Federating o365 with Google

In order to SSO into o365 using Google we need to federate the domains.  This is a requirement of o365. This is done as follows:

Ensure using below commands that Immutableid is not blank and matches UPN of every user.

# Powershell get all users with blank ImmutableID

Get-MsolUser -all | Where-Object {  $_.ImmutableId -notmatch "\S" } | Select-Object UserprincipalName,ImmutableID,WhenCreated,LastDirSyncTime

#Powershell command to change  users’s Immutableid which is blank, to their UPN value

Get-MsolUser -all | Where-Object {  $_.ImmutableId -notmatch "\S" } | ForEach { Set-MsolUser -ObjectId $_.ObjectId -ImmutableId $_.UserPrincipalName }

# Declare variables we will use later for federating domains

$domainName = “example.com”

$Authentication = “Federated”

$FederationBrandName = “Google Cloud Identity”

$IssuerUri = "https://accounts.google.com/o/saml2?idpid=your SAML APP ID here"

$PassiveLogOnUri = “https://accounts.google.com/o/saml2/idp?idpid=your SAML APP ID here

$ActiveLogOnUri =   "https://accounts.google.com/o/saml2/idp?idpid=your SAML APP ID here"

$LogOffUri = "https://accounts.google.com/logout"

$SigningCertificate = "Certificate with no spaces obtained from Google SAML APP"

#Run the following PowerShell command IF this is the first time you are setting up federation on this domain:

Set-MsolDomainAuthentication -DomainName $domainName -Authentication $Authentication -FederationBrandName $FederationBrandName -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveLogOnUri -PassiveLogOnUri $PassiveLogOnUri -LogOffUri $LogOffUri -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol SAMLP

# Get the federation settings to see if federating domains worked with above command
Get-MSolDomainFederationSettings -DomainName headstart.edu.in | Format-List *

Recently, my Google provided certificate for the SAML expired and SSO into office.com was not working because of malformed certificate. The solution was to regenerate the certificate by adding a new one. The old one gets deleted automatically. The next trick is to reset the certificate in the federeration – for this I had to run the cmdlet as shown below. The $SigningCertificate variable had to reinitiated by copy paste into the terminal before running the cmdlet.

Set-MsolDomainFederationSettings  -DomainName $domainName  -SigningCertificate $signingCertificate  -PreferredAuthenticationProtocol “SAMLP”


The last wrinkle was that MS365 had enabled security defaults so all had to get 2FA. This defeats the purSSO. So I had to disable the Azure AD security defaults using the this procedure. Give some time for all this to ripple through and the next SSO should work like a charm!


Posted in Office 365 Education and tagged , .