Set up SSO between MS 365 and Google

Awwab Asif 20 Reputation points
2025-02-11T17:10:12.4066667+00:00

I am reaching out to you today for assistance with setting up SSO using Google as the Identity Provider and Microsoft as the Service Provider. I am encountering issues specifically with the execution of a PowerShell script using Microsoft Graph to create a domain federation configuration for redirecting users to Google for authentication.

I have been through the following steps:

1. Configure Google as the Identity Provider:
   • Create a Google Application:
     - Go to the Google Developers Console.
     - Create a new project and configure OAuth consent screen.
     - Create OAuth credentials and note down the Client ID and Client Secret.
2. Set Up Microsoft as the Service Provider:
   • Configure SAML in Microsoft:
     - In the Microsoft Entra admin center, navigate to Identity > External Identities > All identity providers.
     - Select Google and configure it by entering the necessary details such as the Client ID and Client Secret obtained from Google.
3. PowerShell Script for Domain Federation:
   • Install Microsoft Graph PowerShell Module:
       Install-Module Microsoft.Graph -Scope CurrentUser
   • Connect to Microsoft Graph:
       Connect-MgGraph -Scopes "Domain.ReadWrite.All"
   • Create Domain Federation Configuration:
       $domain = "yourdomain.com"
       $googleMetadataUrl = "https://accounts.google.com/.well-known/openid-configuration"
       New-MgDomainFederationConfiguration -DomainName $domain -MetadataUrl $googleMetadataUrl -IssuerUri "https://accounts.google.com"

(screenshot attached: image.png)

Is this an issue with Google or am I missing something?


3 answers

  1. Jonathan Pereira Castillo 14,145 Reputation points Microsoft Vendor
    2025-02-11T19:09:09.69+00:00

    Hi Awwab Asif,

    It looks like you're encountering an issue with insufficient privileges when trying to create a domain federation configuration using Microsoft Graph. Let's go through the steps to ensure everything is set up correctly and troubleshoot the issue.

    Steps to Set Up SSO Between Microsoft 365 and Google

    1. Configure Google as the Identity Provider

    • Create a Google Application:
      1. Go to the Google Developers Console.
      2. Create a new project and configure the OAuth consent screen.
      3. Create OAuth credentials and note down the Client ID and Client Secret.

    2. Set Up Microsoft as the Service Provider

    • Configure SAML in Microsoft:
      1. In the Microsoft Entra admin center, navigate to Identity > External Identities > All identity providers.
      2. Select Google and configure it by entering the necessary details such as the Client ID and Client Secret obtained from Google.

    3. PowerShell Script for Domain Federation

    • Install Microsoft Graph PowerShell Module:
        Install-Module Microsoft.Graph -Scope CurrentUser
      
    • Connect to Microsoft Graph:
        Connect-MgGraph -Scopes "Domain.ReadWrite.All"
      
    • Create Domain Federation Configuration:
        $domain = "yourdomain.com"
        $googleMetadataUrl = "https://accounts.google.com/.well-known/openid-configuration"
        New-MgDomainFederationConfiguration -DomainName $domain -MetadataUrl $googleMetadataUrl -IssuerUri "https://accounts.google.com"
      

    Troubleshooting the Issue

    1. Check Permissions

    The error message indicates insufficient privileges. Ensure that the account you're using has the necessary permissions to create domain federation configurations. You need to have the Domain.ReadWrite.All permission.

    2. Update Microsoft Graph PowerShell Module

    Make sure you are using the latest version of the Microsoft Graph PowerShell module. You can update it using:

    Update-Module Microsoft.Graph
    

    3. Verify Configuration

    Double-check the configuration details, such as the Client ID, Client Secret, and metadata URL, to ensure they are correct.

    4. Debugging

    Use the -Debug parameter to get more detailed information about the error:

    New-MgDomainFederationConfiguration -DomainName $domain -MetadataUrl $googleMetadataUrl -IssuerUri "https://accounts.google.com" -Debug
    

    References

    I hope these steps help you resolve the issue. If you need further assistance, feel free to ask. Good luck with your setup!

    Best regards,
    Jonathan


    Your feedback is very important to us! If this answer resolved your query, please click 'YES'. This helps us continuously improve the quality and relevance of our solutions. Thank you for your cooperation!
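The domain federation step as an added example, not code from the question or the answer above: the shipped New-MgDomainFederationConfiguration cmdlet identifies the domain with -DomainId and takes SAML/WS-Fed settings (issuer, passive sign-in URL, signing certificate) rather than a -DomainName/-MetadataUrl pair, so this script checks the token scope and the domain state first and then creates the federation from placeholder values. Assumed placeholders: yourdomain.com, the display name and every URI and certificate value in $fed, which come from the IdP's SAML metadata.

```powershell
# Added example, not from the thread. Placeholders: yourdomain.com and every
# value in $fed; take the real ones from the IdP's SAML metadata document.
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

# Fail early if the token does not actually carry the scope the cmdlet needs.
# One common cause of "insufficient privileges" for an admin account is a
# cached session whose token was issued without this scope.
$ctx = Get-MgContext
if ($ctx.Scopes -notcontains "Domain.ReadWrite.All") {
    throw "Token lacks Domain.ReadWrite.All; disconnect, reconnect and consent to the scope."
}

# Federation is only allowed on a verified custom domain, never on the initial
# tenant domain; check before calling the API.
$domain = "yourdomain.com"                      # placeholder
$d = Get-MgDomain -DomainId $domain
if (-not $d.IsVerified) { throw "$domain is not verified in this tenant." }
if ($d.IsInitial)       { throw "$domain is the initial domain and cannot be federated." }
if ($d.AuthenticationType -eq "Federated") {
    throw "$domain is already federated; use Update-MgDomainFederationConfiguration instead."
}

# SAML settings for the IdP. rejectMfaByFederatedIdp keeps MFA enforcement in
# Entra rather than trusting an MFA claim asserted by the IdP.
$fed = @{
    DisplayName                     = "Google Workspace SAML"            # placeholder
    IssuerUri                       = "https://IDP-ENTITY-ID-PLACEHOLDER"
    PassiveSignInUri                = "https://IDP-SSO-URL-PLACEHOLDER"
    SignOutUri                      = "https://IDP-LOGOUT-URL-PLACEHOLDER"
    SigningCertificate              = "BASE64-IDP-SIGNING-CERT-PLACEHOLDER"
    PreferredAuthenticationProtocol = "saml"
    FederatedIdpMfaBehavior         = "rejectMfaByFederatedIdp"
}
New-MgDomainFederationConfiguration -DomainId $domain @fed

# Read the configuration back so it can be reviewed before any user signs in
# through the federated domain.
Get-MgDomainFederationConfiguration -DomainId $domain |
    Select-Object DisplayName, IssuerUri, PassiveSignInUri, PreferredAuthenticationProtocol
```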


  2. Awwab Asif 20 Reputation points
    2025-02-12T09:57:16.6666667+00:00

    I am a Global Admin and have run through the steps as provided but am still getting the same error message.

    Please provide further assistance.


  3. Jonathan Pereira Castillo 14,145 Reputation points Microsoft Vendor
    2025-02-12T16:16:01.6266667+00:00

    Thank you, Awwab Asif

    Since you're still encountering issues, here are some additional steps and suggestions to help troubleshoot and resolve the problem:

    Additional Troubleshooting Steps

    1. Verify Permissions and Roles
      • Ensure that the account you're using has the Domain.ReadWrite.All permission. As a Global Admin, you should have this permission, but it's worth double-checking.
      • You can verify your permissions by navigating to Azure Active Directory > Roles and administrators in the Azure portal.
    2. Update Microsoft Graph PowerShell Module
      • Make sure you are using the latest version of the Microsoft Graph PowerShell module. You can update it using the following command:
             Update-Module Microsoft.Graph
        
    3. Check Configuration Details
      • Double-check the configuration details, such as the Client ID, Client Secret, and metadata URL, to ensure they are correct. Any discrepancies can cause issues with the setup.
    4. Use Debugging Tools
      • Use the -Debug parameter to get more detailed information about the error. This can help identify the specific issue causing the problem:
             New-MgDomainFederationConfiguration -DomainName $domain -MetadataUrl $googleMetadataUrl -IssuerUri "https://accounts.google.com" -Debug
        
    5. Review Logs and Error Messages
      • Check the logs and error messages generated during the execution of the PowerShell script. This can provide insights into what might be going wrong.
    6. Consult Documentation

    Feel free to ask if you have any more questions or need further assistance! 

    Best regards,

    Jonathan


    Your feedback is very important to us! If this answer resolved your query, please click 'YES'. This helps us continuously improve the quality and relevance of our solutions. Thank you for your cooperation!

