SOLVED

Question about SSO

Mike D
Occasional Contributor

Hello,

My organization has cloud-only users in Azure AD. We also have a GSuite tenant that we use for email. The GSuite tenant has multiple domains associated with it and there are user accounts in each of these domains. My question is, is it possible to configure Azure AD SSO with my GSuite tenant and exclude specific domains from SSO? Or does Azure AD SSO apply to all of the users in my GSuite tenant no matter what?

Thank you.

3 Replies
Solution

Hi Mike! According to documentation for configuring SSO with Azure AD and G Suite, you can only have one identity provider for the tenant. Based on this, it sounds like all of your domains will either have to use Azure AD or all use Google as the IDP.

Q: Can I enable single sign-on for only a subset of my G Suite users?

A: No, turning on single sign-on immediately requires all your G Suite users to authenticate with their Azure AD credentials. Because G Suite doesn't support having multiple identity providers, the identity provider for your G Suite environment can either be Azure AD or Google -- but not both at the same time.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

Thank you for the information. I appreciate it.

Just for clarification:

  • Azure AD supports multiple IDPs, one per domain
  • G Suite supports only one IDP