Google Identity Provider Federation with Azure AD B2B


Azure AD B2B is an identity and access management service meant for enterprise applications. Enterprise applications are generally targeted at the users of one organization, and all of those users belong to the same Azure Active Directory.

For enterprise applications, it is sometimes required to give external users access for a limited period of time. For example, auditors may need access to your enterprise applications.

Federation with the Google identity provider lets such external users access the enterprise applications with their own Google accounts, so the organization does not need to create temporary Microsoft accounts for them.

Let’s have a look at how to configure Azure AD B2B to federate with the Google identity provider.

Google Developers Console

Go to the Google APIs console at https://console.developers.google.com and sign in with your Google account. It is recommended to use a shared team account rather than your personal account, because this account will act as the administrator of the project.

Create New Project

From the dashboard, click Create New Project. If you already have a project, click the project name shown in the top navigation and then click New Project.

On the New Project panel, name the project “First B2B App” and click Create.

OAuth Consent Screen

After the project is created, make sure it is selected in the top navigation. Then select OAuth consent screen from the left navigation, choose the External option and click Create.

On the next screen, enter Azure AD B2B as the Application name, add microsoftonline.com under Authorized domains, and click Save.

Credentials

Next, select the Credentials option from the left navigation. On the new panel, click Create Credentials and select the OAuth client ID option.

On the next screen, we need to enter three inputs.

Then click the Save button.

Client ID and Client Secret

Copy the Client ID and Client Secret values from the Credentials screen. They will be required in the next step, when configuring the federation in Azure AD. Treat the Client Secret as a credential: keep it in a secret store rather than in notes or chat, because together with the Client ID it is all that is needed to act as this OAuth client.

Azure AD Configurations

Log in to the Azure Portal and go to the Azure Active Directory B2B tenant.

Add External Identity Provider

Select External Identities from the left navigation and then click All identity providers. Select the Google option and a new panel will open on the right side.

On this panel, enter the Client ID and Client Secret values copied from the Google Developers Console.

Invite User

We have now completed all the configuration needed to allow external users with Google accounts to sign in to our B2B tenant.

The next step is to invite the user. Go back to the Azure AD B2B tenant, select Users and then click New guest user.

On the New guest user screen, Invite user is already selected. We need to provide a few inputs to invite the user:

  • Name: first and last name of the guest user
  • Email address: email address of the guest user (required)
  • Personal message: a personal welcome message to the guest user
  • Groups: add the guest user to one or more existing groups; this can also be done later
  • Directory role: if the user requires Azure AD administrative permissions, you can add them to an Azure AD role

Then click the Invite button.

The invited user receives an email and must click the Accept invitation button in it. When the user accepts the invitation, they are granted access to the directory and can then access any application in the B2B tenant.
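The two Azure AD steps above, adding the Google identity provider and inviting the guest, can also be scripted against Microsoft Graph, which is useful when the same setup has to be repeated for several tenants or audited later. The following is an added example and not code from the original article; it assumes an app registration in the B2B tenant that holds the Graph application permissions IdentityProvider.ReadWrite.All and User.Invite.All, a bearer token for that registration supplied in the GRAPH_TOKEN environment variable, and the Google Client ID and Client Secret supplied in GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET so the secret never lands in source control. The environment variable names and the helper function names are my own choices.

```python
import json
import os
import re
import sys
import urllib.request

# Added example, not code from the original article. Assumes a Graph bearer
# token in GRAPH_TOKEN and the Google OAuth client credentials in
# GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET (names chosen for this example).
GRAPH = "https://graph.microsoft.com/v1.0"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def google_idp_payload(client_id: str, client_secret: str,
                       display_name: str = "Google") -> dict:
    """Request body for POST /identity/identityProviders that registers the
    Google OAuth client as a social identity provider of the tenant."""
    if not client_id.strip() or not client_secret.strip():
        raise ValueError("both the Google client ID and client secret are required")
    return {
        "@odata.type": "#microsoft.graph.socialIdentityProvider",
        "displayName": display_name,
        "identityProviderType": "Google",
        "clientId": client_id,
        "clientSecret": client_secret,
    }


def invitation_payload(email: str, display_name: str = "", message: str = "",
                       redirect_url: str = "https://myapps.microsoft.com") -> dict:
    """Request body for POST /invitations; the fields mirror the portal's
    New guest user form (name, email address, personal message)."""
    if not EMAIL_RE.match(email):
        raise ValueError(f"not a valid guest email address: {email!r}")
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,   # where the guest lands after redeeming
        "sendInvitationMessage": True,       # let Azure AD send the invitation mail
        "invitedUserType": "Guest",          # be explicit: never create a Member
    }
    if display_name:
        body["invitedUserDisplayName"] = display_name
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return body


def graph_post(token: str, path: str, body: dict) -> dict:
    """POST a JSON body to Microsoft Graph and return the parsed response."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def federate_and_invite(token, client_id, client_secret, email, name, message):
    """Register Google as an identity provider, then invite one guest user."""
    idp = graph_post(token, "/identity/identityProviders",
                     google_idp_payload(client_id, client_secret))
    invitation = graph_post(token, "/invitations",
                            invitation_payload(email, name, message))
    return idp, invitation


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: federate.py <guest-email> <guest-name> <message>")
    idp, inv = federate_and_invite(
        os.environ["GRAPH_TOKEN"],
        os.environ["GOOGLE_CLIENT_ID"],
        os.environ["GOOGLE_CLIENT_SECRET"],
        *sys.argv[1:4],
    )
    print("identity provider id:", idp.get("id"))
    print("invitation status:", inv.get("status"),
          "guest object id:", inv["invitedUser"]["id"])
```

The invitation response carries the new guest's object id under invitedUser, which is what you would pass on to add the guest to groups, the step the portal form offers under Groups. Setting invitedUserType explicitly to Guest guards against a script accidentally creating a Member account for an external party.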

Test Application

Now that all the configuration is done and a user has been invited to collaborate in our Azure AD B2B tenant, we can quickly create an application, let’s say an Angular application.

Refer to my previous blog post for detailed steps.

Run and Verify

Now, if we run our application, we are shown a login screen. Log in using the external user we invited to the B2B tenant. After entering the user name, the user is redirected to Google’s identity provider.

If the user is already logged in to their Google account, Google shows a consent screen. Otherwise the user is asked for the username and password of their Google account, and then the consent form is shown.

After a successful login, the API call is made and an alert message shows the result from the weather forecast service.

So, we have successfully invited users to the B2B tenant and they can use their Google accounts to access our applications. I hope you enjoyed this article. Let me know your thoughts.
