Jul 16 2020
The following are my notes for setting up Azure AD B2B Direct Federation with a G Suite domain. The official documentation is at https://docs.microsoft.com/en-us/azure/active-directory/b2b/direct-federation. Direct federation is for a G Suite domain of your own (one that is not already verified in Azure AD); if you only want to invite gmail.com users, use the Google Federation steps instead: https://docs.microsoft.com/en-us/azure/active-directory/b2b/google-federation
Steps to configure AAD B2B Direct Federation with GSuite Domain
- Log in to https://admin.google.com -> Security -> Set up single sign-on (SSO) for SAML applications

- Choose Download Metadata, and save the returned GoogleIDPMetadata.xml locally

- Browse to https://portal.azure.com -> Azure AD -> External Identities -> All identity providers -> New SAML/WS-Fed IdP. Choose protocol = SAML, domain name = your G Suite domain name, method = parse metadata file. Browse to your GoogleIDPMetadata.xml file and hit Parse; the Issuer URI, passive authentication endpoint and signing certificate are filled in from the metadata. Check them, then Save.

- From https://support.google.com/a/answer/6363817?hl=en follow Step 3. “Set up Google as a SAML identity provider (IdP)” and browse to https://admin.google.com -> Apps -> SAML Apps -> New App
- Filter existing apps by “Microsoft Office 365” and add the app
- Download Metadata locally to .XML file
- Save
- Browse back to apps and choose “Microsoft Office 365”
- Edit Attribute Mapping so that all three app attributes map to the user's primary email. The three claims must carry the same address, because Azure AD matches it against the address the guest was invited with:

App attribute | Category | User field
IDPEmail* | Basic Information | Primary Email
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | Basic Information | Primary Email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Basic Information | Primary Email
- From https://support.google.com/a/answer/6363817?hl=en follow Step 4. “Enable the Office 365 app”: choose Edit Service -> Service Status -> ON for everyone, or ON only for the organizational units whose users should be able to redeem Azure AD invitations.
- Lastly, invite the G Suite user as a guest from Azure AD: Azure AD portal -> Invite New User -> invite a user whose address is in the G Suite domain.
- The G Suite user receives the invitation email, clicks the redemption link and signs in with G Suite credentials; Azure AD hands the sign-in to Google over the direct federation you configured, and the invite is redeemed successfully. Redemption only works for the invited address: signing in to Google with a different account will not map to the guest.
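As an added example, not part of the original notes, the script below checks the two artifacts the procedure above depends on before you click through the portals: the GoogleIDPMetadata.xml you upload to Azure AD (entityID, an https passive sign-in URL, and a signing certificate that has not expired) and the claims Google will send after the attribute mapping (persistent NameID, IDPEmail and the emailaddress claim, all equal to the invited address). The metadata, the certificate inside it and the assertion are constructed stand-ins with the same shape as the real ones; the idpid value and alice@gsuite.example are placeholders. The certificate is a bare DER structure with only the fields up to validity, enough to exercise the expiry parser and nothing more. Everything uses the Python standard library.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# The two attribute names from the G Suite "Microsoft Office 365" app mapping.
REQUIRED_ATTRS = ("IDPEmail", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")

def _tlv(buf, pos):
    """Decode one DER tag/length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, usual for a real certificate
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as UTC."""
    _, p, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)            # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                   # optional [0] EXPLICIT version
        p = end
    for _ in range(3):                # serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)            # validity SEQUENCE
    _, _, p = _tlv(der, p)            # notBefore, not needed here
    tag, s, e = _tlv(der, p)          # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def _der(tag, body):  # short-form DER encoder, used only to build the constructed sample cert
    return bytes([tag, len(body)]) + body

# Constructed stand-in for the X509Certificate in GoogleIDPMetadata.xml: only the leading
# tbsCertificate fields (version, serial, empty sig-alg and issuer, validity); no key, no signature.
_TBS = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
        + _der(0x30, _der(0x17, b"200716000000Z") + _der(0x17, b"490716000000Z")))
SAMPLE_CERT_B64 = base64.b64encode(_der(0x30, _der(0x30, _TBS))).decode()

# Constructed metadata in the shape the Google admin console exports; the idpid is a placeholder.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://accounts.google.com/o/saml2?idpid=C00example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=C00example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text, now=None):
    """Extract what the Azure AD 'New SAML/WS-Fed IdP' form records and flag problems."""
    now = now or datetime.now(timezone.utc)
    root, problems = ET.fromstring(xml_text), []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID (the Issuer URI Azure AD records)")
    urls = {e.get("Binding", "").rsplit(":", 1)[-1]: e.get("Location")
            for e in root.findall(".//md:SingleSignOnService", NS)}
    passive = urls.get("HTTP-Redirect") or urls.get("HTTP-POST")
    if not passive or not passive.startswith("https://"):  # Azure AD requires an https passive URL
        problems.append(f"passive sign-in URL missing or not https: {passive}")
    cert_b64 = not_after = None
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means signing and encryption
            cert_b64 = kd.findtext(".//ds:X509Certificate", namespaces=NS)
            break
    if not cert_b64:
        problems.append("no signing certificate; Azure AD could not validate assertions")
    else:
        not_after = cert_not_after(base64.b64decode(cert_b64))
        if not_after <= now:
            problems.append(f"signing certificate expired {not_after:%Y-%m-%d}; "
                            "re-download the metadata and update the IdP in Azure AD")
    return {"entity_id": entity_id, "passive_url": passive, "not_after": not_after, "problems": problems}

# Constructed assertion fragment as Google would send under the attribute mapping above.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject><saml:NameID Format="{PERSISTENT}">alice@gsuite.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{REQUIRED_ATTRS[0]}"><saml:AttributeValue>alice@gsuite.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{REQUIRED_ATTRS[1]}"><saml:AttributeValue>alice@gsuite.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""

def check_assertion_claims(xml_text, invited_email):
    """Return problems that would stop Azure AD matching this assertion to the invited guest."""
    root, problems = ET.fromstring(xml_text), []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or not in persistent format")
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
             for a in root.findall(".//saml:Attribute", NS)}
    problems.extend(f"missing attribute {n}" for n in REQUIRED_ATTRS if n not in attrs)
    emails = {attrs[n].lower() for n in REQUIRED_ATTRS if n in attrs}
    if name_id is not None and name_id.text:
        emails.add(name_id.text.strip().lower())
    if emails and emails != {invited_email.lower()}:  # Azure AD matches the guest by this address
        problems.append(f"claims {sorted(emails)} do not all match the invited user {invited_email}")
    return problems
```

To run it against a real download, pass the contents of GoogleIDPMetadata.xml to check_idp_metadata and an assertion captured from a browser SAML tracer to check_assertion_claims. The certificate check matters after setup too: Google's SAML signing certificate has a fixed lifetime, and direct federation stops working when it expires until the metadata is re-uploaded in Azure AD, so the notAfter date belongs in your renewal calendar.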