Forum Discussion
KleoNunket
Sep 16, 2021 (Copper Contributor)
SSO to Google from Office 365 - different domains
Currently we have (contoso.com) as our domain for office 365 that is running adconnect on our on prem with hybrid aad. Identities are synced from on prem to o365, phs, and password write back. We...
Hi KleoNunket,
It should be possible, see the following link for more info https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial
Hope it solves your problem.
KleoNunket
Sep 20, 2021 (Copper Contributor)
Hi HarriJaakkonen,
It looks like if I do this in the production environment, my users won't be able to sign in with their G Suite credentials, as only one IdP can be used at a time. Is this correct?
Thank you.
Sep 20, 2021
Yes, your users temporarily won't be able to sign in, but once the connector is up and running it should find them by the email address that is provided during the federation.
From the Microsoft documentation Q&A number 6:
Q: What should I do when I get an "invalid email" error message?
A: For this setup, the email attribute is required for the users to be able to sign-in. This attribute cannot be set manually.
The email attribute is auto-populated for any user with a valid Exchange license. If the user is not email-enabled, this error will be received, as the application needs to get this attribute to grant access.
You can go to portal.office.com with an Admin account, then click on the Admin center, Billing, Subscriptions, select your Microsoft 365 subscription and then click on Assign to users, select the users whose subscription you want to check and, in the right pane, click on Edit licenses.
Once the Microsoft 365 license is assigned, it may take some minutes to be applied. After that, the user.mail attribute will be auto-populated and the issue should be resolved.
Hope this one helps.
KleoNunket
Sep 25, 2021 (Copper Contributor)
So, that means all my users would have to re-enroll with their O365 credentials?
I use G Suite to manage my users' mobile devices. I would like to achieve the following; for example, user john has a Chromebook and an Android phone.
I would like that user to have two accounts:
A) john@gsuite.com account, with SSO enabled so they can log in to the Chromebook with their O365 credentials.
B) johnmobile@gsuite.com account, with no SSO enabled; the password for this would be known by IT only, so we can manage and enroll their mobile devices without resetting their O365 password.
I think G Suite now offers the ability to exclude OUs or groups from SSO.
Thank you!
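The "invalid email" answer above depends on every federated user having a populated mail attribute in Azure AD. The following is an added example (not posted by anyone in this thread) that lists enabled users whose Mail attribute is empty, together with their assigned license SKUs, so those accounts can be fixed before the Google Workspace SAML federation is switched on. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in admin can consent to User.Read.All; the function name Get-UsersMissingMail is my own.

```powershell
# Added example, not from the thread: find Azure AD users that would fail the
# Google SAML sign-in with "invalid email" because user.mail is not populated.
# Assumes the Microsoft.Graph PowerShell SDK and User.Read.All permission.
Connect-MgGraph -Scopes "User.Read.All"

function Get-UsersMissingMail {
    # Pull only the attributes needed for the check, for all users in the tenant.
    $users = Get-MgUser -All -Property "Id,UserPrincipalName,Mail,AccountEnabled,OnPremisesSyncEnabled"

    # Disabled accounts will not be federated anyway; focus on enabled ones.
    $enabled = @($users | Where-Object { $_.AccountEnabled })
    $missing = @($enabled | Where-Object { [string]::IsNullOrEmpty($_.Mail) })

    foreach ($u in $missing) {
        # A missing mail attribute usually means no Exchange-bearing license is
        # assigned (see the Microsoft Q&A quoted above); show what is assigned.
        $skus = (Get-MgUserLicenseDetail -UserId $u.Id | Select-Object -ExpandProperty SkuPartNumber) -join ","
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            SyncedFromOnPrem  = $u.OnPremisesSyncEnabled
            AssignedSkus      = if ($skus) { $skus } else { "(none)" }
        }
    }

    Write-Host ("{0} of {1} enabled users have no mail attribute" -f $missing.Count, $enabled.Count)
}

Get-UsersMissingMail | Sort-Object UserPrincipalName | Format-Table -AutoSize
```

Users reported with "(none)" need a license that includes Exchange assigned before federation; synced users whose on-premises mail attribute is empty should be corrected in AD so Azure AD Connect populates it.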