Summary:
Google Workspace federation to Microsoft 365 is controlled and configured via a Web SAML app in the Google Admin Center. This app can be found by clicking the "Apps" option on the Admin portal sidebar > Web and Mobile Apps > "Microsoft Office 365". Alternatively, the app is linked below. This link may break at some point in the future.
https://admin.google.com/ac/apps/saml/40346491253
This app allows Google Workspace to act as an Identity Provider for Office 365. When enabled and configured, users added to the associated Google group will be created in 365 after a short delay (usually 5-60 minutes). When logging into 365, these users will be prompted to log into their Google accounts if not already logged in. The Web App on the Google side must exist for this authentication to occur, but the Autoprovisioning profile can be safely deleted without affecting existing users. This profile controls how user data is mapped from Google to Office. Deleting the Autoprovisioning profile is a common fix for federation errors, and new users added while it is being re-created will be automatically federated once the re-creation is complete.
Initial Procedure:
Autoprovisioning Configuration:
Provisioning Scope:
Federation Group
Attribute Mapping:
All settings not listed below should be left as default
- Formatted Name -> Display Name
- Alias Name -> Mail Nickname
- Email Value -> onPremisesImmutableID
- Email Value -> User Principal Name
- Add "Federation Group"
Deprovisioning:
All settings not listed should be unchecked
When a user is suspended from Google:
Suspend Microsoft Office 365 Account = Within 24 Hours
Hard Delete the account in Microsoft Office 365 = After 21 Days
When a user is deleted from Google:
Suspend Microsoft Office 365 Account = Within 24 Hours
Hard Delete the account in Microsoft Office 365 = Within 24 Hours
Troubleshooting:
User Added to Federation Group but not showing up in Office 365:
Google Workspace users can take up to three hours to federate. If this amount of time passes with no change or an error is suspected, check the Autoprovision sync logs for errors. Logs can be downloaded by going to Workspace Admin Center > Apps > Web and Mobile Apps > Microsoft Office 365 > "Download List" under Autoprovisioning.
Many errors can be resolved by deleting and recreating the Autoprovision profile. From the Microsoft 365 Web app page, click “Autoprovision” > Delete Configuration. Re-configure the autoprovision profile using the above settings. Toggle Autoprovisioning back to active when done.
Users that have been deleted and later recreated in either IDP are more prone to Federation errors.
Authentication Error During App Creation:
This can be caused by authenticating in a browser with a saved prgus.com login. Open a guest profile/Incognito window, navigate back to the page and re-authenticate.
User Does Not Exist in Directory Error:
This error can occur when a user's username is changed on the Google side, or if a new user is created with the same username as a user currently in the Entra recycle bin.
To fix this, delete the user both from the Office 365 Admin portal and the Entra "recently deleted users" page (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/DeletedUsersList.ReactView). Delete the Autoprovisioning profile and re-create it. Once the affected user re-federates, they'll be able to log in.
Updating Certificates:
Requirements:
PowerShell 5.1
MSOnline PowerShell module
- Check the in-use certificates through the Web App Page. Apps > Web and Mobile Apps > Microsoft Office 365 > Service Provider Details > Manage Certificates
- Delete any expired certificates. If needed, create a new certificate by clicking "Add Certificate"
- Download all current certificates. Download the script in the attachment and open it in notepad. Replace the strings "REPLACE_WITH_ABSOLUTE_CERTIFICATE_PATH" with the full paths to the downloaded certificate files. If there was only one certificate, set both strings to that path.
- Verify that the second set of certificates matches the certificates in Workspace. Try logging into portal.office.com with a prgconsulting.net account to confirm federation is configured correctly.
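The following is an added example, not the script from the attachment: it shows how the MSOnline cmdlets load the downloaded Workspace certificates, push them to the federated domain, and print the certificate thumbprints before and after so the "second set" can be checked against Workspace. The domain name and both certificate paths are placeholders; replace them as described in the step above.

```powershell
# Added example (not the attached script). Assumes MSOnline is installed, the files
# downloaded from the Google Admin Console are X.509 certificates (PEM or DER), and
# $DomainName is replaced with the tenant's federated domain.
#Requires -Version 5.1
#Requires -Modules MSOnline

$DomainName      = 'REPLACE_WITH_FEDERATED_DOMAIN'          # placeholder
$SigningCertPath = 'REPLACE_WITH_ABSOLUTE_CERTIFICATE_PATH' # certificate Workspace signs with now
$NextCertPath    = 'REPLACE_WITH_ABSOLUTE_CERTIFICATE_PATH' # second certificate, or same path if only one

function Get-FederationCertBase64 {
    param([Parameter(Mandatory)][string]$Path)
    # X509Certificate2 reads PEM or DER files; Entra expects the base64 DER string.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate at $Path expired on $($cert.NotAfter); delete it in Workspace first."
    }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Base64     = [Convert]::ToBase64String($cert.RawData)
    }
}

function Get-FederationThumbprints {
    param([Parameter(Mandatory)][string]$DomainName)
    # Decode the certificates Entra currently trusts so they can be compared by thumbprint.
    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    foreach ($b64 in @($settings.SigningCertificate, $settings.NextSigningCertificate)) {
        if ($b64) {
            $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
            [pscustomobject]@{ Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter }
        }
    }
}

Connect-MsolService
Write-Host "Certificates trusted by Entra BEFORE update:"
Get-FederationThumbprints -DomainName $DomainName | Format-Table -AutoSize

$signing = Get-FederationCertBase64 -Path $SigningCertPath
$next    = Get-FederationCertBase64 -Path $NextCertPath
# SigningCertificate must be the one Workspace is actively signing with, or logins fail.
Set-MsolDomainFederationSettings -DomainName $DomainName `
    -SigningCertificate $signing.Base64 `
    -NextSigningCertificate $next.Base64

Write-Host "Certificates trusted by Entra AFTER update (compare to Manage Certificates in Workspace):"
Get-FederationThumbprints -DomainName $DomainName | Format-Table -AutoSize
```

The second table printed is the "second set" referred to in the step above; its thumbprints and expiry dates should match the certificates shown under Manage Certificates in Workspace.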
External Documentation:
- G-Suite (Google Workspace) authentication into Office 365 (SAML)
- https://support.google.com/a/answer/6363817?hl=en
- https://docs.google.com/document/d/1wOND3TchK125QIFiFL19WaknVJ40WH0G8QpD91U9-0w/edit#heading=h.x4bsen20jt0m