Articles in this section

How can we enable Google Federation in Azure so that external users are able to access the shared content with us using their existing Gmail account?

Jann DiPaolo
  • Updated
Follow

Overview

Currently, when a document in SharePoint is shared via OneDrive, or a Collaboration invite to the Share Folder, is sent to a client's Gmail account, the recipient will receive a SharePoint code that is commonly delivered in their Junk/Trash email folder. There can also be a delay before the code arrives.

To overcome this, Google Federation can be enabled in Azure.

External users are then able to access the shared content with your practice using their existing Gmail account ID and password. This provides clients quicker access to any shared documents or to the share folders. If a client is already logged into Google, they will not to need to enter a password.

Steps 1 to 5 in this article are based on the following help article https://www.anupams.net/enable-google-federation-external-sharepoint/.

Step 1 - Prerequisites

  1. Create or select a Google account that can be used to enable Google Federation.
  2. Open the SharePoint Admin Center from https://admin.microsoft.com/, then navigate to SharePoint Admin Centre and login as the Goggle account above.
  3. Ensure the External Sharing levels are set to 'New and existing guests'.
    Refer to Step 2 - Ensure External Sharing is Turned On in Link your Practice's OneDrive Admin Account.
  4. Ensure the SharePoint and OneDrive integration with Azure AD B2B is enabled.
    Refer to the following Microsoft help article https://docs.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration 

Step 2 - Configure Google Project and App Registration

  1. Open Google Cloud Platform from https://console.developers.google.com/and login using the Google account from Step 1. 
  2. Click Select a project.
  3. Click New Project.
  4. Enter the Project name (for example, "Google Federation for FYI").
  5. Click Create.
  6. Click OAuth consent screen in the menu on the left-hand side.
  7. Checkmark External to enable this.
  8. Click Create.
    The App Creation screen displays.
  9. Enter the App name (for example, "Google Federation for FYI").
  10. Enter an email address for the User support email.
  11. You can optionally add a logo by clicking Browse for App logo.
    Important Note: If an image is uploaded after the app has been published, Google will need to verify it.
  12. In the Authorised domain section, click Add Domain and enter "microsoftonline.com" (without the quotation marks).
  13. In the Developer contact information section, add an email address.
  14. Click SAVE AND CONTINUE.
  15. In the Edit app registration, click ADD OR REMOVE SCOPES.
  16. Ensure the following Scopes are added:

    .../auth/userinfo.email - See your primary Google Account email address
    .../auth/userinfo.profile - See your personal info, including any personal info you've made publicly available
    openid - Associate you with your personal info on Google

  17. Click UPDATE.
  18. Click SAVE AND CONTINUE
  19. If required, click Add Users to test the setup (this is optional at this stage).

Step 3 - Locate Directory Information In Azure

  1. Open Azure Active Directory from https://portal.azure.com/ and login as an Azure Administrator.
  2. Click Properties in the menu on the left-hand side.
  3. Copy the Tenant ID.

Step 4 - Generate OAuth Credentials

  1. Re-display the Google Cloud Platform from https://console.developers.google.com/ as in Step 2 above.
  2. Click Credentials in the menu on the left-hand side.
  3. Click CREATE CREDENTIALS.
  4. Select OAuth Client ID.
  5. For the Application Type, select Web Application.
  6. Enter a Name for the application (for example, "Google Federation for FYI").
  7. Under Authorised Redirect URIs, click ADD URL
  8. Add the following:

    • https://login.microsoftonline.com
    • https://login.microsoftonline.com/te/<directory id>/oauth2/authresp
      Replace <directory id> with the Tenant ID from Azure Active Directory

  9. Click SAVE.

    Note: This process may take a few minutes or a few hours for Google to complete the process.

  10. The Client ID and Client Secret display. Copy and save both of these to a safe location to be used in the next Step.

Step 5 - Add Google Federation as an Identity Provider

  1. Open Azure Active Directory from https://portal.azure.com/ and login as in Step 3 above.
  2. Click Identity Providers.
  3. Click Google in the menu at the top.
  4. Enter the Client ID and Client Secret that was saved in Step 4 above.
  5. Click Save.

Step 6 - Test the User Experience

  1. In FYI, share a document via OneDrive with a test client that is set up to use a Google account (refer to Sharing Documents via OneDrive).
    or
    Invite a test client that is set up to use a Google account to use FYI Collaborate (refer to Sharing the Share Folder with the Client).

  2. After opening the link in the email received by the test client, enter the Gmail account in the Microsoft login screen. Microsoft will redirect this to the accounts.google.com authentication screen.
  3. Enter the Gmail account for the test client that the document or invite was sent to.
  4. Enter the password for this account
  5. Complete the 2-Step Verification code (if applicable).
  6. Review and accept the permissions as the client. This is for the guest account creation and administration in Azure Active Directory.
  7. Check that the document or folder that was shared is available to the test client.

Step 7 - Review the Guest Account Creation in Azure

  1. Open Azure Active Directory from https://portal.azure.com/ and login as in Step 3 above.
  2. Click Users.
  3. Search for the guest user account for the test client that the document or folder was shared to.
  4. Ensure that Identity Issuer shows as "google.com".

 

Related articles