0

We run our domains via Google. We have those domains verified in Azure for various purposes.

What I'd like to accomplish is to allow my user that use O365 to be able sign in with their Google Credentials. As I understand it, this is done through federation, SAML, and SSO. I've followed Google's instruction on setting this up and have hit a snag.

Using PowerShell's Set-MsolDomainAuthentication command I get an error every time I try to change the Authentication method from Managed to Federated. I can confirm that I can see the domains and their managed status via PowerShell commands, so I am at least connected to our Azure.

Set-MsolDomainAuthentication : Unable to complete this action. Try again later.

At line:1 char:1
+ Set-MsolDomainAuthentication
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Adm
   inistration.Automation.SetDomainAuthentication

Azure logs show the attempt as

DirectoryManagement
Set domain authentication
Failure
Microsoft.Online.Workflows.ValidationException

Any help and direction is welcome. I've been searching high and low for solutions.

Side note: I have tried the convert command as well, with no luck.

mklement0
  • 382,024
  • 64
  • 607
  • 775
Taylor Julander
  • 1
  • 2
  • I've done it for this post, but please [format your posts properly](https://stackoverflow.com/help/formatting) in the future. – mklement0 Feb 14 '23 at 22:52

2 Answers2

0

Solution:

Run the following command:

Set-MsolDomainAuthentication -Name <domainName> -Authentication Managed -ActiveLogOnUri <ActiveLogOnUri> -FederationBrandName <FederationBrandName> -PassiveLogOnUri <PassiveLogOnUri> -SigningCertificate <SigningCertificate> -IssuerUri <IssuerUri> -LogOffUri <LogOffUri> -MetadataExchangeUri <MetadataExchangeUri> -PreferredAuthenticationProtocol <PreferredAuthenticationProtocol>
Compo
  • 36,585
  • 5
  • 27
  • 39
Charles
  • 1
  • I have formatted your answer code, but in order for this to be understood in the context of the question, could you please insert the OP's information, and provide some explanation of the reasons why this is a solution to the submitted problem. – Compo Feb 17 '23 at 15:51
0

Found a solution using this method rather than googles prescribed method. https://medium.com/@james.winegar/how-to-single-sign-on-sso-between-g-suite-and-office-365-with-g-suite-as-identity-provider-idp-5bf5031835a0

IMPORTANT SIDE NOTE: For some reason or another, you cannot federate multiple domains with the same entityID in Azure. The workaround is to add spaces to the end of the entityID and Location URLs.

In my instance, I edited the metadata.xml and added the space within the quotes. There are two Location URLs in the XML, make the same change in both of them.

IE entityID="https://accounts.google.com/o/saml2?idpid=yourGoogleId "

And Location="https://accounts.google.com/o/saml2/idp?idpid=yourGoogleId "

Repeat this process for each additional domain from the same entityID. Keep in mind this is NOT a supported workaround, so use with caution.

Taylor Julander
  • 1
  • 2