I have a GCP org set up under a verified domain name (company.tech) with Cloud Identity enabled to use Google Cloud projects. I am managing access for users through Google Groups (via the admin panel). I've created a group with users from company.tech, a service account, Gmail and company.co.xx, i.e. allowing members outside the org; let's call the group gcpusers@company.tech.
The following IAM policies were added for the group:

- BigQuery Job User
- BigQuery Metadata Viewer

Also, ACL access was added to a dataset: BigQuery Data Viewer.
The issue is, I am able to query from Gmail, service account and company.tech domain accounts, but the users under company.co.xx (this is not a Cloud Identity account but a Google-mapped account, signed up with an existing email with an Office 365 subscription) can neither select the project nor query, and end up getting the following error and cannot preview/query the BigQuery dataset tables:
Access Denied: Project <<>>: User does not have bigquery.jobs.create permission in project <<>>
I tried the following but I still get the same error for company.co.xx accounts:

- Added a custom rule to allow company.co.xx under the domain restricted contacts org policy
- Added the domain under "Allowlisted domains" in the Google admin panel (but unfortunately, as mentioned, the domain is not linked with Cloud Identity/GWS; instead the accounts are signed up using an existing email)
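A small way to localize the failure described above, as an added example (not code from the question's author or from Google): it replays the project bindings from the question against a constructed group membership list and a partial role-to-permission map, and reports whether `bigquery.jobs.create` reaches a given principal. If the bindings alone reach the company.co.xx member, the denial is not explained by the roles or the group binding, and the next thing to check is whether the identity Google sees for that user is actually resolved as a member of the group. All member addresses, the project name and the membership map are constructed assumptions.

```python
from typing import Dict, List, Set

# Constructed, partial role -> permission map. roles/bigquery.jobUser does carry
# bigquery.jobs.create; roles/bigquery.metadataViewer does not. Only permissions
# relevant to the question are listed.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/bigquery.jobUser": {"bigquery.jobs.create"},
    "roles/bigquery.metadataViewer": {"bigquery.datasets.get", "bigquery.tables.list"},
}

# Constructed project IAM policy mirroring the question: both roles bound to the group.
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/bigquery.jobUser", "members": ["group:gcpusers@company.tech"]},
        {"role": "roles/bigquery.metadataViewer", "members": ["group:gcpusers@company.tech"]},
    ]
}

# Constructed membership as the group service is assumed to resolve it (sample addresses).
GROUP_MEMBERS: Dict[str, List[str]] = {
    "group:gcpusers@company.tech": [
        "user:alice@company.tech",
        "serviceAccount:etl@example-project.iam.gserviceaccount.com",
        "user:bob@gmail.com",
        "user:carol@company.co.xx",
    ]
}


def expand(member: str, groups: Dict[str, List[str]], seen: Set[str] = None) -> Set[str]:
    """Recursively expand a group member into concrete principals (nested groups, cycle-safe)."""
    seen = set() if seen is None else seen
    if not member.startswith("group:"):
        return {member}
    if member in seen:
        return set()
    seen.add(member)
    out: Set[str] = set()
    for m in groups.get(member, []):
        out |= expand(m, groups, seen)
    return out


def granting_bindings(principal: str, permission: str, groups=GROUP_MEMBERS) -> List[str]:
    """Return 'role via member' for every binding through which principal holds permission."""
    via = []
    for b in PROJECT_POLICY["bindings"]:
        if permission not in ROLE_PERMISSIONS.get(b["role"], set()):
            continue
        via += [f'{b["role"]} via {m}' for m in b["members"] if principal in expand(m, groups)]
    return via


def diagnose(principal: str, permission: str, groups=GROUP_MEMBERS) -> str:
    """GRANTED with the path, or DENIED pointing at membership resolution as the next check."""
    via = granting_bindings(principal, permission, groups)
    if via:
        return "GRANTED: " + "; ".join(via)
    return "DENIED: no binding reaches this principal; check whether the group resolves this identity"
```

Against a live project the same question is answered by the IAM Policy Troubleshooter (`gcloud policy-troubleshoot iam RESOURCE --principal-email=... --permission=bigquery.jobs.create`), which also shows whether the principal is recognized as a group member.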