My DIY project for this weekend is to try and implement a method to set Google as an identity provider for Azure AD resource access requirements. If someone can access apps or services on a different platform without having to create an account on the resource owner’s end, that makes life easier and simply takes away the hassle of registering yet another account.
This article covers the hassle a guest user has to go through to set up a Microsoft account, how to federate the Azure AD instance with Google as an external IdP, and how to impose MFA on those accounts with the help of AAD dynamic security groups.
Azure AD B2B typically gives the user a few options:
- Connect Guest users from a different Azure AD instance
- Connect Guest users from any other service provider after creating a Microsoft account
- Federate with an identity provider so the users in that domain can access Azure AD resources without having to create a Microsoft account
The Hassle of setting yourself as a Guest User
There are more than a few steps the invited user has to go through before signing up for a Microsoft account to be able to access the resources governed by Azure AD. Check the steps below.
My focus is on option 3: federating the Azure AD instance with Google so the invited users don’t have to create a Microsoft account to access the resources.
This eliminates the need for Google users to remember another set of credentials.
What do you require?
- Global Admin rights on the Azure AD tenant that owns the resources
- A Gmail account (a free one should be fine); better to use a separate service-type account rather than a personal one
There are two sides to the configuration:
- Prepare the Google (Gmail) instance to accept OAuth requests from Azure AD
- Set Google as an identity provider in Azure AD
Prepare Google (Gmail) instance to accept OAuth requests from Azure AD
- Log in to https://console.developers.google.com with your Gmail account
- Go to Create Project to make a new development project
- Name the project (in this case AzB2B-TestOrg) and hit Create
- Go to the notifications, select the project, and make sure you are now working in that project
- Go to OAuth consent screen > Select External > hit Create
- Set the application name and the authorized domains as shown below. The application name can be anything you wish
- Next, go to Credentials in the same project and select Create Credentials > OAuth client ID
- Select Web Application from Application Type
- Set the values below
Name: AzB2B-TestOrg. I keep the same name across the board for some consistency.
The remaining values are set after grabbing the Tenant ID, as described below.
How to find the Tenant ID?
Go to Azure AD Portal (https://aad.portal.azure.com/) > Azure Active Directory > Properties > Copy the Tenant ID
As soon as you hit Create, you’ll get the screen below with the Client ID and the Client Secret, which are needed on the Azure AD side. Treat the Client Secret like a password: it is the credential Azure AD will use to talk to Google.
And that’s all as far as Gmail is concerned. Let’s move on to Azure AD now.
To set Google as an Identity Provider
Simply go to https://aad.portal.azure.com/ > Azure Active Directory > External Identities > All Identity Providers > select Google from the top
Copy the previously generated Client ID and Client Secret here and hit Save
Now you can see Google has been set up as an identity provider
That’s pretty much it from the Azure AD end as far as adding an external identity provider (in this case Google) is concerned.
Let’s test this now
Invite a Gmail User
You can either send a SharePoint link to an external (Gmail) user, or an admin can create a Guest user from the Azure AD portal and assign licenses if required
Once the user accepts the invite by following the URL in the email, they’ll be directed to the Google sign-in page, provided you have already signed in to Gmail (if not, you have to log in with the invited email address)
Once you click the Gmail account, you’ll be redirected to the Office login page; press Yes
This will now redirect to the respective M365 tenant, thanks to the redirect URLs we set for the app in the Google API console.
This goes through the standard OAuth flow to obtain the authorization that gives the Gmail account access to a resource in Azure AD.
Voila! You are in!
Now that you are successfully in, you can assign apps to this user from Azure AD > Enterprise Applications and they will start to appear below
How Azure AD shows the identity provider
How to impose zero-trust over these accounts?
You can create a Dynamic Security Group, after assigning a P1 license to the external user account, with the query below so it captures the right accounts
Then create a Conditional Access Policy named MFA for External IdPs
Enable it for All Cloud Apps with a Grant control that requires MFA
Once the user goes to access resources in the Azure AD environment, they will be directed to the multi-factor auth registration page as usual, and you can be sure that your data is secured even if someone tampers with a Gmail account, which the internal IT admins can’t keep track of.
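As an added example (not code from the original post), here is the same dynamic group and conditional access policy created with the Microsoft Graph PowerShell SDK instead of the portal. The membership rule and the group name are my assumptions, since the post’s own query is not reproduced in the text; the policy name and settings follow the post.

```powershell
# Added example: build the "MFA for External IdPs" setup from the steps above with
# the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# The membership rule below is an assumption; adjust it to the rule used in your tenant.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Dynamic security group (requires Azure AD P1): guest accounts whose sign-in
#    email is a gmail.com address, which is how the Google-federated users look here.
#    Membership is evaluated in the background, so the group fills after a few minutes.
$rule = '(user.userType -eq "Guest") -and (user.otherMails -any (_ -contains "@gmail.com"))'
$group = New-MgGroup -DisplayName "External IdP Users (Google)" `
    -MailNickname "ExternalIdPUsersGoogle" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# 2. Conditional Access policy "MFA for External IdPs": all cloud apps, grant only with MFA.
#    Use "enabledForReportingButNotEnforced" as the state first if you want a dry run
#    that shows which sign-ins the policy would catch before switching to "enabled".
$policy = @{
    displayName   = "MFA for External IdPs"
    state         = "enabled"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Verify: list who the rule currently resolves to, and confirm the policy state.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property UserPrincipalName, UserType, OtherMails } |
    Select-Object UserPrincipalName, UserType, OtherMails
"{0}: state={1}" -f $ca.DisplayName, $ca.State
```

Run step 3 again after the dynamic membership has been processed to confirm only the intended guest accounts are in scope before relying on the policy.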
- MS Teams can only be accessed via the endpoint https://teams.microsoft.com on any device
- Users should use the My Applications portal in the format below, otherwise the identity will not be recognized by Azure AD
xxxxxxxx.onmicrosoft.com is my example M365 portal domain