Notification

Planning your return to office strategy? See how ChromeOS can help.

Set up SSO and user provisioning between Microsoft Entra ID and ChromeOS

As an admin, you can set up user provisioning and single sign-on (SSO) between a Microsoft Entra ID tenant and your Google Workspace or Cloud Identity account. Then, your users can sign in to an Microsoft Entra ID authentication page instead of the Google sign-in screen on their ChromeOS devices.

Security Assertion Markup Language (SAML) single sign-on (SSO) support for ChromeOS devices allows users to sign in to a device with the same authentication mechanisms that you use within the rest of your organization. Their passwords can remain within your organization's Identity Provider (IdP). Signing in is very similar to signing in to a Google Workspace account from a browser via SAML SSO. However, because a user is signing in to a device, there are several additional considerations.

Before you begin

  • Your domain is configured in Microsoft Entra ID and Google (Workspace or Cloud Identity).
  • User account names are the same for Microsoft Entra ID and Google. The Microsoft Entra ID directory holds your domain as a registered subdomain.
  • These steps do not require a local federation, such as Active Directory Federation Services (ADFS). However, they do rely on the equivalent cloud based service bundled with the Microsoft Entra ID Free tier.

How to

Step 1: Create enterprise application
  1. Sign in to the Microsoft Azure portal.
  2. In the search box at the top, enter enterprise application and select it from the list of search results.
  3. At the top of the Enterprise applications pane, click New application.
  4. Under Cloud platforms, click Google Cloud Platform.
  5. Click Google Cloud/G Suite Connector by Microsoft.
  6. For Name, enter Google Cloud/G Suite Connector by Microsoft.
  7. Click Create.
Step 2: Assign a specific user to your enterprise application

Still in the Microsoft Azure portal:

  1. On the left, under Manage, click Users and groups. Or, on the Overview page, under Getting started, click Assign users and groups.
  2. At the top of the Users and groups pane, click Add user/group.
  3. In the Add Assignment pane on the left, under Users, click None selected.
  4. In the Users pane, select the user that you want.
  5. Click Select.
  6. In the Add Assignment pane, click Assign.
Step 3: Set up SSO with SAML

Still in the Microsoft Azure portal:

  1. On the left, under Manage, click Single sign-on.
  2. Select a single sign-on method. Click SAML.
  3. On the SAML-based Sign-on page, go to Basic SAML Configuration.
  4. Click Edit.
  5. Configure Identifier (Entity ID). Add URLs:
    • google.com/a/yourdomain.com
    • https://google.com/a/yourdomain.com
  6. Configure Reply URL (Assertion Consumer Service URL):
    1. Add URLs:
      • https://www.google.com/acs
      • https://www.google.com/a/yourdomain.com/acs
    2. Set the default:
      • Next to https://www.google.com/a/yourdomain.com/acs, check the Default box.
  7. Configure Sign on URL. Add URL:
    • https://www.google.com/a/yourdomain.com/ServiceLogin?continue=https://mail.google.com
  8. Click Save.
  9. Download the Base64 version of the certificate:
    1. Still on the SAML-based Sign-on page, go to SAML Signing Certificate.
    2. Next to Certificate (Base64), click Download.
  10. Gather the information that you'll need to configure the Google Cloud / G Suite Connector by Microsoft application to link with Microsoft Entra ID:
    1. Still on the SAML-based Sign-on page, go to Set up Google Cloud / G Suite Connector by Microsoft.
    2. Copy the URLs:
      • Login URL—The page where users sign in to your system and Google Workspace.
      • Logout URL—The page where users are redirected to after signing out.
Step 4: Configure Microsoft Entra SSO SSO

Configure third-party IdP settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2.  In the Admin console, go to Menu and then Securityand thenOverview.
  3. Click Set up single sign-on (SSO) with a third party IdP.
  4. Click Add SSO profile.
  5. Check the Set up SSO with third-party identity provider box.
  6. Enter your third-party IdP URLs:
    1. Sign-in page URL—Paste the Login URL that you copied in Step 3 above.
    2. Sign-out page URL—Paste the Logout URL that you copied in Step 3 above.
      Note: URLs must use HTTPS.
  7. Click Replace certificate.
  8. Select the file that you want to use and click Open.
  9. Click the Use a domain specific issuer box.
  10. For Change password URL, enter the URL:
    • https://account.activedirectory.windowsazure.com/changepassword.aspx
  11. Click Save.

Configure user settings

Still in the Admin console:

  1. In the Admin console, go to Menu and then Devicesand thenChromeand thenSettings. The User & browser settings page opens by default.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browserand thenSettings.

  2. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  3. Go to Security.
  4. For Single sign-on, select Enable SAML-based single sign-on for Chrome devices.
  5. (Optional) For SAML single sign-on login frequency, enter a value that is smaller than the password expiration time. For details about the setting, see Set Chrome policies for users or browsers.
  6. Click Save.

Configure device settings

Still in the Admin console:

  1. At the top of the page, click Device settings. Or, from the Admin console Home page, go to Devicesand thenChromeand thenSettingsand thenDevice.
  2. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  3. Go to Sign-in settings.
  4. For Single sign-on IdP redirection, select Allow users to go directly to SAML SSO IdP page. For details about the setting, see Set Chrome device policies.
  5. For Single sign-on cookie behavior, select Enable transfer of SAML SSO cookies into user session during sign-in. For details about the setting, see Set Chrome device policies.
  6. Click Save.
Step 5: Test ChromeOS devices
  1. Turn on a managed ChromeOS device.
  2. On the Sign in to your Chromebook page, click Next.
  3. On the Microsoft sign-in page, enter your AD username.
  4. Click Next.
  5. Enter your password.
  6. Click Sign in.
  7. To stay signed in and access the user session, click Yes.
Step 6: Configure Microsoft Entra ID users provisioning

When you signed up for Cloud Identity or Google Workspace, you created a super admin account. While you could use it for Microsoft Entra ID, we recommend that you create a separate super admin account that is used exclusively by Microsoft Entra ID.

Create user

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Directoryand thenUsers.
  3. At the top of the page, click Add new user.

    Add new user is selected at the top of the users table.

  4. Enter account information. For details, see Add an account for a new user.
  5. Click Add new user.
  6. To finish adding the new user, click Done.

Make user a super admin

Still in the Admin console:

  1. In the Admin console, go to Menu and then Directoryand thenUsers.
  2. In the Users list, find the new user that you just created.
  3. Click the user’s name to open their account page.
  4. Click Admin roles and privileges.

    Points out Administrative roles link.

  5. Click Assign roles.
  6. Next to the Super Admin role, click the slider so it's marked Assigned.
  7. Click Save.
    Tip: Have the new administrator add recovery options to their account.

The user typically becomes an admin within a few minutes. However, it can take up to 24 hours.

Manage user account provisioning

  1. Sign in to the Microsoft Azure portal.
  2. In the search box at the top, enter enterprise application and select it from the list of search results.
  3. Search for and click Google Cloud / G Suite Connector by Microsoft.
  4. On the left, under Manage, click Provisioning.
  5. Click Get started.
  6. For Provisioning mode, select Automatic.
  7. Click Admin Credentials.
  8. Click Authorize.
  9. Sign in using the new super admin account that you just created.
  10. Click Allow to confirm access to the Cloud Identity API.
  11. Under Admin Credentials, click Test Connection. You’ll see a message letting you know if you’re authorized to enable provisioning.
  12. (Optional) Under Mappings, configure user or group provisioning. We recommend that you use the default setting.
  13. Click Save.
  14. At the top of the Provisioning page, click Start provisioning.
  15. Wait until sync completes.

Related topics

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu