How can we enable Google Federation in Azure so that external users are able to access the shared content with us using their existing Gmail account?

Note: You are viewing an article on the Legacy version of Collaborate. Click here to view New Collaborate.

Overview

Currently, when a document is shared via Collaborate, or a Collaboration invite to the Share Folder, is sent to a client's Gmail account, the recipient will receive a SharePoint code that is commonly delivered to their Junk/Trash email folder. There can also be a delay before the code arrives.

To overcome this, Google Federation can be enabled in Azure.

External users are then able to access the shared content with your practice using their existing Gmail account ID and password. This provides clients with faster access to any shared documents or to the shared folders. If a client is already logged into Google, they won't need to enter a password.

Steps 1 to 5 in this article are based on the following article https://www.anupams.net/enable-google-federation-external-sharepoint/.

Step 1 - Prerequisites

Google Account

You will need to either create or select a Google account that can be used to enable Google Federation. This will be required in Step 2.

Configure SharePoint Admin Center settings

1. Open the SharePoint Admin Center with a Microsoft 365 admin account by navigating to https://admin.microsoft.com
2. On the menu on the left, click Show All.
3. Click SharePoint to open the SharePoint admin center.
   
   
   
4. Expand Policies and click Sharing.
5. Ensure the External Sharing levels are set to 'New and existing guests'.
   
   
   
   
6. Click Save.

Enable Azure AD B2B

Ensure the SharePoint and OneDrive integration with Azure AD B2B is enabled. Refer to Collaborating with Azure AD B2B.

Step 2 - Configure Google Project and App Registration

1. Open the Google Cloud Platform from https://console.developers.google.com/and log in using the Google account from Step 1. 
   
2. Click Select a project.
3. Click New Project.
4. Enter the Project name (for example, "Google Federation for FYI").
5. Click Create.
6. Click the OAuth consent screen in the menu on the left-hand side.
7. Checkmark External to enable this.
8. Click Create.
   The App Creation screen displays.
9. Enter the App name (for example, "Google Federation for FYI").
10. Enter an email address for the User support email.
11. You can optionally add a logo by clicking Browse for App logo.
    Important Note: If an image is uploaded after the app has been published, Google will need to verify it.
12. In the Authorised domain section, click Add Domain and enter "microsoftonline.com" (without quotation marks).
13. In the Developer contact information section, add an email address.
14. Click SAVE AND CONTINUE.
15. In the Edit app registration, click ADD OR REMOVE SCOPES.
16. Ensure the following Scopes are added:
    
    .../auth/userinfo.email - See your primary Google Account email address
    .../auth/userinfo.profile - See your personal info, including any personal info you've made publicly available
    openid - Associate you with your personal info on Google
    
    
17. Click UPDATE.
18. Click SAVE AND CONTINUE
    
19. If required, click Add Users to test the setup (this is optional at this stage).

Step 3 - Locate Directory Information In Azure

1. Open Azure Active Directory from https://portal.azure.com/ and log in as an Azure Administrator.
2. Click Properties in the menu on the left-hand side.
3. Copy the Tenant ID.

Step 4 - Generate OAuth Credentials

1. Re-display the Google Cloud Platform from https://console.developers.google.com/ as in Step 2 above.
2. Click Credentials in the menu on the left-hand side.
3. Click CREATE CREDENTIALS.
4. Select OAuth Client ID.
5. For the Application Type, select Web Application.
6. Enter a Name for the application (for example, "Google Federation for FYI").
7. Under Authorised Redirect URIs, click ADD URL
8. Add the following:
   
   
   • https://login.microsoftonline.com
   • https://login.microsoftonline.com/te/<directory id>/oauth2/authresp
     Replace <directory id> with the Tenant ID from Azure Active Directory
     
     
9. Click SAVE.
   
   Note: This process may take a few minutes or a few hours for Google to complete the process.
   
   
10. The Client ID and Client Secret display. Copy and save both of these to a safe location to be used in the next Step.

Step 5 - Add Google Federation as an Identity Provider

1. Open Azure Active Directory from https://portal.azure.com/ and log in as in Step 3 above.
2. Click Identity Providers.
3. Click Google in the menu at the top.
4. Enter the Client ID and Client Secret that was saved in Step 4 above.
5. Click Save.

Step 6 - Test the User Experience

1. In FYI, share a document via Collaborate with a test client that is set up to use a Google account (refer to Sharing Documents via Collaborate).
   or
   Invite a test client that is set up to use a Google account to use FYI Collaborate (refer to Sharing the Share Folder with the Client).
   
   
2. After opening the link in the email received by the test client, enter the Gmail account in the Microsoft login screen. Microsoft will redirect this to the accounts.google.com authentication screen.
3. Enter the Gmail account of the test client the document or invite was sent to.
4. Enter the password for this account
5. Complete the 2-Step Verification code (if applicable).
6. Review and accept the permissions as the client. This is for the guest account creation and administration in Azure Active Directory.
7. Check that the document or folder that was shared is available to the test client.

Step 7 - Review the Guest Account Creation in Azure

1. Open Azure Active Directory from https://portal.azure.com/ and log in as in Step 3 above.
2. Click Users.
3. Search for the guest user account for the test client that the document or folder was shared to.
4. Ensure that Identity Issuer shows as "google.com".