Landing Zone Post | GCP Identity Options | Integration with Microsoft Entra ID

Omkar Nadkarni
Niveus Solutions
2 min read · Jul 9, 2024


One of the first things we do when onboarding any client to Google Cloud is to enroll them in Cloud Identity.

In this post, I will try to show how we approach the process for Cloud Identity and IAM.

Probing

One of the first things we need to do is identify the identity provider and how the organisation is structured, by asking the questions below.

  • Is the client already using G Suite, Google Workspace, or Microsoft Office 365?
  • How many different teams will manage resources in Cloud Identity and Google Cloud (for example network admins, the org admin team, the security admin team, and the monitoring team)?
  • Is there any link between the HR system and Azure AD (Entra ID) or Google Cloud Identity?
  • How many domains does the company have?
  • Is there federation between the domains?

For more information, please refer to this Google documentation.

Cloud Identity Prerequisites

Before enrolling in Cloud Identity, we need to follow the enrollment process of creating an organisation, which involves:

  • Finalising a domain name.
  • DNS registration for the domain.
  • Deciding who will be the super admin.
  • Following the best practices: there should be only 2 super admins, the super admin ID and the normal user ID should be separate accounts, 2FA should be enabled, and a drill process should be in place for using the super admin ID.

Cloud Identity Enrollment

  • Cloud Identity is a prerequisite for enrolling in G Suite/Google Workspace and Google Cloud.
  • Here is the link explaining how to onboard to Cloud Identity.
  • User onboarding can happen manually, via CSV upload, or via integration with an HRIS.

Deep Dive into Microsoft Entra SSO

If clients are using Office 365, it is important to have one identity provider and a single source of truth for user onboarding and offboarding.

Google Cloud can have users sign in with Microsoft Entra ID, with SSO enabled through SAML integration.

There is a Google Cloud connector, an enterprise application available in Microsoft Entra ID, which helps with user onboarding to Google Cloud.

For more information, see this Google article on setting up Microsoft Entra SSO.

User Off-boarding

When using Microsoft Entra ID, the connector has an option to disable the user's ID in Google Cloud when the user is removed from the Entra ID group.

If using Google identity (Cloud Identity) directly, we disable the user ourselves.

There are other advanced topics, such as primary and secondary domains and resolving conflicting IDs. For more information, please go through this article.
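The super admin best practices from the prerequisites section and the disabled-user outcome of off-boarding are both easy to verify from the Cloud Identity user list. The script below is an added example, not code from the post or from Google; it audits user records shaped like the Admin SDK Directory API `users.list` response (fields `primaryEmail`, `isAdmin`, `isEnrolledIn2Sv`, `suspended`). The sample records and the `sa-` naming prefix for dedicated admin accounts are constructed assumptions.

```python
"""Audit Cloud Identity users against the post's super admin best practices
and list the accounts that off-boarding has disabled.

The records mirror Directory API user objects; SAMPLE_USERS is constructed
sample data, not pulled from a real tenant."""
from typing import Dict, List

MAX_SUPER_ADMINS = 2  # the post's rule: only 2 super admins

# Constructed sample, shaped like Directory API `users.list` entries.
SAMPLE_USERS = [
    {"primaryEmail": "sa-alice@example.com", "isAdmin": True, "isEnrolledIn2Sv": True, "suspended": False},
    {"primaryEmail": "sa-bob@example.com", "isAdmin": True, "isEnrolledIn2Sv": False, "suspended": False},
    {"primaryEmail": "carol@example.com", "isAdmin": True, "isEnrolledIn2Sv": True, "suspended": False},
    {"primaryEmail": "dave@example.com", "isAdmin": False, "isEnrolledIn2Sv": True, "suspended": True},
]


def audit_super_admins(users: List[Dict], admin_prefix: str = "sa-") -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    Checks taken from the post's best-practice list:
      1. at most MAX_SUPER_ADMINS active super admins (isAdmin set, not suspended)
      2. every active super admin is enrolled in 2-step verification
      3. super admin accounts are separate from day-to-day accounts, approximated
         here by a naming convention (admin_prefix), which is an assumption
    """
    findings = []
    active_admins = [u for u in users if u.get("isAdmin") and not u.get("suspended")]
    if len(active_admins) > MAX_SUPER_ADMINS:
        findings.append(f"{len(active_admins)} active super admins, expected at most {MAX_SUPER_ADMINS}")
    for u in active_admins:
        email = u["primaryEmail"]
        if not u.get("isEnrolledIn2Sv"):
            findings.append(f"super admin {email} is not enrolled in 2-step verification")
        if not email.startswith(admin_prefix):
            findings.append(f"super admin {email} does not follow the dedicated-admin naming convention")
    return findings


def offboarded_users(users: List[Dict]) -> List[str]:
    """Emails of disabled (suspended) accounts: the state the Entra ID connector,
    or a manual disable, should leave an off-boarded user in."""
    return sorted(u["primaryEmail"] for u in users if u.get("suspended"))


if __name__ == "__main__":
    for finding in audit_super_admins(SAMPLE_USERS):
        print("FINDING:", finding)
    print("suspended accounts:", offboarded_users(SAMPLE_USERS))
```

Against the sample data the audit reports three findings (too many super admins, one without 2-step verification, one not on a dedicated admin account) and one suspended account.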

Conclusion

When onboarding any client to Google Cloud, we have to ensure we understand how identities will be managed and how their lifecycle will be handled.

I hope this article gave some insight into this and pointed to some useful articles that can be referred to for detailed information.


Omkar Nadkarni is a principal cloud architect passionate about technology and its impact on business. He has skills across GCP, Azure, AWS, DevOps and infrastructure.