Azure AD B2B - Google Federation
By default, when inviting guests in Azure AD you can natively invite a Gmail account. However, when the guest accepts the invitation they are instructed to set a password, and a Microsoft Account is created for them.
To simplify this experience, I am going to show you how to federate with Google so that B2B users can sign in directly with their Gmail account without also having to set a password for a Microsoft Account.
- The first step is to sign in at https://console.developers.google.com/ with a shared corporate Google account.
- Next, create a project and give it a name
- Ensure your project is selected
- Navigate to OAuth Consent Screen
- Enter an Application name
- Under Authorized Domains add “Microsoftonline.com”
- Click Save
- Choose Credentials from the Menu
- Click Create Credentials
- Select OAuth Client ID
- Choose Web Application
- Add the following redirect URLs
- https://login.microsoftonline.com
- https://login.microsoftonline.com/te/DIRECTORYID/oauth2/authresp (replace DIRECTORYID with your own tenant ID, which can be obtained from Azure Active Directory > Properties)
- Click Create
- You will then be shown a screen with your client ID and secret. Keep this screen open, as we will need both values when we move to the Azure AD portal.
- Navigate to Azure Active Directory (https://portal.azure.com)
- Choose Organizational Relationships
- Select Identity Providers
- Click +Google
- Paste in the client ID and secret from the Google console
- Click Save
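The redirect URIs registered on the Google OAuth client are the only places Google will send an authorization code, so a typo in the tenant ID or a stray extra URI is worth catching. The following added example (not part of the original post) builds the two redirect URIs above from a tenant ID and audits a registered list against them; the tenant ID and registered URIs it uses are constructed sample values.

```python
"""Audit a Google OAuth client's redirect URIs for Azure AD B2B Google federation.
Added example, not part of the original post; sample values are constructed."""
import re

# Azure AD tenant (directory) IDs are GUIDs, shown in lowercase in the portal.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def expected_redirect_uris(tenant_id):
    """Return the two redirect URIs the post says to register, with the
    tenant ID substituted for DIRECTORYID. Raises if the ID is not a GUID."""
    tenant_id = tenant_id.strip().lower()
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant ID must be the GUID from Azure AD > Properties")
    return [
        "https://login.microsoftonline.com",
        f"https://login.microsoftonline.com/te/{tenant_id}/oauth2/authresp",
    ]


def audit_redirect_uris(registered, tenant_id):
    """Compare the URIs registered on the Google OAuth client with the expected set.
    Google matches redirect URIs exactly (scheme, host, path, trailing slash), so the
    comparison is exact too. Returns (missing, unexpected); remove anything unexpected."""
    expected = set(expected_redirect_uris(tenant_id))
    present = {u.strip() for u in registered}
    missing = sorted(expected - present)
    unexpected = sorted(present - expected)
    return missing, unexpected


if __name__ == "__main__":
    # Constructed sample: one URI carries a typo in the tenant ID, one is a leftover
    # from testing, and the bare login URI is registered correctly.
    sample_tenant = "12345678-1234-1234-1234-123456789abc"
    sample_registered = [
        "https://login.microsoftonline.com",
        "https://login.microsoftonline.com/te/12345678-1234-1234-1234-123456789abd/oauth2/authresp",
        "http://localhost:8080/callback",
    ]
    missing, unexpected = audit_redirect_uris(sample_registered, sample_tenant)
    print("missing:   ", missing)
    print("unexpected:", unexpected)
```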
End User Experience
- Received Invite Email:
- Review Permissions
There we have it: after federating with Google, a guest can accept the invitation and sign in directly with a Gmail account instead of having to create a password for a Microsoft Account.