Entra ID SSO with Google as IdP

Question

Entra ID SSO with Google as IdP

Irvanda 136

Hi,

I am configuring for M365 SSO with Google as IdP by following the guide from this Google documentation :

https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F6363817%3Fhl%3Den&assistant_id=generic-unu&product_context=6363817&product_name=UnuFlow&trigger_context=a

In the Office 365 as SAML Service Provider setup, I run the following script but it always fails.

Here is the powershell script (of course I have adjusted the variable values to the values from Google) I used and the failure information I got.

$dom = "ourDomain.com"
$BrandName = "Whatever you want it to be"
$LogOnUrl = GoogleSSOURL
$LogOffUrl = "https://accounts.google.com/logout"
$ecpUrl = GoogleSSOURL
$MyURI = GoogleEntityID
$MySigningCert = CertFromGoogle
$uri = GoogleEntityID
$Protocol = "SAMLP"

Set-MsolDomainAuthentication
   -DomainName $dom
   -FederationBrandName $BrandName
   -Authentication Federated
   -PassiveLogOnUri $LogOnUrl
   -ActiveLogOnUri $ecpUrl
   -SigningCertificate $MySigningCert
   -IssuerUri $MyURI
   -LogOffUri $LogOffUrl
  -PreferredAuthenticationProtocol $Protocol

Accepted answer

0 additional answers

Your answer

Answer 1

Raja Pothuraju 16,840 Microsoft External Staff

Hello @Irvanda,

Thank you for posting your query on Microsoft Q&A.

Based on your description, it appears you are attempting to federate your custom domain with Google IDP. However, when running the Set-MsolDomainAuthentication command, you are encountering the error message:

"Set-MsolDomainAuthentication: Unable to complete this action. Try again later."

This error often occurs when the IssuerUri value is not unique. To resolve this issue, it is recommended to use a unique IssuerUri. You can refer to the following Stack Overflow thread, where a similar issue was resolved by ensuring the IssuerUri was unique: https://stackoverflow.com/questions/57397743/o365-federation-setup-set-msoldomainauthentication-unable-to-complete-actio

To confirm if the IssuerUri is unique, try adding a small modification to the end of the URI in the URL.

If the IssuerUri is confirmed to be unique and the issue persists, I recommend using Microsoft Graph PowerShell commands instead of the MSOL PowerShell command, as the latter is scheduled for deprecation between January 20, 2025, and March 30, 2025.

For more details about this deprecation, refer to this blog post:

https://techcommunity.microsoft.com/blog/identity/action-required-msonline-and-azuread-powershell-retirement---2025-info-and-resou/4364991

You can find documentation for the Microsoft Graph command here:

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomainfederationconfiguration?view=graph-powershell-1.0&viewFallbackFrom=graph-powershell-beta

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Raja Pothuraju.

Irvanda 136 Reputation points

2025-01-17T08:11:05.6066667+00:00

Hi Raja,

What are the details to make modifications at the end of the uri in the URL?

If I can still use the Set-MsolDomainAuthentication command, will the running federate configuration be deleted when Set-MsolDomainAuthentication deprecates?
Raja Pothuraju 16,840 Reputation points Microsoft External Staff

2025-01-17T08:28:55.0766667+00:00
Hello @Irvanda,

Thank you for quick response.

Typically, the IssuerUri for Google IDP is formatted as: https://accounts.google.com/o/saml2?idpid=<Google Customer ID>

Ensure that your Google Customer ID is unique and exclusively used by you. For example: https://accounts.google.com/o/saml2?idpid=1234

If the same IssuerUri is used by another domain, it cannot be reused in your tenant. To address this, I recommend making a slight modification to the end of the URI to make it unique. For instance: https://accounts.google.com/o/saml2?idpid=1234567

Regarding your question:

If I still use the Set-MsolDomainAuthentication command, will the existing federated configuration be deleted when Set-MsolDomainAuthentication is deprecated?

No, if you federate your domain now using MSOL commands, the configuration will remain intact and continue to function as expected even after the deprecation of MSOL. The deprecation only affects the ability to use MSOL commands moving forward, not the existing configurations.

The Microsoft Graph commands you can use which something look like below:

Connect-MgGraph ` -Scopes 'Directory.ReadWrite.All Domain.ReadWrite.All Directory.AccessAsUser.All' ` -TenantId $tenant_id New-MgDomainFederationConfiguration ` -DomainId domain.com` -ActiveSignInUri "https://google/saml/v2/SSO" ` -DisplayName "name" ` -IssuerUri "https://google/saml/v2/metadata" ` -MetadataExchangeUri "https://google/saml/v2/metadata" ` -PassiveSignInUri "https://google/saml/v2/SSO" ` -SignOutUri "https://google/saml/v2/SLO" ` -SigningCertificate "XXXXXX" ` -FederatedIdpMfaBehavior "rejectMfaByFederatedIdp" ` -PreferredAuthenticationProtocol "saml" | Format-List

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration?view=graph-powershell-1.0

Thanks,
Raja Pothuraju.

Share via

Entra ID SSO with Google as IdP

0 additional answers

Your answer