Office 365 cloud application

• Add your Google Workspace domain to Microsoft Office 365. For instructions, see Add a domain to Microsoft 365.
• Install PowerShell (with Microsoft Azure Active Directory Module).

Office 365 uses the ImmutableID attribute to uniquely identify users. For SSO between Google and Office 365 to work, each Office 365 user must have an ImmutableId, and the SAML Name ID attribute sent to Office 365 during SSO must be the same as the ImmutableId.

An Office 365 user’s ImmutableID varies according to how the user is created. Here are the most likely scenarios:

• No users yet in Office 365. If you set up Google to autoprovision users, you don’t have to configure ImmutableID, it is mapped by default to the user’s email address (the User Principle Name or UPN). Continue to Step 2 below.
• If users were created in Office 365 Admin console, ImmutableID should be blank. For these users, use the PowerShell Set-MsolUser command to set the ImmutableID in Office 365 to match the user’s UPN: 

  Set-MsolUser -UserPrincipalName testuser@your-company.com -ImmutableId testuser@your-company.com

  You can also use Set-MsolUser to bulk update all users. Refer to the PowerShell documentation for specific instructions.

• If users were created via Azure Active Directory sync, ImmutableID is an encoded version of the Active Directory objectGUID. For these users:
  1. Use PowerShell to retrieve the ImmutableID from Azure AD. For example, to retrieve ImmutableID for all users and export to a CSV file:

     $exportUsers = Get-MsolUser -All | Select-Object UserprincipalName, ImmutableID | Export-Csv C:\csvfile

  2. Create a custom attribute in Google, then populate each user’s profile with their Office 365 ImmutableID. For instructions see add a new custom attribute and update a user profile. You can also automate the process using GAM (an open source command line tool) or the Workspace Admin SDK.

For more information on ImmutableID, see Microsoft documentation.

1. Sign in to your Google Admin console.

   Sign in using an account with super administrator privileges (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAuthenticationSSO with SAML applications.

   You must be signed in as a super administrator for this task.

3. In the Set up single sign-on (SSO) section, copy and save the SSO URL and Entity ID, and download the Certificate.

Next you'll switch to Office 365 to do the setup steps in Step 3. You'll return to the Admin console in Step 4 below to finish SSO configuration.

1. In a new browser tab, log into your Office 365 application as an administrator.
2. Using a text editor, create PowerShell variables from the IdP data you copied from Google. Here are the values needed for each variable:

   Variable	Value
   $DomainName	“your-company.com”
   $FederationBrandName	“Google Cloud Identity” (or any value you choose)
   $Authentication	“Federated”
   $PassiveLogOnUrl $ActiveLogOnUri	“SSO URL” (from Google IdP information)
   $SigningCertificate	“Paste complete certificate here” (from Google IdP information)*
   $IssuerURI	“Entity ID” (from Google IdP information)
   $LogOffUri	“https://accounts.google.com/logout”
   $PreferredAuthenticationProtocol	“SAMLP”

   *Ensure the $SigningCertifcate variable is on one line of text, or PowerShell will return an error message.
3. Using the PowerShell console, run the Set-MsolDomainAuthentication command to configure your Active Directory domain for federation. Refer to the Microsoft PowerShell documentation for specific instructions.
4. (Optional) To test federation settings, use the following PowerShell command: 

   Get-MSolDomainFederationSettings -DomainName your-company.com | Format-List *

Note: If your domain is already federated and you need to change federation to Google, run the
Set-MsolDomainFederationSettings command, using the same parameters listed in the table above.

1. Sign in to your Google Admin console.

   Sign in using an account with super administrator privileges (does not end in @gmail.com).

2. In the Admin console, go to Menu  AppsWeb and mobile apps.
3. Click Add appSearch for apps.
4. Enter Office 365 in the search field.
5. In the search results, hover over the Office 365 SAML app and click Select.
6. On the Google Identity Provider details page, click Continue.
7. On the Service provider details page:
   1. Check Signed response.
   2. Set the Name ID format to "PERSISTENT”.
   3. If you created a custom attribute to add the Office 365 Immutable ID to your Google users' profiles (see Step 1 above), select the custom attribute as Name ID. Otherwise set Name ID to Basic Information > Primary email.
8. Click Continue.
9. On the Attribute mapping page, click the Select field menu and map the following Google directory attributes to their corresponding Office 365 attributes:
    

   Google Directory attribute	Office 365 attribute
   Basic Information > Primary Email	IDPEmail

10. (Optional) To enter group names that are relevant for this app:

    1. For Group membership (optional), click Search for a group, enter one or more letters of the group name, and select the group name.
    2. Add additional groups as needed (maximum of 75 groups).
    3. For App attribute, enter the service provider’s corresponding groups attribute name.

    Regardless of how many group names you enter, the SAML response will include only groups that a user is a member of (directly or indirectly). For more information, go to About group membership mapping.

11. Click Finish.

1. Sign in to your Google Admin console.

   Sign in using an account with super administrator privileges (does not end in @gmail.com).

2. In the Admin console, go to Menu  AppsWeb and mobile apps.
3. Select Office 365.
4. Click User access.

5. To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

6. (Optional) To turn a service on or off for an organizational unit:

   1. At the left, select the organizational unit.
   2. To change the Service status, select On or Off.
   3. Choose one:
      • If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
      • If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
        Note: Learn more about organizational structure.
7. To turn on a service for a set of users across or within organizational units, select an access group. For details, go to Use groups to customize service access.
8. Ensure that your Office 365 user account email IDs match those in your Google domain.

Office 365 supports both Identity Provider (IdP) initiated and Service Provider (SP) initiated SSO. Follow these steps to verify SSO in either mode:

IdP-initiated

1. Sign in to your Google Admin console.

   Sign in using an account with super administrator privileges (does not end in @gmail.com).

2. In the Admin console, go to Menu  AppsWeb and mobile apps.
3. Select Office 365.
4. At the top left, click Test SAML login. 

   Office 365 should open in a separate tab. If it doesn’t, use the information in the resulting SAML error messages to update your IdP and SP settings as needed, then retest SAML login.

SP-initiated

1. Open https://login.microsoftonline.com/.
   You should be automatically redirected to the Google sign in page.
2. Enter your sign in credentials.
3. After your sign in credentials are authenticated you will be automatically redirected back to Office 365.

As a super administrator, you can automatically provision users in the Office 365 application.