How to federate Google (Gmail) accounts with Azure AD to access resources without a Microsoft account

My DIY project for this weekend is to try to set Google as an identity provider for access to Azure AD resources. If someone can access apps or services on a different platform without having to create an account on the resource owner’s end, that makes life easier and simply takes away the hassle of registering yet another account.

This article covers the hassle a guest user has to go through to set up a Microsoft account, how to federate the Azure AD instance with Google as an external IdP, and how to impose MFA on those accounts with the help of AAD dynamic security groups.

Azure B2B typically gives the user a few options:

  1. Connect Guest users from a different Azure AD instance
  2. Connect Guest users from any other service provider after creating a Microsoft account
  3. Federate with an identity provider so the users in that domain can access Azure AD resources without having to create a Microsoft account

The Hassle of setting yourself up as a Guest User

There are more than a few steps the invited user has to go through to sign up for a Microsoft account before they can access the resources governed by Azure AD. Check below.

My focus is on option 3: federating the Azure AD instance with Google so the invited users don’t have to create a Microsoft account to access the resources.

This eliminates Google users having to remember another set of credentials.


What do you require?

  • Global Admin rights on the Azure AD tenant where you have the resources
  • A Gmail account (free should be fine). Better to use a separate service-type account rather than a personal account

Configuration

There are two sides to the configuration.

  1. Prepare the Google (Gmail) side to accept OAuth requests from Azure AD
  2. Set Google as an identity provider in Azure AD

Prepare Google (Gmail) instance to accept OAuth requests from Azure AD

  • Go to Create Project to make a new development project
  • Name the project. In this case it is AzB2B-TestOrg. Hit Create
  • Go to the notifications, select the project and make sure you are working in that project
  • Go to OAuth consent screen > select External > hit Create
  • Set the application name and the authorized domains as shown below. The application name can be any name you wish
  • Next, go to Credentials in the same project and select Create Credentials > OAuth client ID
  • Select Web Application as the Application Type

Set the below values

App name:
AzB2B-TestOrg. I keep the same name across the board for consistency.

Authorized redirect URIs:
https://login.microsoftonline.com
https://login.microsoftonline.com/te/<tenant ID>/oauth2/authresp
https://login.microsoftonline.com/te/<verified domain>/oauth2/authresp

Fill in <tenant ID> after grabbing the Tenant ID as described below.

How to find the Tenant ID?


Go to Azure AD Portal (https://aad.portal.azure.com/) > Azure Active Directory > Properties > Copy the Tenant ID

As soon as you hit Create, you’ll get the below screen with the Client ID and the Client Secret, both of which Azure AD needs.

And that’s all as far as Google is concerned.

And let’s move on to the Azure AD now.


To set Google as an Identity Provider

Simply go to https://aad.portal.azure.com/ > Azure Active Directory > External Identities > All Identity Providers > Select Google from the top

Copy the previously generated Client ID and Client Secret here and hit Save.

Now you can see Google is set up as an identity provider.

That’s pretty much it from the Azure AD end as far as adding an external identity provider, in this case Google, is concerned.


Let’s test this now

Invite a Gmail User

You can either send a SharePoint link to an external (Gmail) user, or an admin can create a guest user from the Azure AD portal and assign licenses if required.

Once the user accepts the invite by following the URL in the email, they’ll be directed to the Google sign-in page, provided you have already signed in to Gmail (if not, you have to log in to the invited email address).

Once you click on the Gmail account, you will be redirected to the Office login page; press Yes.

You will now be redirected to the respective M365 tenant, thanks to the redirect URIs we set for the app in the Google API console.

This goes through the standard OAuth flow to obtain authorization for the Gmail account to access a resource in Azure AD.

Press Accept

Voilà! You are in!

Now that you are successfully in, you can assign apps to this user from Azure AD > Enterprise Applications and they will start to appear below.


How Azure AD shows the identity provider


How to impose zero trust over these accounts?

You can create a dynamic security group, after assigning a P1 license to the external user account, with the below query so it captures the right accounts.

Then create a Conditional Access policy named MFA for External IdPs and enable it for All Cloud Apps with a Grant control that requires MFA.

Once the user goes to access resources in the Azure AD environment, they will be directed to the multi-factor auth registration page as usual, and you can be sure that your data stays secured even if someone tampers with a Gmail account that the internal IT admins can’t keep track of.
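To verify that the group and policy described above actually cover every Google-federated guest, here is an added example (my own code, not from the original post) that audits a Microsoft Graph listing of guest users offline. It works on a constructed sample shaped like the response of GET /v1.0/users?$filter=userType eq 'Guest'&$select=id,userPrincipalName,userType,identities, reports which Google-federated guests are missing from the MFA group, and builds the request body for the Conditional Access policy the post describes. The issuer string "google.com" for Google-federated guests, the sample object IDs and the group ID are assumptions; check the issuer value against your own tenant before relying on it.

```python
"""Audit Google-federated B2B guests against the MFA group and build the CA policy body.

Added example, not from the original post. The issuer value below is an
assumption: confirm it from your own tenant's Graph output before use.
"""
import json

GOOGLE_ISSUER = "google.com"  # assumed issuer for Google-federated guests

# Constructed sample shaped like a Graph /users response: two Google guests, one
# guest from another Azure AD tenant. IDs are made up.
SAMPLE_USERS_JSON = json.dumps({
    "value": [
        {"id": "00000000-0000-0000-0000-000000000001",
         "userPrincipalName": "alice_gmail.com#EXT#@contoso.onmicrosoft.com",
         "userType": "Guest",
         "identities": [{"signInType": "federated", "issuer": "google.com",
                         "issuerAssignedId": "alice@gmail.com"}]},
        {"id": "00000000-0000-0000-0000-000000000002",
         "userPrincipalName": "bob_gmail.com#EXT#@contoso.onmicrosoft.com",
         "userType": "Guest",
         "identities": [{"signInType": "federated", "issuer": "google.com",
                         "issuerAssignedId": "bob@gmail.com"}]},
        {"id": "00000000-0000-0000-0000-000000000003",
         "userPrincipalName": "carol_fabrikam.com#EXT#@contoso.onmicrosoft.com",
         "userType": "Guest",
         "identities": [{"signInType": "federated", "issuer": "fabrikam.com",
                         "issuerAssignedId": "carol@fabrikam.com"}]},
    ]
})

# Constructed sample: the dynamic group currently resolves to Alice only.
SAMPLE_GROUP_MEMBER_IDS = {"00000000-0000-0000-0000-000000000001"}


def guests_by_issuer(users_json):
    """Map each guest UPN to the issuer of its federated identity (None if absent)."""
    result = {}
    for user in json.loads(users_json)["value"]:
        if user.get("userType") != "Guest":
            continue  # members are out of scope for this audit
        issuers = [i.get("issuer") for i in user.get("identities", [])
                   if i.get("signInType") == "federated"]
        result[user["userPrincipalName"]] = issuers[0] if issuers else None
    return result


def google_guest_ids(users_json):
    """Object IDs of guests whose federated identity was issued by Google."""
    return [user["id"] for user in json.loads(users_json)["value"]
            if user.get("userType") == "Guest"
            and any(i.get("issuer") == GOOGLE_ISSUER for i in user.get("identities", []))]


def uncovered_google_guests(users_json, group_member_ids):
    """Google-federated guests that the MFA group does not contain, sorted by ID."""
    return sorted(uid for uid in google_guest_ids(users_json) if uid not in group_member_ids)


def build_mfa_policy(group_id, display_name="MFA for External IdPs",
                     state="enabledForReportingButNotEnforced"):
    """Body for POST /v1.0/identity/conditionalAccess/policies matching the post's policy.

    Defaults to report-only so the policy can be observed before enforcement;
    pass state="enabled" to enforce.
    """
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


if __name__ == "__main__":
    for upn, issuer in guests_by_issuer(SAMPLE_USERS_JSON).items():
        print(f"{upn}: {issuer}")
    missing = uncovered_google_guests(SAMPLE_USERS_JSON, SAMPLE_GROUP_MEMBER_IDS)
    print("Google guests not in MFA group:", missing)
    print(json.dumps(build_mfa_policy("<mfa-group-object-id>"), indent=2))
```

Run it as-is to see the audit on the sample data; with a real tenant, replace SAMPLE_USERS_JSON with the Graph response and SAMPLE_GROUP_MEMBER_IDS with the group's resolved members. The report-only default for the policy state is deliberate: turn it to "enabled" only after the sign-in logs show the expected guests being evaluated.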


A Few Gotchas
