9FBCCy33Ngdb24vKgo8GcK4abH6Z12p8SvpgngRC1ccQ0Qg0zLemc5yUbHMKHQk_5ql9iCx621oGmOgY9bFtn0Z8mtoTPnkKQp0ZOix1pWYouMrl3TIjJROQViaqe6YcEAfXKYR04UtJwrJb1IoUD-LmBDjdcTG4VCGjlkRVANBFydic7VEWzQE6tCV30QK1Ehproc97Ttjk6VaNtXxVe3yBbeb55iSNF1tjfDrW56kpjphQKWgu-2R3nJ8PCFCg8Xxh8_17f9PmXAJDtmjY1rGLpIYd1kVxmgC-jY8ZueeK1C-tUcqgy35lg4NJMEx3Zp1TUAMudHaCWANAD7ZY206sGca63MJN7Wg4dThYBev61tTFO85voANNSCoH-gTBqKl1h5oM6FW868u-DJNk6Z2E9iwsKZkjm9SaD6lPS0u_W0ormle7pltmwNP357wYyaFsUDTXuAC15E21d2MppiokjnYoWE2Yag59ndI1z1O6CqcX_DSdaFFba5c8dbhuAgmicwwWrcO91AdWrWsMlQ48RS2TopBOF1WhrnPgz9zBy4GRZPWBoa_CI5Mu_a5UsH0iQk6d1mh2xoTAHQ8iQQPHqQqt4Rxf2AA7KZ21Dza2H5unrXgpHX4j6WEFj0tfssS2Mh00RPMDz9n1MJHFStDWZCgtz7DSclnMUaOucF5JkD1cX796CafL0VukLdaalSEmqiCrdMSNh8wB0Y7-3d39NZ3zsnh39_VrdBVJ8OE1m6MkC798Nvvbs2-_eP767js3H9784FvQ3ZsXL169vnlf_evZ7FfPrxvgR59-RTnf_efq89knvxT0-5t3z5_SyCXXWMba8REQgbEFmic_hVvtPA0qmPJeOu0kxlp0Tw3_FnkDf3Y_–z-_t39S551ZM7AcPjv97OffHDzx5e_vv0vy-THYeQkwVuO5l1eLT0mlvg-cLVWYZakyh9i4ogyMaJZp-V7p9q0fk3k03aPD6yzHLnvo-76etuP_z8srZOO_pWHFh8wBFs8oA8ICqMIjhEkSeEP4cPD6eHhP018rDA8-5bmWQSGIBgjHJ2TnP9Rwp–dvNv0
    SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBJRD0iXzllZjI5OTJkLWU4NjktNDFkMi1iMTQyLWUyYjQwYzlhNWYzMSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMjAtMTEtMTRUMDk6NDg6MDAuNzg5WiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PElzc3VlciB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+dXJuOmZlZGVyYXRpb246TWljcm9zb2Z0T25saW5lPC9Jc3N1ZXI+PHNhbWxwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiLz48L3NhbWxwOkF1dGhuUmVxdWVzdD4=
    username=prova@icvittorioemanueleterzo.edu.it

    Can you help me please?! =)

  7. Excellent guide, great job!
    We setup the SAML SSO, and had been using it for a while. One day, we all received error [‘AADSTS5000811: Unable to verify token signature
    . We ran the cmdlet Get-MsolDomainFederationSettings -DomainName “domainname” | Format-List * , we found out that the SigningCertificate was changed. Also, there is a nextSigningCertificate show up from nowhere. We were able to fix it by re-run Set-MsolDomainAuthentication with the correct certificate. However, we are still not able to find out the root cause. Do you have any idea why the SSO SigningCertificate got changed in the Microsoft? Are there any logs I can look up?

  8. I did federation and everything works. if users log in by chrome with nine-dot in the app everything works. if they log in with credentials from the office portal or from the teams desktop app appears 404 error. I don’t know what to do to solve ..help me please🙏

  9. Hi Goldy, I have a problem with SSO, the string in powershell $ PassiveLogOnUri and $ ActiveLogOnUri:
    “https://accounts.google.com/o/saml2?idpid=C010ug3p3”
    if I try to log into portal.office.com I get the message
    “404. That’s an error.The requested URL was not found on this server. That’s all we know.”
    Help me please

  10. Hi, what is this error ?
    name@school.edu.it, 45003, StatusCode: 403 : Forbidden : {
    error : {
    code : Authorization_RequestDenied
    message : Insufficient privileges to complete the operation.
    innerError : {
    date : 2020-10-21T16:18:07
    request-id : 49435902-d9eb-4cae-843c-03e475fbba3d
    client-request-id : 49435902-d9eb-4cae-843c-03e475fbba3d
    }
    }
    }
    Tanks

  11. Hi, I really liked your manual although I found it to late and followed a similar one on github.

    Maybe you can help me anyway?
    I have a problem with one user.
    He was part of a test run with the goal to make sure that the autoprovisioning part would work.
    So I added him to google group and made the group the sync filter or sync scope (or whatever it is called).
    It worked. he appeard in the AAD.
    Then I deleted him in from AAD.
    Then I added more users to the google group (him still being a member of the group).
    But the user from the test run did not appear again in the AAD.
    So I removed him from the google group.
    Then at least I got a sync error after a view hours saying

    user@somedomain.com, 45003, StatusCode: 404 : Not Found : {
    error : {
    code : Request_ResourceNotFound
    message : Resource [some ID]’ does not exist or one of its queried reference-property objects are not present.
    innerError : {
    date : 2020-10-14T13:02:20
    request-id : [some other ID]
    client-request-id : [some other ID]
    }
    }
    }

    So I added the user to the google group again hoping he would get provisioned again – but even after a workday he did not appear in the AAD and there was no new entry in the Google Workspace audit log.
    So I tried adding him using the invite process in the AAD, but I can’t invite him because my domain is verified.
    Is there any way to solve this?

  12. Massimo Baronti

    Hello Goldy.
    I’m following your guide “Gsuite to Microsoft365 SSO & provisioning”.
    I have two questions.
    1) The scenario is as follows: our school has a domain for GSuite “@ schoolname.education” and the microsoft subdomain “@ schoolname.onmicrosoft.com”. Can I federate the two domains or I need to purchase another domain to be configured as default on microsoft 365?
    2) I created users on microsoft365 and then deleted them. Is imutableID activated?
    On powershell I got the csv file (As you can see the immutableID field is empty):
    ————————-
    “UserPrincipalName”, “ImmutableId”, “WhenCreated”, “LastDirSyncTime”
    “admin@icbientinabuti.onmicrosoft.com” ,, “24/09/2020 17:12:33”,
    ———————————-

    Regards,

    1. 1. Yes, you would need your own domain, you do not have ownership on … onmicrosoft.com and it cant be used for federation.

      2. It should not, try creating that user again.

  13. Andrea Lombardini

    Thank you a lot.
    Really excellent guide.
    I found a little error when i tryed to change the federation params by PowerShell command:

    Set-MsolDomainFederationSettings -DomainName $domainName -Authentication $Authentication -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP

    the answer was:
    Set-MsolDomainFederationSettings : Impossibile trovare un parametro corrispondente al nome ‘Authentication’.
    In riga:1 car:58

    So I deleted the Authentication param and all went OK. In this way:

    Set-MsolDomainFederationSettings -DomainName $domainName -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP

    hope this can help.
    Cheers from Italy,
    Andrea

  14. Thank you so much for this detailed article. You are a life saver! We have a Google Workspace for Education and recently received licenses of Microsoft 365 for Education as well. I am now able to provision users from Google Workspace to Microsoft 365 and use SSO.

    Only comment is that until I configured the auto provisioning, testing the SSO was unsuccessful. I kept getting the ‘AADSTS51004 user does not exist in the directory’ error. However, after configuring the auto provisioning and waiting for a while for the synchronization, it is working well.

    Thank you once again!

    1. your very welcome, glad it could help you configure google workspace sso to office 365.

      Reason behind the error you saw is, that when you created these users via google, their email became their immutableId, and it worked fine, however if you create users directly in Office 365 / Ad sync, then you would first need to ensure immutableId = user’s email address.

  15. Hi, I posted a comment yesterday regarding the error that I am receiving after setting up SSO between GSuite account and Office 365/MS Teams app.

    AADSTS50107: The requested federation realm object ‘https://accounts.google.com/o/saml2?idpid=’ does not exist.

    That comment is not appearing here yet. But I wanted to share how I resolved the error.

    I had already made sure immutableId and Primary Email are the same – Thanks to Goldy for all Powershell scripts provided here. I also confirmed that certificate from Google has been installed in Azure AD via Powershell

    Please note that slight difference between the URLs to use for $IssuerUri and $PassiveLogOnUri/$ActiveLogOnUri. This actually got me. Once I corrected that, then everything worked perfectly.

    o/saml2?idpid= and o/saml2/idp?idpid=

    Thanks Goldy for the guide. It helped me in great deal.

  16. Hi Goldy,
    thank your work and your excellent guide.
    When I’m testing my SSO (Google/Identity Provider Initiated) everything works well, after I’ve changed my Immutableid in Powershell as you recommended.
    Instead, when I’m testing my SSO (Microsoft 365/Service provider Initiate) I see the message
    “Taking you to your organization’s sign-in page” and, after few second, a new page with tis error
    “Google -null. That’s an error.
    Error parsing the request, No SAML message present in request That’s all we know”
    I contacted Microsoft support, but they told me that the problem is in Gsuite…
    What can I do?
    Thank you very much
    Linda

    1. Hi Linda – hard to figure it out this way, I would recommend you to install a SAML chrome extension, and parse the SAML request/response, it should help you troubleshoot.

  17. Hi Goldy – Great article. It helped to configure MS Teams with Google Authentication. Thank you so much for that.

    But, in the step to test the SSO or when I tried to login Office 365 or MS Teams,
    I am getting the error
    AADSTS50107: The requested federation realm object ‘https://accounts.google.com/o/saml2?idpid=……… does not exist.
    Please advise.
    When I tried to login Office 365 or MS Teams, it correctly redirected me to organization login page. After entering login and password information, I get the above error. I checked and confirm the uri information is correct.
    I am not sure if I am missing any other configurations. Or Does it take a while to propagate the changes to all users?

  18. At the step:
    “You would need to disable Directory Sync to be able to change ImmutableId, you can do it with following PowerShell command :
    Set-MsolDirSyncEnabled -EnableDirSync $false

    you disable the dir sync.
    After the config process end, we must enable it again ?

    1. You should not if you would be using Google to provision the users too.
      if you plan to keep using AAD, then you would need to either keep dealing with changing of immutableIds to email address OR rather provide the immutableId when sending SAML response from google (e.g create custom attribute in google and populate it with immutableId, and send this in saml response).

  19. Hi Goldy,
    Super useful tutorial!
    When I run Get-MSolDomainFederationSettings -DomainName mydomain.com | Format-List * to check the federated settings, I do not the screen you have identified nor does it return an error, it simply accepts the command and then present the PS> cursor ready to take the next command. Any thoughts? I have been able to provision users into Office365 from GSuite, however when I try to log in using my GSuite credentials the GSuite account password is not recognised.
    Thanks for any advice, Stuart

  20. Hi Goldy,
    Need to clarify if you have different domain in Azure AD (@abc.com (need to federate with gsuite sso)and different(@xyz.com) Gusite, which matching attribute should be taken care to auto proviso the user from gusite to Azure AD for SSO. (reason I am worried about existing user of AZure AD as need to change Immutable ID)

  21. Hello, I really appreciate what you have done with this tutorial, thank you so much, please if is possible for you helping me with this error after adding this command.

    Set-MsolDomainFederationSettings -DomainName $domainName -Authentication $Authentication -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP
    Set-MsolDomainFederationSettings : A parameter cannot be found that matches parameter name ‘Authentication’.
    At line:1 char:58
    + … ainFederationSettings -DomainName $domainName -Authentication $Authen …
    + ~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Set-MsolDomainFederationSettings], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Online.Administration.Automation.SetDomainFederationSettings

    Please I don’t know what to do from here, and additionally when I write this command Get-MSolDomainFederationSettings -DomainName id.goldyarora.com | Format-List *(I use my domain) but nothing shows.
    Thank you so much

    1. Sorry I added the wrong error message, this is the one.
      Set-MsolDomainAuthentication : You cannot remove this domain as the default domain without replacing it with another
      default domain. Use the the Set-MsolDomain cmdlet to set another domain as the default domain before you delete this
      domain.
      At line:1 char:1
      + Set-MsolDomainAuthentication -DomainName $domainName -Authentication …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
      + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DefaultDomainUnsetException,Microsoft.Online.
      Administration.Automation.SetDomainAuthentication

      Thanks

  22. Hello,

    I am getting the following error.

    Is there something I’m missing?

    PS C:\WINDOWS\system32> Set-MsolDomainAuthentication -DomainName $domainName -Authentication $Authentication -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP
    Set-MsolDomainAuthentication : You cannot remove this domain as the default domain without replacing it with another
    default domain. Use the the Set-MsolDomain cmdlet to set another domain as the default domain before you delete this
    domain.
    At line:1 char:1
    + Set-MsolDomainAuthentication -DomainName $domainName -Authentication …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DefaultDomainUnsetException,Microsoft.Online.
    Administration.Automation.SetDomainAuthentication

  23. Hi, I got this error after login with GSuite account and click on Office365 APP:

    AADSTS50107: The requested federation realm object ‘https://accounts.google.com/o/saml2?idpid=C02XXXXXX’ does not exist.

    How can I solved it? Thank you

    1. You should look at couple of things-:

      1. Check the immutableId of the user in concern, it should match the user’s primary email address.

      2. Ensure that the certificate has been installed from Google to Office 365 (PowerShell) correctly.

  24. Hi Goldy,

    first let me say thank you very much for this detailed and helpful article, it helped us to complete the task of setting up SSO finally after struggling for a very long time! I highly appreciate your work!

    Unfortunately we are still running into two issues.
    1. When trying to authenticate via Powershell tools (eg Connect-AzAccount) to Azure via a federated GSuite Account, a windows opens in which we enter the user’s email and get forwarded to Google sign-in. After entering the email id (to Google sign-in), a javascript error is coming up (Row 0, Character 0, Error: Script error, Code: 0, URL: https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_signin.en_GB.NDip7jdsosI.O/am=DAEAAAAAAAAAAAAIJQ/d=1/ct=zgms/rs=ABkqax2W4vQiXsXmnqnIgR1x4YkH6EPDxA/m=signin,signin_challenge) and asks me whether to proceed with script execution yes/no. Clicking yes or no, i get asked for my password and MFA token, but i’m unable to finalize the authentication properly (MFA does not get approved, probably because of the script error). The window does not change any more, and does not close. Do you know what can be done to resolve this issue? While googling we found a couple of references to a local MS Teams issue (involving clearing local caches), but this has not resolved our problem. We have Chrome installed as the default browser on Win10.

    2. We assigned a Office 365 license to a GSuite SSO user and are able to activate the local installation on a Windows 10 machine successfully. However, after some days, or after a reboot, we are getting a warning saying “There are issues with your account, please login again.” This works, but has to be done every day and is therefore annoying. Do you have any idea on this?

    Again, thanks for all your great how-to’s, it’s greatly appreciated!

    All the best Torben

    1. You’re welcome Torben.
      1. Try installing a SAML tracer chrome plugin and use to trace the saml request and response, this should help figure out, I slightly recall seeing this error but didn’t document what i did to fix it:(.

      2. Sorry, I don’t much idea on this 2nd one.

  25. Hi Seem to have a problem everything works fine in the browser but some users require a full office install licence but when they try and log in all they get is a looks like we cant connect to one of our services right now please try again later HTTP 400 error accounts.google.com

  26. ok, I solved all problem but not provisioning, I got this error in gsuite console:
    Error during Office365 sync: 17007 error code

    1. I have not seen this error, but after googling it a bit, it seems related to granting access to Google to create users in Office 365, try providing the OAuth consent again.

  27. Thank you very much! I got the link to your explanation from Microsoft Support (Adrian) and managed to get it up and running. Our school will be very happy to have automatic access to Office365 and Minecraft Education.
    It’s a shame I cannot automatically assign licenses in O365 (for instance using OU or groups in Gsuite to choose the right license in O365), that would make it fully automated.

        1. I think your question is about assigning licenses to Office 365 users via dynamic groups in Office 365 itself? if yes, then i have not tried it but it should work i think.

  28. hi! If I already have user with @gsuitedomain in offce365 and manage it for a fake SSO creating manually user in Gsuite and Off365 with same username @gsuitedomain but different pwd, what’s happen if I change immutableID of off365 user @gsuitedomain ?

    thanks!

    1. I didn’t understand your question, how would you create the user in Office 365 if you already have it with that email?
      if your question is about creating the user in Google Workspace with the same email that you have in Office 365, then it’ll not work right away, you would need to change the immutableId in Office 365 to match Google Workspace user’s email address (unless you want to go with other option that is to put current immutableId in Google Workspace as a custom attribute and then rather send this custom attribute as nameId in SAML response).

      1. hi! I add gsuite domain in off365 only with TXT DNS record. When I create user in off365 I use @gsuitedomain also in off365 but different pwd, so I have:
        1. gsuite account @gsuitedomain
        2. off365 account @gsuitedomain with different pwd of 1.

        So I have a fake SSO.

        If I want use your real SSO procedure, what’s happen if I change immutableID of off365 user @gsuitedomain ?

        I hope to be more clear.
        ThankS

        1. You have two options here-:
          1. Take the immutable id of off365 user @gsuitedomain –> create a custom attribute in Google Workspace –> and put immutable id as its value –> send this attribute as SAML nameId value.
          OR
          2. Change the immutableId of off365 user @gsuitedomain to match user’s primary email address, if you do that, nothing will change on the front (e.g you can still login directly to off365 user @gsuitedomain as usual), however it’ll make your SSO setup and management easy.

  29. In the step to test the SSO, I am getting the error
    AADSTS50107: The requested federation realm object ‘https://accounts.google.com/o/saml2?idpid=……… does not exist Please advise

  30. This tutorial is exact what i looking for.
    I administer a Google Suite of a faculty (eg faculty.com), now we are trying to associate Office 365 to our users.

    We are using only the default domain in 365 (faculty.onmicrosoft.com)

    I was following the tutorial and now i am stuck in this part (below)

    * I dont understand the error, the domain name (faculty.com) must be set in office 365? How can i do this?

    *Thank you for sharing your knowledge

    PS C:\Windows\system32> Set-MsolDomainAuthentication -DomainName $domainName -Authentication $Authentication -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP

    Set-MsolDomainAuthentication : This domain does not exist. Check the name and try again.
    No linha:1 caractere:1
    + Set-MsolDomainAuthentication -DomainName $domainName -Authentication …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DomainNotFoundException,Microsoft.Online.Administration.Automation.SetDomainAuthentication

    1. You’re welcome.

      I have this requirement listed in the system requirements section, you do not own/control faculty.onmicrosoft.com, it is Microsoft’s domain, hence you can not setup federation on it.

      You would need to add your domain (e.g faculty.com) in Office 365, you would find Microsoft’s documentation on adding domain under the system requirements section in this post.

    1. Unfortunately, like Google Workspace, Office 365 does not allow setting up federation within the user interface, so you would have to go with powershell.

      You don’t need any specific server for this thought, any regular windows machine (e.g windows 10, even virtual machine) which can run powershell should be enough.

  31. Dear,
    First of all thank your work and the excellent guide.
    I have a question, that nobody in Microsoft support has been able to answer.
    I am managing GSuite for education and registered the domain in Office365, I am trying to use the GSuite credentials to authenticate in Office365.
    But the step of where you have to use Powershell I cannot do it, because there is no local server, everything is in the cloud.
    I have tried to use Windows 10 PowerShell but it does not recognize the commands.
    I don’t know what I’m doing wrong or how else to integrate SSO into Office365 with GSuite.

    1. Unfortunately, like Google Workspace, Office 365 does not allow setting up federation within the user interface, so you would have to go with powershell.

      I would recommend you to google some help on how to install powershell and its associated modules to interact with Office 365.

  32. Edömér Csúry

    I just love you man, have been searching for an understandable guide a few days now and you sir helped me with this a lot to complete my contract. Detailed instruction and it worked on the first try! You won a fan today!!! Cheers to you and thank you!!!

  33. Michael Kerry

    Hi,
    I want to disable federation for temporarily (for troubleshooting). I can see powershell command for that.
    But how will I go back to federation, without any issue.

    1. You can turn off SSO by running the command Set-MsolDomainAuthentication -DomainName yourdomainname.com -Authentication managed

      however, if you need to federate after this, you would need to re-do the process (e.g create powershell variables, run the federation command).

  34. Hi Sir,
    G suite identity service will with Microsoft Tenant domain i.e abc.onmicrosoft.com . or we need own domain instead of Microsoft.

  35. I went through the setup steps. When I try to authenticate my test user, it redirects to Google, but when I get to the Microsoft page, I get: “AADSTS5000811: Unable to verify token signature. The signing key identifier does not match any valid registered keys.” I checked the signing certificate with Get-MsolDomainFederationSettings. It seems to match what I have in the metadata file. Any suggestions?

    1. Please ensure there is not space in the cert which you copied from Google, otherwise PowerShell will take it but later you would see an error during user authentication.

  36. You document which Google licensing I need in order to set up SSO, but not the Microsoft license. I’m working with Microsoft 365 Apps for Business. Do you know if I’m still able to set up SSO with this Microsoft licensing level?

  37. If I’m in a non-federated domain, I’m still unclear on what changes I need to make to the O365 user accounts. Do I change the UPN and immutable ID to the corresponding user’s GSuite email address?

    1. 1. I would suggest you to first do a quick look up at your Office 365 users’ immutableId via the provided PowerShell script in this post.

      2. If your immutableId is not equal to your Google Workspace users’ primary email address, then you should either change it to match Google Workspace email OR create a custom attribute in Google Workspace –> populate it with your Office 365 ImmutableId and then use to send this in SAML response.

      1. Your article states that in a non-federated scenario the immutable Id should be blank. If that’s the case, I can set it to the user’s corresponding GSuite address, and I don’t have to do anything to the UPN. Am I understanding correctly?

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top