Questions about using third party IdP to authenticate to Office 365


I am setting up Google as the identity provider, and there are no issues with the setup; it's working fine, but I have a few questions:


1. I used the Global Admin role to set up SSO, but I want to delegate future domain federation without giving the Global Admin role, so I want to know which Office 365 role (instead of Global Admin) or permission is allowed to set up federation?

2. I understand an Office 365 user's immutableId will be the base64 version of the AD objectGUID if we use directory sync, but what if we do not use directory sync (cloud only)? What would the immutableId be in that case; will it be the user's primary email ID?

3. What does Office 365 need from the IdP in the nameId of the SAML assertion to identify and authenticate the user: is it the immutableId, the UPN, or the user's primary email address?

4. I have put a logoutUri when setting up federation via PowerShell (e.g. $LogOffUri = "https://mywebsite.com"), but it does not take the user there when logging out; rather, it logs out at the Office 365 home page.

 

Thank you so much in advance for sharing your insights.

For question #1, it appears Global Admin is required, as I don't see a separate role available for configuring federation according to this article here:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/plan-sso-deployment#required-administrative-roles

For question #2, the UserPrincipalName is the unique identifier when it is a cloud-only account.

For question #3, we recommend using UserPrincipalName for the nameid.

For question #4, in the Sign-out page URL field in the Google Cloud (G Suite) Connector, paste the value of the Logout URL which you copied from the Azure portal. There is a video here:
https://azure.microsoft.com/en-us/resources/videos/enable-single-sign-on-to-google-apps-in-2-minutes-with-azure-ad/

If this post was helpful please mark as best response, thank you.
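The following PowerShell is an added worked example written for this page; it is not code from either poster. It shows the MSOnline cmdlet the question refers to (Set-MsolDomainAuthentication with a LogOffUri, here for a SAML 2.0 IdP), how to read back what Azure AD actually stored so the configured sign-out URL can be checked, and how the ImmutableId is derived from an objectGUID for a synced user and set explicitly for a cloud-only user. For a federated domain Azure AD matches the assertion's NameID against the user's ImmutableId, and the IDPEmail attribute against the UPN, so a cloud-only user needs an ImmutableId before the IdP can assert one for them. The domain, hostnames, issuer URI, certificate placeholder and test user are all assumed values.

```powershell
# Added example, not from the original thread. All hostnames, URIs, the domain,
# the test user and the certificate string are assumed placeholders.
Import-Module MSOnline
Connect-MsolService   # sign in with an account holding the Global Admin role

$dom         = "example.com"                              # assumed: domain to federate
$BrandName   = "Example SAML 2.0 IdP"
$LogOnUrl    = "https://idp.example.com/saml2/sso"        # assumed IdP SSO endpoint
$LogOffUrl   = "https://idp.example.com/saml2/slo"        # assumed IdP sign-out endpoint
$ecpUrl      = "https://idp.example.com/saml2/ecp"        # assumed; only used by ECP (rich client) sign-in
$IssuerUri   = New-Object System.Uri -ArgumentList "urn:example:idp"  # must equal the assertion's <Issuer>
$SigningCert = "MIIC...base64 DER of the IdP signing certificate..."  # placeholder, paste the real value

# Federate the domain. LogOffUri is the value Azure AD uses for the federated sign-out hop.
Set-MsolDomainAuthentication -DomainName $dom `
    -Authentication Federated `
    -FederationBrandName $BrandName `
    -PassiveLogOnUri $LogOnUrl `
    -ActiveLogOnUri $ecpUrl `
    -LogOffUri $LogOffUrl `
    -IssuerUri $IssuerUri `
    -SigningCertificate $SigningCert `
    -PreferredAuthenticationProtocol SAMLP

# Read back what was stored before testing sign-out; a typo or an http:// scheme
# in LogOffUri is easier to spot here than by watching a browser redirect.
Get-MsolDomainFederationSettings -DomainName $dom |
    Format-List IssuerUri, PassiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol

# ImmutableId for a directory-synced user is the Base64 encoding of the
# on-premises objectGUID's bytes. The same conversion lets you generate a
# value for a cloud-only user that the IdP will then send as NameID.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid] $ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Reverse direction, useful when comparing an assertion's NameID with AD.
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string] $ImmutableId)
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

# A cloud-only user has no ImmutableId until one is set. Set it here and
# configure the IdP to send exactly this string as the persistent NameID,
# with the UPN in the IDPEmail attribute.
$upn         = "alice@example.com"                        # assumed test user
$immutableId = ConvertTo-ImmutableId -ObjectGuid ([guid]::NewGuid())
Set-MsolUser -UserPrincipalName $upn -ImmutableId $immutableId
Get-MsolUser -UserPrincipalName $upn | Select-Object UserPrincipalName, ImmutableId
```

Keep the ImmutableId values you assign to cloud-only users somewhere recoverable: if directory sync is introduced later, Azure AD hard-matches on ImmutableId, so a cloud-only user whose ImmutableId does not equal the Base64 objectGUID of their on-premises account will not be joined to it.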