Enable Google Federation in Microsoft Entra for external users with Gmail accounts

When an invitation to use Collaborate is sent to a client's Gmail account, the recipient will receive a SharePoint code that is commonly delivered to their Junk/Trash email folder. There can also be a delay before the code arrives.

To overcome this, Google Federation can be enabled in Microsoft Entra.

External users are then able to access the shared content with your practice using their existing Gmail account ID and password. This provides clients with faster access to any shared documents or to the shared folders. If a client is already logged into Google, they won't need to enter a password.

Step 1 - Prerequisites

Google Account

You will need to either create or select a Google account that can be used to enable Google Federation. This will be required in Step 2.

Configure SharePoint Admin Center settings

You will need to configure your SharePoint Admin Settings to provide authentication and management of guests accessing your New Collaborate site. Refer to Setting up Microsoft 365 for New Collaborate.

Step 2 - Configure Google Project and App Registration

For more information refer to the Microsoft article Add Google as an identity provider for B2B guest users.

  1. Open the Google Cloud Platform from https://console.developers.google.com/ and log in using the Google account from Step 1.

  2. Click Select a project.

  3. Click New Project.

  4. Enter the Project name (for example, "Google Federation for FYI").

  5. Click Create.

  6. Open the new project by selecting the link in the Notifications message box, or by using the project menu at the top of the page.

  7. In the left menu, select API & Services, then click the OAuth consent screen.

  8. Under User Type, select External and then click Create. The App Creation screen displays.

  9. Enter the App name (for example, "Google Federation for FYI").

  10. Enter an email address for the User support email.

  11. You can optionally add a logo by clicking Browse for App logo.
    Important Note: If an image is uploaded after the app has been published, Google will need to verify it.

  12. In the Authorised domain section, click Add Domain and enter "microsoftonline.com" (without quotation marks).

  13. In the Developer contact information section, add an email address.

  14. Click Save and Continue.

  15. In the left menu, select Credentials.

  16. Select Create Credentials, and then select OAuth client ID.

  17. In the Application type menu, select Web application.

  18. Give the application a suitable name, for example "Google Federation for FYI".

  19. Under Authorized redirect URIs add the following URLs:
    Note: The text in angle brackets (for example <tenant ID>) will need to be replaced with details unique to your practice, ensuring the angle brackets themselves are also removed.

    • https://login.microsoftonline.com

    • https://login.microsoftonline.com/te/<tenant ID>/oauth2/authresp 
      (Refer to the Microsoft article How to find your Microsoft Entra tenant ID)

    • https://login.microsoftonline.com/te/<tenantname>.onmicrosoft.com/oauth2/authresp
      (Where <tenantname> can be obtained from the URL of the sharepoint site, for example, https://yourgrowthpartners.sharepoint.com would have a tenant name of "yourgrowthpartners")

  20. Click Create.

  21. The Client ID and Client Secret display. Copy and save both of these to a safe location to be used in the next Step.

  22. Click the Publish app button on the OAuth consent screen to make the app available to any clients with a Google Account.

Note: Adding a Google identity provider to a user flow is not required.

Step 3 - Add Google Federation as an Identity Provider

  1. Open Azure Active Directory from https://portal.azure.com/ and log in.

  2. Click Identity Providers.

  3. Click Google in the menu at the top.

  4. Enter the Client ID and Client Secret that were saved in Step 2 above.

  5. Click Save.

Step 4 - Test the User Experience

  1. In FYI, share a document via Collaborate with a test client that is set up to use a Google account (refer to Sharing Documents via Collaborate).
    Alternatively, add a test client to the Sharing Settings, where the client is set up to use a Google account (refer to Sharing the Share Folder with the Client).

  2. After opening the link in the email received by the test client, enter the Gmail account in the Microsoft login screen. Microsoft will redirect this to the accounts.google.com authentication screen.

  3. Enter the Gmail account of the test client the document or invite was sent to.

  4. Enter the password for this account.

  5. Complete the 2-Step Verification code (if applicable).

  6. Review and accept the permissions as the client. This is for the guest account creation and administration in Azure Active Directory.

  7. Check that the document or folder that was shared is available to the test client.

Step 5 - Review the Guest Account Creation in Azure

  1. Open Azure Active Directory from https://portal.azure.com/ and log in as in Step 3 above.

  2. Click Users.

  3. Search for the guest user account for the test client with which the document or folder was shared.

  4. Ensure that the Identity Issuer shows as "google.com".

If the user has previously logged in with Microsoft, Azure will not show google.com. Instead, the user will continue to be redirected to Microsoft to log in. To redirect the user to Google, you will need to reset the user's "Redemption Status". Refer to the Microsoft article Reset redemption status for a guest user.
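The following script is an added example and is not part of this article, FYI, or Microsoft's own tooling. It covers two places where the manual steps above are easy to get wrong: building the three redirect URIs from Step 2 (item 19), where a tenant ID left in angle brackets or a mistyped tenant name silently breaks the sign-in, and the Step 5 check of the Identity Issuer, applied to guest user objects in the shape returned by Microsoft Graph (userType, externalUserState and the identities collection). The guest records, e-mail addresses and the non-Google issuer value are constructed sample data; the reset-redemption request body follows the Graph invitation resource as the author understands it (an assumption), and nothing here calls Graph itself.

```python
import re
from urllib.parse import urlparse

# Tenant IDs are GUIDs; anything else (including leftover angle brackets)
# gives a redirect URI that Google will accept but Microsoft never sends.
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
LOGIN = "https://login.microsoftonline.com"


def tenant_name_from_sharepoint(url: str) -> str:
    """Take the tenant name from a SharePoint Online URL, e.g.
    https://yourgrowthpartners.sharepoint.com -> 'yourgrowthpartners'."""
    host = (urlparse(url).hostname or "").lower()
    if not host.endswith(".sharepoint.com"):
        raise ValueError(f"not a SharePoint Online host: {host!r}")
    name = host.split(".")[0]
    if not name:
        raise ValueError("empty tenant name")
    return name


def redirect_uris(tenant_id: str, sharepoint_url: str) -> list[str]:
    """Build the three authorised redirect URIs from Step 2, item 19.
    Angle brackets and whitespace around the tenant ID are stripped and
    the value is checked to be a GUID before it goes into a URL."""
    tenant_id = tenant_id.strip().strip("<>").strip()
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenant ID is not a GUID: {tenant_id!r}")
    name = tenant_name_from_sharepoint(sharepoint_url)
    return [
        LOGIN,
        f"{LOGIN}/te/{tenant_id}/oauth2/authresp",
        f"{LOGIN}/te/{name}.onmicrosoft.com/oauth2/authresp",
    ]


def classify_guest(user: dict) -> str:
    """Apply the Step 5 check to one Graph user object (assumed shape):
    the guest is correctly federated only if one of its 'federated'
    identities is issued by google.com."""
    if user.get("userType") != "Guest":
        return "not-a-guest"
    issuers = {
        ident.get("issuer", "").lower()
        for ident in user.get("identities", [])
        if ident.get("signInType") == "federated"
    }
    if "google.com" in issuers:
        return "google-federated"
    if user.get("externalUserState") == "PendingAcceptance":
        return "pending"  # invitation not redeemed yet; nothing to reset
    return "redeemed-elsewhere"  # the case in the note above: reset redemption


def guests_needing_reset(users: list[dict]) -> list[dict]:
    """Guests who already redeemed their invitation through Microsoft
    and will keep being sent there until their redemption status is reset."""
    return [u for u in users if classify_guest(u) == "redeemed-elsewhere"]


def reset_redemption_request(user: dict, invite_redirect_url: str) -> dict:
    """Body for a Graph POST /invitations with resetRedemption set
    (assumption: shape as documented for the invitation resource)."""
    return {
        "invitedUserEmailAddress": user["mail"],
        "inviteRedirectUrl": invite_redirect_url,
        "resetRedemption": True,
        "sendInvitationMessage": False,
    }


# Constructed sample data in the shape of Graph user objects. The
# "MicrosoftAccount" issuer is illustrative of "anything other than google.com".
SAMPLE_GUESTS = [
    {"mail": "test.client@gmail.com", "userType": "Guest", "externalUserState": "Accepted",
     "identities": [{"signInType": "federated", "issuer": "google.com",
                     "issuerAssignedId": "test.client@gmail.com"}]},
    {"mail": "earlier.client@gmail.com", "userType": "Guest", "externalUserState": "Accepted",
     "identities": [{"signInType": "federated", "issuer": "MicrosoftAccount",
                     "issuerAssignedId": "earlier.client@gmail.com"}]},
    {"mail": "new.client@gmail.com", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "identities": []},
    {"mail": "staff@yourgrowthpartners.onmicrosoft.com", "userType": "Member",
     "identities": [{"signInType": "userPrincipalName",
                     "issuer": "yourgrowthpartners.onmicrosoft.com"}]},
]

if __name__ == "__main__":
    # Placeholder GUID; use your own tenant ID from the Microsoft article.
    for uri in redirect_uris("<12345678-1234-1234-1234-123456789abc>",
                             "https://yourgrowthpartners.sharepoint.com"):
        print(uri)
    for guest in SAMPLE_GUESTS:
        print(f"{guest['mail']:42} {classify_guest(guest)}")
    for guest in guests_needing_reset(SAMPLE_GUESTS):
        print("needs redemption reset:", guest["mail"])
```

Only guests whose federated identity is issued by google.com are left alone; a guest that is "Accepted" with any other issuer is the situation the note above describes and is listed for a redemption reset, while a pending invitation is reported but needs no action.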
