Federate your User Accounts in Microsoft Azure AD to Google Cloud Identity

Anjali Chimnani
Google Cloud - Community
6 min read · Aug 15, 2022

Google Cloud Identity is an IDaaS (Identity as a Service) offering that manages the users and groups used by Google Cloud and Google Workspace. The full lifecycle of users and groups can be managed in Cloud Identity, and the accounts it holds are the identities that Google Cloud access management and compliance controls operate on. There are multiple ways to create users in Cloud Identity: manual creation in the Admin console or bulk upload via CSV.

For large organisations, user accounts are often already managed in another identity provider, e.g. Microsoft Azure AD.

Microsoft Azure AD is a cloud-based identity and access management service that controls user access to external and internal resources. It manages the user lifecycle centrally and allows cloud apps to be integrated for a uniform user experience.

Therefore, where user accounts and groups are maintained in Microsoft Azure AD, they can be federated into Google Cloud Identity: Azure AD remains the single source of truth and the place where accounts are maintained, while the same accounts become usable in Google Cloud Identity. Below is a sample architectural setup of federation between Google Cloud Identity and Microsoft Azure AD.

Sample Architecture Setup for User and Group federation between Microsoft Azure AD and Google Cloud Identity

To use the user accounts and groups in Google Cloud Identity, we first need to provision the users from Microsoft Azure AD and then set up single sign-on between the two, so that authentication requests for Google Cloud are redirected to Microsoft Azure AD.

For our setup of federation in this document, we will:

The prerequisites required to set up federation between Google Cloud Identity and Microsoft Azure AD are:

1. Google Cloud Identity setup completed: create the first Cloud Identity account, specify the super admin username and verify your organisation's domain with Google Cloud Identity.
Google Cloud Admin Console

2. A Microsoft Azure AD tenant and administrative privileges to set up provisioning and single sign-on.

Microsoft Azure AD

3. The domains of the users being federated from Microsoft Azure AD must be registered as primary or secondary domains in Google Cloud Identity. All such domains must be registered; otherwise the users in them are not provisioned and the provisioning cycle reports errors.

4. A user for the connection between Google Cloud Identity and Microsoft Azure AD: create a user in Google Cloud Identity that Azure AD will authenticate as when provisioning. The super admin user could be used, but a dedicated user is recommended for simpler maintenance and clear ownership, and so that the provisioning credentials held by Azure AD are kept separate from the interactive super admin account. Grant this user the admin privileges needed to create, delete and list users, since that is what Azure AD does on its behalf. In our case, the user is azuread-provisioning.

User created in Google Cloud Identity for Provisioning — azuread-provisioning

5. The users to be federated exist in Microsoft Azure AD.

Users in Microsoft Azure AD that must be provisioned

Let's now begin federating the user accounts between Google Cloud Identity and Microsoft Azure AD.

1. Connect Azure AD to Google Cloud Identity and provision the users. Create a new Enterprise Application using the Google Cloud/G Suite Connector by Microsoft.
Create a new Enterprise Application in Microsoft Azure

2. Select New application and search for Google Cloud/G Suite Connector by Microsoft. Select the connector, then select Create.

Select Google Cloud/G Suite Connector by Microsoft

3. In the new application, select Properties under Manage, change the settings as below and Save:

  • Enabled for users to sign in: No (this application is used only for provisioning; sign-in is configured separately in Part 2)
  • Rename the application so that the name indicates it is used for connection and provisioning
  • Assignment required: No
  • Visible to users: No
Edit the properties of the Enterprise Application

4. Select Provisioning under Manage and select Get started.

Provide Provisioning Properties for the Connection
  • Set Provisioning Mode to Automatic and, under Admin Credentials, provide the user who has the required admin privileges in Cloud Identity. In our case, the user is azuread-provisioning.
  • In the Mappings section, select Provision Azure Active Directory Users. In the Attribute Mapping table, select the "surname" row to edit the attribute.
  • In the Edit Attribute pane, set Default value if null to "_" as below and select Ok. Cloud Identity requires both a given name and a family name, so an Azure AD user with an empty surname would otherwise fail to provision.
  • Repeat the same step for the "givenName" attribute.
Edit Attribute Properties
  • Since we are provisioning users only, we will not enable group provisioning. If required, it can be done in the same connector along with user provisioning, following the steps described under Provisioning Groups by name or email address.
  • In the Settings section, under Scope, select Sync only assigned users and groups. Only the users and groups explicitly assigned to the application are then provisioned, which gives more control. The other option, Sync all users and groups, can be selected if the business requirement calls for it.
Set Scope as Sync only assigned users and groups
  • Save the changes and close the Provisioning window.
  • Select Users and groups under Manage, then Add user/group. The users and groups selected and assigned here will be provisioned.
Select Users to be Provisioned
  • Within the Users section, select the "None Selected" link and select the users to be provisioned. For our example, we select two users, Chris and John, and do not select Tom Doe, as below:
We select 2 users out of 3 for our example
  • Select and Assign the users.
Assignment Completed with a success log

5. Provision the users: select Provisioning under Manage, select Edit provisioning, set Provisioning Status to On and Save the changes.

Enable Provisioning Status to Be On
  • Close the Provisioning window.
  • Provisioning starts, as below.
Once enabled, Provisioning of Users is Started
  • The time provisioning takes depends on the number of users selected; the cycle status is updated in the Provisioning window.
Provisioning status and logs are updated upon completion

6. Select Provisioning logs in the Activity section to view the detailed logs.

View the Provisioning Logs in Activity Section

7. Verify the provisioned users in the Google Cloud Admin console.

Google Cloud Admin Console
  • In the Google Cloud Admin console, go to Directory > Users and validate the users created. In our example, two users must have been created, Chris and John, as selected in Azure AD for provisioning, and Tom Doe must not appear.
View the users in the Directory Section
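The checks behind prerequisite 3 (every user's domain must be registered in Cloud Identity), the "_" default in the attribute mapping (step 4) and the verification in step 7 can be scripted. The following is an added example, not code from the original article or from Google or Microsoft. All of its data is constructed to mirror the scenario above (Chris and John assigned, Tom Doe not) plus one extra user in an unregistered domain; the domain set, user records and directory listing are assumptions. In practice you would feed `preflight` an export of the Azure AD users assigned to the connector application and `reconcile` the output of the Admin SDK Directory API `users.list` call.

```python
"""Pre-flight and post-provisioning checks for Azure AD -> Google Cloud Identity
user provisioning. Added example with constructed data; only the Python standard
library is used, so it runs offline."""

# Domains registered as primary or secondary domains in Cloud Identity (constructed).
CLOUD_IDENTITY_DOMAINS = {"example.com", "example.net"}

# Constructed Azure AD users. "assigned" marks membership in the connector app's
# Users and groups list, which is what "Sync only assigned users and groups" honours.
AZURE_AD_USERS = [
    {"userPrincipalName": "chris@example.com", "givenName": "Chris", "surname": "Smith", "assigned": True},
    {"userPrincipalName": "john@example.com", "givenName": "John", "surname": None, "assigned": True},
    {"userPrincipalName": "tom.doe@example.com", "givenName": "Tom", "surname": "Doe", "assigned": False},
    {"userPrincipalName": "eve@contractor.example", "givenName": "Eve", "surname": "Lee", "assigned": True},
]

# Constructed Cloud Identity directory after a successful provisioning cycle,
# shaped like Directory API user resources. The super admin and the dedicated
# azuread-provisioning user exist independently of Azure AD.
CLOUD_IDENTITY_DIRECTORY = [
    {"primaryEmail": "admin@example.com", "name": {"givenName": "Super", "familyName": "Admin"}},
    {"primaryEmail": "azuread-provisioning@example.com", "name": {"givenName": "Azure AD", "familyName": "Provisioning"}},
    {"primaryEmail": "chris@example.com", "name": {"givenName": "Chris", "familyName": "Smith"}},
    {"primaryEmail": "john@example.com", "name": {"givenName": "John", "familyName": "_"}},
]


def domain_of(upn):
    """Domain part of a userPrincipalName, lower-cased for comparison."""
    return upn.rsplit("@", 1)[1].lower()


def apply_mapping(user, default_if_null="_"):
    """Mirror the connector's attribute mapping: userPrincipalName becomes the
    Cloud Identity primary email, and givenName/surname fall back to the
    'Default value if null' placeholder configured in the Azure AD mapping."""
    return {
        "primaryEmail": user["userPrincipalName"].lower(),
        "givenName": user["givenName"] or default_if_null,
        "familyName": user["surname"] or default_if_null,
    }


def preflight(users, registered_domains, assigned_only=True):
    """Decide which Azure AD users the connector will try to create and why
    some would fail. Returns (to_provision, errors, warnings).

    errors:   the user is skipped (unregistered domain -> provisioning error)
    warnings: the user is created, but with the '_' placeholder name
    """
    to_provision, errors, warnings = [], [], []
    for user in users:
        upn = user["userPrincipalName"]
        if assigned_only and not user["assigned"]:
            continue  # out of scope, never sent to Google
        if domain_of(upn) not in registered_domains:
            errors.append(f"{upn}: domain '{domain_of(upn)}' is not registered in Cloud Identity")
            continue
        if not user["givenName"] or not user["surname"]:
            warnings.append(f"{upn}: empty givenName/surname, will be created with '_' placeholder")
        to_provision.append(apply_mapping(user))
    return to_provision, errors, warnings


def reconcile(to_provision, users, directory, assigned_only=True):
    """Compare the expected result with what Cloud Identity actually lists.

    missing:    expected accounts that Cloud Identity does not have
    unexpected: accounts Cloud Identity has for Azure AD users that were NOT
                assigned, i.e. the scope setting did not take effect
    """
    present = {d["primaryEmail"].lower() for d in directory}
    expected = {u["primaryEmail"] for u in to_provision}
    out_of_scope = {u["userPrincipalName"].lower() for u in users
                    if assigned_only and not u["assigned"]}
    missing = sorted(expected - present)
    unexpected = sorted(out_of_scope & present)
    return missing, unexpected


if __name__ == "__main__":
    to_provision, errors, warnings = preflight(AZURE_AD_USERS, CLOUD_IDENTITY_DOMAINS)
    for line in errors:
        print("ERROR  ", line)
    for line in warnings:
        print("WARNING", line)
    missing, unexpected = reconcile(to_provision, AZURE_AD_USERS, CLOUD_IDENTITY_DIRECTORY)
    print("expected:", [u["primaryEmail"] for u in to_provision])
    print("missing:", missing, "unexpected:", unexpected)
```

Run before enabling provisioning to catch unregistered domains (which surface only as failures in the Provisioning logs once the cycle runs) and after the first cycle to confirm that the Sync only assigned users and groups scope held: an unassigned user such as Tom Doe appearing in the directory means the scope or the assignment list is not what you intended.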

You can begin your setup of Cloud Identity from the Google Cloud Admin console and Microsoft Azure AD.

Try it now; setting up single sign-on for the users provisioned here is covered in Part 2 of this document.
