Federating Google Cloud with Azure Active Directory

This article describes how you can configure Cloud Identity or Google Workspace to use Azure AD as IdP and source for identities.

The article compares the logical structure of Azure AD with the structure used by Cloud Identity and Google Workspace and describes how you can map Azure AD tenants, domains, users, and groups.

Implementing federation

Google Cloud uses Google identities for authentication and access management. Manually maintaining Google identities for each employee can add unnecessary management overhead when all employees already have an account in Azure AD. By federating user identities between Google Cloud and your existing identity management system, you can automate the maintenance of Google identities and tie their lifecycle to existing users in Azure AD.

Federate Cloud Identity with Azure AD

Setting up federation between Azure AD and Cloud Identity or Google Workspace entails two pieces:

  • Provisioning users: Relevant users and groups are synchronized periodically from Azure AD to Cloud Identity or Google Workspace. This process ensures that when you create a new user in Azure AD or synchronize a new user from Active Directory to Azure AD, it's also made available in Google Cloud so that it can be referenced in Google Cloud even before the associated user has logged in for the first time. This process also ensures that user deletions are being propagated.

    Provisioning works one way, which means changes in Azure AD are replicated to Google Cloud but not vice versa. Also, provisioning doesn't include passwords.

  • Single sign-on: Whenever a user needs to authenticate, Google Cloud delegates the authentication to Active Directory by using the Security Assertion Markup Language (SAML) protocol. Depending on your Azure AD configuration, Azure AD might do one of the following:

    • Perform authentication itself.
    • Use pass-through authentication or password hash synchronization.
    • Delegate authentication to an on-premises AD FS server.

Having Cloud Identity or Google Workspace delegate authentication to Azure AD not only avoids having to synchronize passwords to Google Cloud, it also ensures that any applicable policies or multi-factor authentication (MFA) mechanisms you have configured in Azure AD or AD FS are enforced.

Logical structure of Azure AD

When you use Azure, you use one or more Azure AD tenants (also referred to as directories). Azure AD tenants are a top-level structure. They are considered administrative boundaries, and serve as containers for users, groups, as well as resources and resource groups.

Each Azure AD tenant has at least one DNS domain associated with it. This DNS domain is reflected in usernames (also referred to as User Principal Names or UPNs), which take the form of [name]@[domain], where [domain] is one of the DNS domains associated with the respective tenant.

Logical structure of Azure AD

An enterprise might maintain multiple Azure AD tenants. Common reasons for having multiple tenants include distinguishing between different parts of the organization, separating production resources from development and testing resources, and using separate tenants to integrate multiple forests from an on-premises Active Directory.

Logical structure of Google Cloud

In Google Cloud, organizations serve as containers for all resources, and they can be further segmented by using folders and projects. However, except for service accounts, organizations aren't used to manage users and groups, making organizations different from Azure AD tenants.

For managing users and groups, Google Cloud relies on Cloud Identity or Google Workspace. A Cloud Identity or Google Workspace account serves as a private directory for users and groups. As an administrator of the account, you can control the lifecycle and the configuration of users and groups and define how authentication can be performed.

Logical structure of Google Cloud

When you create a Cloud Identity or Google Workspace account, a Google Cloud organization is created automatically for you. The Cloud Identity or Google Workspace account and the Google Cloud organization that's associated with it share the same name and are tied to each other. However, a Google Cloud organization is allowed to reference users and groups from other Cloud Identity or Google Workspace accounts.

Integrating Azure AD and Google Cloud

Despite certain similarities between the logical structure of Azure AD and Google Cloud, no single mapping between the two structures works equally well in all scenarios. Instead, the right approach to integrating the two systems and mapping the structure depends on multiple factors:

  • How to map Azure AD tenants to Cloud Identity or Google Workspace accounts
  • How to map DNS domains
  • How to map users
  • How to map groups

The following sections look at each of these factors.

Google Cloud interacts only with Azure AD, not with your on-premises Active Directory. So the way you've mapped forests and domains of your on-premises Active Directory to Azure AD is of minor concern.

Mapping Azure AD tenants

Single tenant

If you use only a single Azure AD tenant, you can map the tenant to a single Cloud Identity or Google Workspace account and set up federation between the two. This Cloud Identity or Google Workspace account then provides the basis for a single Google Cloud organization that you can use to manage all Google Cloud resources.

Mapping a tenant to a single Cloud Identity account

Multiple tenants

In larger organizations, it's not uncommon to have more than one Azure AD tenant. Multiple tenants might be used to differentiate between testing and production environments, or to differentiate between different parts of an organization.

Although it's possible to provision users and groups from more than one Azure AD tenant to a single Cloud Identity or Google Workspace account, it's currently not possible to set up single sign-on in a way that works for users across multiple Azure AD tenants. If you use multiple Azure AD tenants, you'll need to create a separate Cloud Identity or Google Workspace account for each tenant and set up federation between each pair.

In Google Cloud, a separate organization is created for each Cloud Identity or Google Workspace account. Because Google Cloud allows resources to be organized using projects and folders within a single organization, having more than one organization is often impractical. However, you can select one of the organizations and associate it with the other Cloud Identity or Google Workspace accounts, effectively creating an organization that is federated with multiple Active Directory forests. The other organizations remain unused.

Organization that is federated with multiple Active Directory forests

External users

With Azure AD B2B, you can invite external users as guests to your Azure AD tenant. A new user is created for each guest and Azure AD automatically assigns a UPN to these guest users. The UPN that Azure AD generates uses a prefix derived from the invitee's email address, combined with the tenant's initial domain: [prefix]#EXT#@[tenant].onmicrosoft.com.

Provisioning guest users from Azure AD to Cloud Identity or Google Workspace is subject to certain limitations:

  • You cannot map the UPN of guest users to email addresses in Cloud Identity or Google Workspace because onmicrosoft.com is a domain that cannot be added and verified in Cloud Identity or Google Workspace. You therefore have to map users by using an attribute other than the UPN.
  • If a guest user is suspended in its home tenant, then the corresponding user in Cloud Identity or Google Workspace might remain active and access to Google Cloud resources might not be properly revoked.

A better way to deal with guest users that originate from a different Azure AD tenant is to create multiple Cloud Identity or Google Workspace accounts as outlined in the previous section, each federated with a different Azure AD tenant.

To grant an external user access to certain Google Cloud resources, it's not a prerequisite for the user to have a user account in Cloud Identity or Google Workspace. Unless restricted by policy, you can also add the external user directly as a member to the respective projects, folders, or organization, provided the user has a Google identity.

Mapping DNS domains

DNS plays a crucial role, both for Azure AD and for Cloud Identity and Google Workspace. The second factor to look at when planning to federate Azure AD and Google Cloud is how you can share or map DNS domains between Active Directory and Google Cloud.

Usage of DNS domains in Google Cloud

Google Sign-In, which Google Cloud relies on for authentication purposes, uses email addresses to identify users. Using email addresses not only guarantees that they are globally unique, but also enables Google Cloud to send notification messages to the addresses.

Google Sign-In determines the directory or identity provider to use for authenticating a user based on the domain part of the email addresses, which follows the @. For an email address that uses the gmail.com domain, for example, Google Sign-In uses the directory of Gmail users for authentication.

Usage of DNS domains in GCP

When you sign up for a Google Workspace or Cloud Identity account, you're creating a private directory that Sign-In can use for authentication. In the same way that the Gmail directory is associated with the gmail.com domain, Google Workspace and Cloud Identity accounts need to be associated with a custom domain. Three different kinds of domains are used:

  • Primary domain: This domain identifies the Cloud Identity or Google Workspace account and is used as the name for the organization in Google Cloud. When signing up for Cloud Identity or Google Workspace, you must specify this domain name.
  • Secondary domain: Along with the primary domain, you can associate other, secondary domains with a Cloud Identity or Google Workspace account. Each user in the directory is associated with either the primary domain or one of the secondary domains. Two users, johndoe@example.com and johndoe@secondary.example.com, are considered separate users if example.com is the primary domain and secondary.example.com is a secondary domain.
  • Alias domain: An alias domain is an alternative domain for the primary domain. That is, johndoe@example.com and johndoe@alias.example.com refer to the same user if alias.example.com is set up as an alias domain. An alias domain can only provide an alternative name for the primary domain; it's not possible to add alias domains for secondary domains.

All domains must satisfy the following requirements:

  • They must be valid, global DNS domain names. During setup, you might need administrative access to the respective DNS zones in order to verify domain ownership.
  • A domain, such as example.com, can refer only to a single directory. However, you can use different subdomains, such as subdomain.example.com, to refer to different directories.
  • Primary and secondary domains should have a valid MX record so that messages sent to email addresses that are formed by using this domain name can be delivered properly.

Usage of DNS domains in Azure AD

The way Cloud Identity and Google Workspace uses DNS is similar to how Azure AD relies on DNS to distinguish Azure AD tenants and associate usernames with tenants. But be aware of two notable differences:

  1. Initial domains: When you create an Azure AD tenant, the tenant is associated with an initial domain, which is a subdomain of onmicrosoft.com. This domain is different from any custom domain name that you might register in that you don't own the domain and that you don't have administrative access to the respective DNS zone.

    Cloud Identity doesn't have an equivalent of an initial domain and instead requires that you own all domains that you associate with a Cloud Identity account. This requirement means that you cannot register an onmicrosoft.com subdomain as a Cloud Identity domain.

  2. Domains used in user identifiers: Azure AD distinguishes between email addresses MOERAs (Microsoft Online Email Routing Addresses) and UPNs. Both follow an RFC 822 format (user@domain), but they serve different purposes: Where UPNs are used to identify users and are used in the sign-on form, only MOERAs are used for delivering email.

    The domain suffix used by UPNs is required to match one of the registered domains of your Azure AD tenant—the same requirement does not apply to email addresses.

    Cloud Identity and Google Workspace doesn't rely on the concept of a UPN and instead use a user's email address as an identifier. Consequently, the domain used by the email address must match one of the registered domains of the Cloud Identity or Google Workspace account.

An Azure AD tenant and a Cloud Identity or Google Workspace account can use the same DNS domains. Considering the two differences outlined above, you should base your domain mapping on how you plan to map users between Azure AD and Cloud Identity or Google Workspace.

Mapping users

The third factor to look at when planning to federate Active Directory and Google Cloud is how to map users between Azure AD and Cloud Identity or Google Workspace.

Successfully mapping Azure AD users to users in Cloud Identity or Google Workspace requires two pieces of information for each user:

  1. A stable, unique ID that you can use during synchronization to track which Azure AD user corresponds to which user in Cloud Identity or Google Workspace.
  2. An email address for which the domain part corresponds to a Cloud Identity primary, secondary, or alias domain. Because this email address will be used throughout Google Cloud, the address should be human-readable.

Internally, Azure AD identifies users by ObjectId, which is a randomly generated, globally unique ID. While this ID is stable and therefore meets the first requirement, it's meaningless to humans and doesn't follow the format of an email address. To map users, the only practical options are to map by UPN or by email address.

Mapping users by email address

If the user enters an email address that belongs to a Cloud Identity or Google Workspace account that is configured to use single sign-on with Azure AD, the user is then redirected to the Azure AD sign-on screen.

Azure AD uses UPNs, not email addresses, to identify users, so the sign-on screen prompts the user to provide a UPN.

Sign-on screen that prompts for a UPN

If the Azure AD tenant is configured to use AD FS for sign-on, another redirect takes the user to the AD FS sign-on screen. AD FS can identify users either by their Active Directory UPN or by their Pre–Windows 2000 logon name (domain\user).

AD FS sign-on screen

If the email address used for Cloud Identity or Google Workspace, the UPN used by Azure AD, and the UPN used by Active Directory all differ, the sequence of sign-on screens can easily become confusing for end users. In contrast, if all three identifiers are the same as in the example screenshots (johndoe@example.com), then users aren't exposed to the technical differences between UPNs and email addresses, minimizing potential confusion among your users.

Mapping by UPN

From a user-experience perspective, mapping Azure AD UPNs to Cloud Identity or Google Workspace email addresses might be considered the best option. Another benefit of relying on UPNs is that Azure AD guarantees uniqueness so that you avoid the risk of naming clashes.

However, in order to map Azure AD UPNs to Cloud Identity email addresses, you must meet these requirements:

  • The Azure AD UPNs should be valid email addresses so that any notification emails sent by Google Cloud are correctly delivered to the user's mailbox. If this isn't the case already, you might be able to configure alias email addresses to ensure that the user receives such email.
  • The UPNs of all relevant users in Azure AD must use a custom domain as suffix ([user]@[custom-domain]). UPNs that use the Azure AD initial domain ([user]@[tenant].onmicrosoft.com) cannot be mapped to email addresses in Cloud Identity, because the initial domain isn't owned by you, but by Microsoft.
  • All custom domains used by Azure AD for UPNs must be registered in Cloud Identity as well. This requirement means that you must have access to the respective DNS zones in order to perform domain validation. To avoid overriding existing TXT DNS records you might have created for verifying domain ownership in Azure AD, you can use a CNAME record to verify domain ownership in Cloud Identity.

Mapping users by email address

If mapping Azure AD UPNs to Cloud Identity or Google Workspace email addresses isn't an option, you can map users by email address.

When you specify an email address in Active Directory, it's stored in the mail attribute of the respective user object and Azure AD Connect will synchronize the value to the Mail attribute in Azure AD. Azure AD also makes the attribute available for user provisioning so that you can map it to the email address in Cloud Identity or cloudid_name_short.

Crucially, the Azure AD Mail attribute currently isn't shown in the Azure portal and can only be viewed and edited through APIs or PowerShell. Although the user interface lets you specify an email address and an alternate email address, neither of these values is stored in the Mail attribute, so they can't be used for provisioning to Cloud Identity or cloudid_name_short. As a result, mapping users of an email address is practical only when you do most of your user creation and editing in Active Directory, not in Azure AD.

Mapping users by email address requires that you meet the following additional requirements:

  • Email assignments must be complete. All users that are subject to synchronization must be assigned an email address. Especially when users are synchronized from an on-premises Active Directory, this might not be the case because mail is an optional user attribute in Active Directory. Users that lack an email address in the Azure AD Mail attribute are silently ignored during synchronization.
  • Email addresses must be unique across the Azure AD tenant. Although Active Directory doesn't check uniqueness on user creation, Azure AD Connect detects collisions by default, which might cause the synchronization of affected users to fail.
  • The domains used by email addresses don't need to be registered in Azure AD, but they must be registered in Cloud Identity or cloudid_name_short. This requirement means that you must have access to the respective DNS zones in order to perform domain validation, and it rules out the use of email addresses with domains that you don't own (like gmail.com).

Mapping the user lifecycle

After you’ve defined a mapping between Azure AD users and users in Cloud Identity or Google Workspace, you must decide which set of users you want to provision. Refer to our best practices on mapping identity sets for guidance on making this decision.

If you don't want to provision all users of your Azure AD tenant, you can enable provisioning for a subset of users by using user assignments or scoping filters.

The following table summarizes the default behavior of Azure AD provisioning, and shows how enabling or disabling provisioning for a user controls which actions Azure AD will perform in Cloud Identity or Google Workspace.

Provisioning enabled for Azure AD user User state in Cloud Identity/Google Workspace Action performed in Azure AD Action performed in Cloud Identity/Google Workspace
No (does not exist) Enable provisioning Create new user (*)
No Exists (active) Enable provisioning Update existing user
No Exists (suspended) Enable provisioning Update existing user, keep suspended
Yes Exists Modify user Update existing user
Yes Exists Rename UPN/email address Change primary email address, keep previous address as alias
Yes Exists Disable provisioning User left as-is
Yes Exists Soft-delete user Suspend user
Yes Exists Permanently delete user Suspend user, add del_ prefix to email address

(*) If a consumer account with the same email address exists, the consumer account is evicted.

Mapping groups

The fourth factor to look at when you are planning to federate Active Directory and Google Cloud is whether to synchronize groups between Active Directory and Google Cloud and how to map them.

In Google Cloud, groups are commonly used as a way to manage access efficiently across projects. Rather than assigning individual users to IAM roles in each project, you define a set of groups that model common roles in your organization. You then assign those groups to a set of IAM roles. By modifying the membership of the groups, you can control users' access to an entire set of resources.

Mapping groups between Azure AD and Google Cloud is optional. Once you've set up user provisioning, you can create and manage groups directly in Cloud Identity or Google Workspace, which means that Active Directory or Azure AD remains the central system for identity management but not for Google Cloud access management.

To maintain Active Directory or Azure AD as the central system for identity management and access management, we recommend that you synchronize groups from Azure AD instead of managing them in Cloud Identity or Google Workspace. With this approach, you can set up IAM so that you can use group memberships in Active Directory or Azure AD to control who has access to resources in Google Cloud.

Groups in Cloud Identity and Google Workspace

In Cloud Identity and Google Workspace, there is only a single type of group. Groups in Cloud Identity and Google Workspace aren't confined to the scope of the Cloud Identity or Google Workspace account where they were defined. Instead, they can include users from different Cloud Identity or Google Workspace accounts, support being referenced and nested in other accounts, and be used across any Google Cloud organization.

As they do with users, Cloud Identity and Google Workspace identify groups by email address. The email address doesn't have to correspond to an actual mailbox, but it must use one of the domains registered for the respective Cloud Identity account.

When working with groups in IAM, you often need to specify groups by email address rather than by name. So it's best for groups to have not only a meaningful name, but a meaningful and recognizable email address.

Groups in Azure AD

Azure AD supports multiple types of groups, each catering to different use cases. Groups are scoped to a single tenant and identified by an Object ID, which is a randomly generated, globally unique ID. Groups can be nested and can contain either users from the same tenant or users invited from other tenants using Azure B2B. Azure AD also supports dynamic groups, whose members are determined automatically based on a query.

In the context of integrating Azure AD with Cloud Identity or Google Workspace, two properties of groups are of primary interest—whether a group is mail-enabled and whether it is security-enabled:

  • A security-enabled group can be used to manage access to resources in Azure AD. Any security-enabled group is therefore potentially relevant in the context of Google Cloud.
  • A mail-enabled group has an email address, which is relevant because Cloud Identity and Google Workspace require groups to be identified by an email address.

In Azure AD, you can create groups of type Security or Office 365 (sometimes called unified groups). When synchronizing groups from an on-premises Active Directory or when using the Office 365 type, you can also create groups of type Distribution list.

The following table summarizes the differences between these different kinds of groups regarding being mail-enabled or security-enabled, and how they map to Active Directory group types, assuming a default Azure AD Connect configuration:

Source Active Directory group type Azure AD group type Mail-enabled Security-enabled
Azure AD - Office 365 group Always Optional
Azure AD - Security group Optional Always
on-premises Security group (with email) Security group Yes Yes
on-premises Security group (without email) Security group No Yes
on-premises Distribution list (with email) Distribution list Yes No
on-premises Distribution list (without email) (ignored by Azure AD Connect)

Unlike for users, Azure AD requires that email addresses assigned to groups use a domain that has been registered as a custom domain in Azure AD. This requirement results in the following default behavior:

  • If a group in Active Directory uses an email address that uses a domain that has previously been registered in Azure AD, then the email address is properly maintained during synchronization to Azure AD.
  • If a group in Active Directory uses an email address that has not been registered in Azure AD, then Azure AD auto-generates a new email address during synchronization. This email address uses the tenant's default domain. If your tenant uses the initial domain as the default domain, the resulting email address will be in the form of [name]@[tenant].onmicrosoft.com.
  • If you create an Office 365 group in Azure AD, then Azure AD also auto-generates an email address that uses the tenant's default domain.

Mapping group identities

Successfully mapping Azure AD groups to Cloud Identity or Google Workspace groups requires a common identifier, and this identifier must be an email address. On the Azure AD side, this requirement leaves you with two options:

  • You can use the email address of a group in Azure AD and map it to a Cloud Identity or Google Workspace email address.
  • You can derive an email address from the name of the group in Azure AD and map the resulting address to an email address in Cloud Identity or Google Workspace.

Mapping by email address

Mapping groups by email address is the most obvious choice, yet it requires you to meet several requirements:

  • All groups that are subject to synchronization must have an email address. In practice, this means that you can only synchronize mail-enabled groups. Groups that lack an email address are ignored during provisioning.
  • The email addresses must be unique across the tenant. Because Azure AD doesn't enforce uniqueness, you might have to implement custom checks or policies.
  • The domains used by email addresses must be registered in both Azure AD and Cloud Identity/Google Workspace. Any groups with email addresses that use domains not registered in Cloud Identity/Google Workspace, including the [tenant].onmicrosoft.com domain, will fail to synchronize.

If all relevant groups meet these criteria, identify the domains that are used by these email addresses and ensure that the list of DNS domains registered in Cloud Identity or Google Workspace covers these domains.

Mapping by name

Meeting the criteria required to map groups by email address can be challenging, particularly if many of the security groups you intend to provision to Cloud Identity or Google Workspace aren't mail-enabled. In this case, it might be better to automatically derive an email address from the group's display name.

Deriving an email address presents two challenges:

  1. An email address derived from a group's name might clash with an email address of a user.
  2. Azure AD doesn't enforce uniqueness for group names. If multiple groups in your Azure AD tenant share the same name, email addresses derived from this name will clash, causing only one group to synchronize successfully.

You can overcome the first challenge by using a domain for the generated email address that is different than any of the domains used by users. For example, if all your users use email addresses with example.com as the domain, then you could use groups.example.com for all groups. Registering subdomains in Cloud Identity or Google Workspace doesn't require domain verification, so the DNS zone groups.example.com doesn't even have to exist.

You can overcome the second challenge, duplicate group names, only technically by deriving the group email address from the Object ID. Because the resulting group names are rather cryptic and difficult to work with, it's better to identify and rename duplicate group names in Azure AD before setting up provisioning to Cloud Identity or Google Workspace.

Mapping the group lifecycle

After you’ve defined a mapping between Azure AD groups and groups in Cloud Identity or Google Workspace, you must decide which set of groups you want to provision. Similar to users, you can enable provisioning for a subset of groups by using group assignments or scoping filters.

The following table summarizes the default behavior of Azure AD provisioning, and shows how enabling or disabling provisioning for a group controls which actions Azure AD will perform in Cloud Identity or Google Workspace.

Provisioning enabled for Azure AD group Group state in Cloud Identity/Google Workspace Action performed in Azure AD Action performed in Cloud Identity/Google Workspace
No (does not exist) Enable provisioning Create new group
No Exists Enable provisioning Add member, retain all existing members
Yes Exists Rename group Rename group
Yes Exists Modify description Update description
Yes Exists Add member Add member, retain all existing members
Yes Exists Remove member Remove member
Yes Exists Disable provisioning Group left as-is (incl. members)
Yes Exists Delete group Group left as-is (incl. members)

What's next