Hope you all are doing good!!!
We are getting very good suggestions for our last series on Azure Networking Learn Basics Of Azure Networking In 60 Hours. The suggestions are to add few more important topics to the series to makes more up-to-date because new features are coming and we should update the series with those new features. We would start working on that part once we are done with this Azure Identity And Access Management series.
In our last post, we have discussed on Email one-time passcode authentication in detail with example. Today In this article, we will continue Azure AD Business-to-Business (B2B) And Guest User and discuss how to Configure Google Federation for B2B user.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check it in following links.
Google Federation for Azure AD Guest User :
When we talk about cloud/hybrid identity, Azure AD B2B allow organizations to establish cross-organization identity connections for which it is not required any additional infrastructure changes. One of my previous article Invitation And Redemption of Guest User explains how we can allow external users to authenticate in to cloud app using their own accounts.
In our last article , we have seen that, by configuring Email one-time passcode authentication, can we successfully invite a Gmail account user without configuring Google federation.
As I said, today in this article, we will discuss, how Azure AD B2B can initiate federation with google to allow users to use their own google accounts to authenticate without Email OTP authentication. In this demo I am going to demonstrate how we can initiate federation with google. Let’s proceed with following steps.
Setup A Google Developer Project :
Step 1 – Go to the Google APIs at https://console.developers.google.com, and lets’ sign in with our Google account to configure a new project. It is recommend that we should use a shared team Google account.
Step 2 – On the Dashboard, click on Create Project, and on the New Project page, enter a Project Name, and then select Create.
Step 3 – Make sure our new project is selected in the project menu. Then under APIs & Services, select OAuth consent screen as shown in the following figure.
Step 4 – As shown in the following figure select External, and then select Create. On the OAuth consent screen, enter an Application name.
Step 5 – Scroll to the Authorized domains section and enter microsoftonline.com so that Google only allows this domain as authorized domain and click Save button to save the configuration.
Step 6 – Next choose Credentials. In the + Create credentials menu, choose OAuth client ID as shown in the following figure.
Step 7 – Under Application type, choose Web application, and then under Authorized redirect URIs, enter the following URLs and hit Create.
https://login.microsoftonline.com/te/<directory id>/oauth2/authresp (where <directory id> is your directory ID). In our case it is : https://login.microsoftonline.com/te/ee63368d-845a-4b7f-8dbc-a7e2c36186/oauth2/authresp
Step 8 – Copy the Client ID and Client Secret, which we will use when we add the identity provider in the Azure AD portal as shown in the following figure.
Setup Google Federation In Azure Active Directory :
Step 9 – Now we will set the Google client ID and client secret, either by entering it in the Azure AD portal or by using PowerShell. In this lab we will do it through Azure portal as shown in the following figure.
- Log-in to the Azure portal and select Azure Active Directory and Select External Identities.
- click on All identity providers, and then click the + Google button.
- By default the Name set to Google. Then enter the client ID and client secret we obtained earlier. hit Save to complete the set-up.
If In future, we want to remove the configuration of Google Federation, then just click on the three button of the setup and click Delete button as shown in the following figure.
Testing Google Federation Set-Up :
Step 10 – Select Users of Azure AD > All Users > click +New guest user link > hit Invite button to invite a new Gmail account user by providing all information as showing in the following figure.
User has not redeem the invitation so Source property of the user is Invited User as shown in the following figure.
Step 11 – As we know when we inviting a guest user, the guest user will get one invitation Email, that includes a Accept Invitation link. The guest user can hit the link to redeem the invitation as shown in the following figure. let’s click Accept Invitation link.
Step 12 – In the redeem process, we need to choose the correct Gmail account as shown in the following figure.
Step 13 – Agree with all policies to access the organization’s portal or resources and click Accept button to complete the redeem process.
As we can see in the following figure, after user successfully redeem the invitation the Source property of user has changed from Invited User to Google but the User type is still Guest.
I hope, this article helps you to configure Google Federation with Azure AD to support B2B user.
As I am exploring the Azure Identity and Access Management (IAM) in a deep level. Please let me know if I missed anything important or if my understanding is not up to mark.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂