Adding Azure ID Attribute to your Google Users


If, like me, you have decided to make your users log in to MS365 with their Google accounts, I recommend this gentleman's guide. Doing this the other way 'round (using Microsoft to sign in to Google) is incredibly easy, but those of us in Google-centric orgs have quite a bit more work to do.

I plan to put together my own complete guide soon, but assuming you are using the most common settings, including syncing users from on-prem AD via Azure AD Connect, the steps are basically as follows:

  1. Create a custom user attribute (schema) in Google Workspace to hold the unique ID associated with each Azure user.
  2. Do ?SOMETHING? to write that ID (in practice the user's ms-DS-ConsistencyGuid, Base64-encoded) to each Google user so MS365 can connect the dots.
  3. Create a SAML application in Google Workspace and map the attributes appropriately.
  4. Connect PowerShell to Azure and run a few commands to enable federation.

The hard part, believe it or not, is #2. ms-DS-ConsistencyGuid is the on-prem AD attribute that Azure AD Connect uses as the source anchor: it is the value that ties each AD account to its counterpart in MS365/Entra/Azure/whatever, where it shows up, Base64-encoded, as the user's ImmutableID. It is stored as a 16-byte octet string, which means out of the box it looks something like:
[30, 199, 152, 150, 34, 52, 66, 136, 43, 88, 128, 20, 246, 222, 232, 245]
We need to Base64-encode those bytes into a string and attach that string to each Google user. Trying to do this via GCDS is impossible: even though we can map custom attributes, we have no way to do the conversion. The answer, as usual, is PowerShell.
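To see exactly what that conversion produces, here is a small PowerShell round-trip, added as an example for this post (it is not code from the original post or from Microsoft). It takes the byte array quoted above as constructed input, encodes it the way the script below does, decodes it again, and checks both directions. The ConvertTo-ImmutableId/ConvertFrom-ImmutableId function names and the "jdoe" account in the commented-out live check are placeholders of mine; the objectGUID comparison assumes the default Azure AD Connect setup, in which Connect writes the account's objectGUID into ms-DS-ConsistencyGuid.

```powershell
# Added example, not from the original post: round-trip a ms-DS-ConsistencyGuid
# between its raw 16-byte form and the Base64 string Entra ID stores as ImmutableID.

function ConvertTo-ImmutableId {
    # Hypothetical helper name; wraps the same call the post's script uses.
    param([Parameter(Mandatory)][byte[]]$ConsistencyGuid)
    if ($ConsistencyGuid.Length -ne 16) {
        throw "Expected 16 bytes, got $($ConsistencyGuid.Length)"
    }
    [Convert]::ToBase64String($ConsistencyGuid)
}

function ConvertFrom-ImmutableId {
    # Hypothetical helper name; reverses the encoding and sanity-checks the length.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableID '$ImmutableId' does not decode to 16 bytes"
    }
    ,$bytes   # unary comma stops PowerShell from unrolling the array
}

# Constructed input: the byte array quoted in the post.
[byte[]]$sample = 30,199,152,150,34,52,66,136,43,88,128,20,246,222,232,245

$immutableId = ConvertTo-ImmutableId $sample
if ($immutableId -ne 'HseYliI0QogrWIAU9t7o9Q==') {
    throw "Unexpected encoding: $immutableId"
}

# Round-trip check: decoding must give back exactly the same 16 bytes, in order.
$decoded = ConvertFrom-ImmutableId $immutableId
if (Compare-Object $sample $decoded -SyncWindow 0) { throw 'Round-trip mismatch' }

# Assumption: default Azure AD Connect config, where the bytes are the account's
# objectGUID. .NET's Guid(byte[]) uses mixed endianness, so the same bytes read as:
$asGuid = [guid]::new($sample)
if ($asGuid.ToString() -ne '9698c71e-3422-8842-2b58-8014f6dee8f5') {
    throw "Unexpected GUID: $asGuid"
}
"ImmutableID $immutableId corresponds to objectGUID $asGuid"

# Against a live account (needs RSAT and the Microsoft.Graph module; jdoe is a placeholder):
# $u = Get-ADUser jdoe -Properties mS-DS-ConsistencyGuid
# $entra = (Get-MgUser -UserId $u.UserPrincipalName -Property OnPremisesImmutableId).OnPremisesImmutableId
# (ConvertTo-ImmutableId $u.'mS-DS-ConsistencyGuid') -eq $entra
```

The GUID form is handy when you want to eyeball a value against what ADUC shows for the account; the Base64 form is the one Google has to carry, because it is what Entra compares against the SAML NameID. If the live comparison at the end returns False for a user, fix that before federating, since a mismatch means the user will not be matched at sign-in.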

You will need GAM set up, and the custom schema from step 1 (here called Microsoft, with a field named ImmutableID) already created, before this will work.

# 1. Pull every AD user that has a mail address and a populated ms-DS-ConsistencyGuid,
#    Base64-encode the GUID bytes, and write mail + ImmutableID to a temporary CSV.
Get-ADUser -Filter * -Properties ms-Ds-ConsistencyGuid,mail |
    Where-Object { $_.mail -ne $null -and $_.'ms-Ds-ConsistencyGuid' -ne $null } |
    Select-Object mail, @{Name = 'ImmutableID'; Expression = { [System.Convert]::ToBase64String($_.'ms-Ds-ConsistencyGuid') } } |
    Export-Csv -Path "ImmutableID.csv" -NoTypeInformation

# 2. Have GAM read the CSV and write each value into the custom attribute Microsoft > ImmutableID.
gam csv ImmutableID.csv gam update user ~mail Microsoft.ImmutableID ~ImmutableID

# 3. Clean up the CSV.
Remove-Item -Path ImmutableID.csv

There's a bit to unpack here. The first command pulls the ms-DS-ConsistencyGuid for every AD user account that has both a mail address and a populated GUID, Base64-encodes the 16 bytes (which is exactly the form Entra stores as the ImmutableID), and dumps the results, along with the associated email addresses, into a temporary CSV file.
The second command has GAM read the CSV, match each user by email, and write the encoded value into the custom attribute (Microsoft > ImmutableID).
The third command deletes the CSV file.

In the default configuration Azure AD Connect populates ms-DS-ConsistencyGuid (with the account's objectGUID) the first time the account syncs, and the value must never change after that, so after running this script once you should only ever have to run it again for newly created (and synced) AD users. That's a good thing, since it can take quite a long time to run if you have a lot of users...
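For those re-runs, here is an incremental version of the same procedure, added as an example for this post (not the post's own script): it filters server-side with an LDAP filter so only accounts created since a given date, and that already have a GUID written, are pulled; optionally checks each value against what Entra holds before touching Google; and always removes the CSV, even if gam fails. The -Since and -VerifyAgainstEntra parameter names are mine, the script assumes gam is on PATH and that the account's UserPrincipalName is its sign-in name in Entra, and the Entra check needs the Microsoft.Graph module.

```powershell
# Added example, not from the original post: push ImmutableIDs to Google only for
# AD accounts created since -Since, optionally verifying each against Entra first.
# Assumptions: gam on PATH, Microsoft.Graph module installed, UPN = Entra sign-in name.
param(
    [datetime]$Since = (Get-Date).AddDays(-7),   # hypothetical parameter: lower bound on whenCreated
    [switch]$VerifyAgainstEntra                  # hypothetical parameter: compare with Entra before writing
)

$csv = Join-Path $env:TEMP 'ImmutableID.csv'

# whenCreated is compared as LDAP generalized time (UTC), e.g. 20240101000000.0Z.
$stamp = $Since.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'
# Accounts with no GUID yet (not synced by Connect so far) are simply skipped here;
# they will be picked up on a later run once the attribute has been written.
$ldap  = "(&(mail=*)(mS-DS-ConsistencyGuid=*)(whenCreated>=$stamp))"

$rows = Get-ADUser -LDAPFilter $ldap -Properties mail, mS-DS-ConsistencyGuid, UserPrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            mail        = $_.mail
            upn         = $_.UserPrincipalName
            ImmutableID = [Convert]::ToBase64String($_.'mS-DS-ConsistencyGuid')
        }
    }

if ($VerifyAgainstEntra) {
    Connect-MgGraph -Scopes 'User.Read.All' | Out-Null
    $verified = foreach ($row in $rows) {
        $entra = (Get-MgUser -UserId $row.upn -Property OnPremisesImmutableId -ErrorAction SilentlyContinue).OnPremisesImmutableId
        if ($entra -eq $row.ImmutableID) {
            $row
        } else {
            # A mismatch (or a user Entra does not know yet) must not be written to Google.
            Write-Warning "Skipping $($row.mail): AD=$($row.ImmutableID) Entra=$entra"
        }
    }
    $rows = @($verified)
}

if (-not $rows) {
    Write-Host "No accounts created since $Since need an ImmutableID."
    return
}

$rows | Select-Object mail, ImmutableID | Export-Csv -Path $csv -NoTypeInformation
try {
    # Same GAM invocation as the full run; the ~ placeholders are quoted so PowerShell
    # passes them through untouched.
    gam csv $csv gam update user '~mail' 'Microsoft.ImmutableID' '~ImmutableID'
} finally {
    Remove-Item -Path $csv -ErrorAction SilentlyContinue
}
```

Run it as-is after the next Connect sync cycle following user creation, or with -VerifyAgainstEntra when you want proof that the value Google is about to carry is the one Entra will compare against; a warning for a user means either Connect has not exported that account yet or something other than the default objectGUID ended up in ms-DS-ConsistencyGuid, and either way it is worth looking at before that user tries to sign in.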