3

I have a client who is an NPO, so they get G Suite for NGOs and Office 365 E1 for free.

They would love to remain with G Suite and use certain Office 365 features such as OneDrive. I spent a week trying to get it right; I have been following all the online tutorials on how to get this accomplished, but I keep failing when I get to "Map Office 365 user attributes to corresponding Cloud Directory attributes" in G Suite. The issue, from what I see, appears to be the "onPremisesImmutableId". What does this map to within G Suite?

Has anyone managed to get this working? I have followed all the tutorials I can find online, but when it comes to the attributes, that is where nobody has any info.

Thanks

3 Answers

3

So far I've been able to set up Google as SAML IDP with provisioning enabled so that accounts created on G Suite and added to an office-users group are created in Azure AD with a license assigned.

The Google documentation is straightforward, but makes only brief mention of the Windows setup, which is the hard part. I pulled together several other sources to get things working.

  1. Add the SAML App (Office 365) in the Google Admin console Apps section. Settings should all be properly established.

  2. Check the Office 365 SAML app config.

  3. Configure Provisioning (sync accounts from G Suite to Azure AD). Optionally set the scope to a Google group (only members of that group or OU will be auto-provisioned; I used a group I called office-users).

    Azure AD setup

  4. Validate your domain on Azure.

  5. Start a PowerShell console and install the required tools.

```powershell
# Requires the MSOnline module (Install-Module MSOnline); connect using admin credentials
Connect-MsolService

# Federate the domain to Google as the SAML IdP
Set-MsolDomainAuthentication -DomainName "{your-domain}" `
    -FederationBrandName "{your brand login}" `
    -Authentication Federated `
    -PassiveLogOnUri "{google-uri}" `
    -ActiveLogOnUri "{google-uri}" `
    -SigningCertificate "{cert info}" `
    -IssuerUri "{google-issuer}" `
    -LogOffUri "{google-uri}" `
    -PreferredAuthenticationProtocol "SAMLP"
```

where the certificate is the Google .pem file, without newlines or start/end markers, and the following URIs, where GOOGLESAMLID is your G Suite immutable ID (from the Google Admin console SSO setup pane):

```
google-uri=https://accounts.google.com/a/saml2/idp?idpid=GOOGLESAMLID
google-issuer=https://accounts.google.com/a/saml2?idpid=GOOGLESAMLID
```

Read the properties back:

```powershell
Get-MsolDomainFederationSettings -DomainName "{your-domain}" | Format-List *
```

  6. Turn off Azure password reset self-service.

  7. Test by creating a new G Suite user. A corresponding user should be created in AD.

I'm still trying to figure out how to map a new G Suite user to an existing Azure AD user. Seems like this should be possible, but I don't know where the mapping is stored.

I was able to create a user first on Windows and set its ImmutableId property to the intended G Suite email address:

```powershell
Set-MsolUser -UserPrincipalName "my@domain.com" -ImmutableId "my@domain.com"
$user = Get-MsolUser -UserPrincipalName "my@domain.com"
$user.ImmutableId
```

Then create a new user in GSuite and put the new user into the scope you identified to have access to Office apps. Azure AD will now redirect to Google to authenticate, and you can use your Google creds instead of whatever was on Azure.

EDIT: Once a new user is created in G Suite, it may take a few minutes for the changes to propagate to Azure AD.

technomage
  • Hi technomage, followed your directions, got the provisioning to work, but when using a test account I get the following error: "AADSTS51004: To sign into this application the account user@mydomain.com must be added to the 81cb65e6-7b04-440d-9e2d-49d8c0cdd0d7 directory." – Refaad Mirando Nov 01 '18 at 08:01
  • Also wanted to say thank you so much for all your assistance – Refaad Mirando Nov 01 '18 at 12:05
  • I'd seen that error as well, I believe the "directory" is your primary Azure AD. It went away after I got all the other details nailed down. Make sure that GSuite to Azure AD provisioning is enabled and it has had time to add the user to Azure AD. – technomage Nov 08 '18 at 19:36
0

I believe you map onPremisesImmutableId with Basic Information -> Username

If you select any other field you get the warning: "Your users may not be able to sign in as SSO attribute mapping for Name ID is different from that of onPremisesImmutableId. Do you want to continue?"

Dom
0

I've also run into a problem with the Office 365/G Suite Directory. Just to add, for the ImmutableID, I found something interesting on Reddit:

Google gives their domain admins the ability to create and populate free-form attributes that are attached to users. It's basically named hidden attributes attached to your users. For the case of federating with O365 you need to create a Schema with at least one attribute called ImmutableID. This is the SAML NameID attribute used to correlate the Google user with the Office 365 user. The ImmutableID (an attribute only used in O365) is a Base64 representation of the Active Directory user GUID. Example: 58bcbac8-0b42-4a3e-ae76-307510908f59 becomes +D2MBMPlTp+Hh7Q0qEm3iw== You can either drop this into your current create/update users scripts, target the API directly, or use another tool like GAM. You can't add this value manually to the schema in the G Suite control panel because it won't allow you to enter some of the characters; this has to be scripted in one way or another. We have a side utility that keeps users' names in sync, we added this to that.

See thread here: https://www.reddit.com/r/k12sysadmin/comments/83w004/google_to_microsoft_azure_ado365_sso/

Essentially, you want to create an extra Schema for Office 365 and add that ImmutableID field. I'm probably gonna use our AD as source for that, will let you know.
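As an added example, not code from any of the answers or the linked Reddit thread, here is the objectGUID-to-ImmutableId conversion in Python (uuid's bytes_le gives the .NET Guid.ToByteArray() byte order that Azure AD Connect uses), its inverse for checking a value read back with Get-MsolUser, and the Directory API customSchemas body used to stamp it on the Google user. For the GUID quoted above it produces yLq8WEILPkqudjB1EJCPWQ==, not the string in the Reddit excerpt, so verify against a real synced user rather than copying that sample value. The schema name Office365 and treating the sample GUID as an on-prem objectGUID are assumptions.

```python
"""Added example for this thread (not code from the answers or the Reddit post).

Azure AD Connect sets ImmutableId to the Base64 encoding of the on-prem
objectGUID's 16 raw bytes, i.e. .NET Guid.ToByteArray() order (first three
fields little-endian), which Python exposes as uuid.UUID(...).bytes_le.
The SAML NameID Google sends must equal that string exactly, or Azure AD
cannot correlate the Google user with the Office 365 user.
"""
import base64
import uuid


def guid_to_immutable_id(object_guid: str) -> str:
    """Encode an objectGUID (with or without braces, any case) as an ImmutableId."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Inverse: decode an ImmutableId read back via Get-MsolUser to canonical GUID text.

    Raises ValueError for malformed Base64 or for a value that is not a GUID
    (e.g. an email address used as ImmutableId, as in the first answer).
    """
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableId decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def build_user_patch(object_guid: str, schema_name: str = "Office365") -> dict:
    """Request body for Directory API users.update/patch that writes the value into a
    custom schema field named ImmutableID (schema_name "Office365" is an assumed name)."""
    return {"customSchemas": {schema_name: {"ImmutableID": guid_to_immutable_id(object_guid)}}}


if __name__ == "__main__":
    # Constructed sample: the GUID quoted in the Reddit excerpt, treated as an objectGUID.
    sample_guid = "58bcbac8-0b42-4a3e-ae76-307510908f59"
    iid = guid_to_immutable_id(sample_guid)
    print(sample_guid, "->", iid)            # yLq8WEILPkqudjB1EJCPWQ==
    print(immutable_id_to_guid(iid))         # round-trips to the input GUID
    print(build_user_patch(sample_guid))
```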