SSO to Google from Office 365 - different domains

Copper Contributor

Currently we have (contoso.com) as our domain for office 365 that is running adconnect on our on prem with hybrid aad. Identities are synced from on prem to o365, phs, and password write back.

 

We have Gsuite on a different domain (westcontoso.org).

 

Is it possible to set up sso from office 365 to gsuite so our users can use their o365 credentials to log in to chromebooks and android phones ?

 

One more question, what would be the best way to test this with a gsuite in production without breaking anything ? The g suite identity is mainly used for accessing chromebooks and managing android devices.

 

Thank you.

4 Replies
Hi KleoNunket,

It should be possible, see the following link for more info https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

Hope it solves your problem.
Hi HarriJaakkonen,

It looks that if i do this in production environment, my users won't be able to sign in with their g suite credentials as only one IDP can be used at a time, is this correct ?

Thank you.
Yes, your users won't be temporarily able to sign-in but once the connector is up and running it should be finding them with their email address which is provided during the federation.

From the Microsoft documentation Q&A number 6:

Q: What should I do when I get an "invalid email" error message?

A: For this setup, the email attribute is required for the users to be able to sign-in. This attribute cannot be set manually.

The email attribute is auto populated for any user with a valid Exchange license. If user is not email-enabled, this error will be received as the application needs to get this attribute to give access.

You can go to portal.office.com with an Admin account, then click in the Admin center, billing, subscriptions, select your Microsoft 365 Subscription and then click on assign to users, select the users you want to check their subscription and in the right pane, click on edit licenses.

Once the Microsoft 365 license is assigned, it may take some minutes to be applied. After that, the user.mail attribute will be auto populated and the issue should be resolved.

Hope this one helps.
So, that means all my users would have to re enroll with their o365 credentials ?

I use gsuite to manage my users mobile devices. I would like to achieve the following, for example user john has a chromebook and an android phone.

I would like that user to have two accounts for a user:

A) john@gsuite.com account - with sso enabled so they can log in to chromebook with their o365 credentials.
B) johnmobile@gsuite.com account - no sso enabled, the password for this would be known by IT only, so we can manage and enroll their their mobile devices without resetting their o365 password.

I think G suite now offers ability to exclude OU or groups from SSO.

Thank you!