Tutorial: Configure Google Apps for automatic user provisioning
The objective of this tutorial is to show you how to automatically provision and de-provision user accounts from Azure Active Directory (Azure AD) to Google Apps.
The scenario that's outlined in this tutorial assumes that you already have the following items:
- An Azure Active directory tenant.
- A valid tenant for Google Apps for Work or Google Apps for Education. You can use a free trial account for either service.
- A user account in Google Apps with Team Admin permissions.
Assign users to Google Apps
Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Azure AD are synchronized.
Before you configure and enable the provisioning service, you need to decide which users or groups in Azure AD need access to your Google Apps app. After you've made this decision, you can assign these users to your Google Apps app by following the instructions in Assign a user or group to an enterprise app.
We recommend that a single Azure AD user be assigned to Google Apps to test the provisioning configuration. You can assign additional users and groups later.
When you assign a user to Google Apps, select the User or Group role in the assignment dialog box. The Default Access role doesn't work for provisioning.
Enable automated user provisioning
This section guides you through the process of connecting your Azure AD to the user account provisioning API of Google Apps. It also helps you configure the provisioning service to create, update, and disable assigned user accounts in Google Apps based on user and group assignment in Azure AD.
You might also choose to enable SAML-based single sign-on for Google Apps, by following the instructions in the Azure portal. Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.
Configure automatic user account provisioning
Another viable option for automating user provisioning to Google Apps is to use Google Apps Directory Sync (GADS). GADS provisions your on-premises Active Directory identities to Google Apps. In contrast, the solution in this tutorial provisions your Azure Active Directory (cloud) users and email-enabled groups to Google Apps.
Sign in to the Google Apps Admin console with your administrator account, and then select Security. If you don't see the link, it might be hidden under the More Controls menu at the bottom of the screen.
On the Security page, select API Reference.
Select Enable API access.
For every user that you intend to provision to Google Apps, their user name in Azure Active Directory must be tied to a custom domain. For example, user names that look like email@example.com are not accepted by Google Apps. On the other hand, firstname.lastname@example.org is accepted. You can change an existing user's domain by editing their properties in Azure AD. We've included instructions for how to set a custom domain for both Azure Active Directory and Google Apps in the following steps.
If you haven't added a custom domain name to your Azure Active Directory yet, then take the following steps:
a. In the Azure portal, on the left navigation pane, select Active Directory. In the directory list, select your directory.
b. Select Domain name on the left navigation pane, and then select Add.
c. Type your domain name into the Domain name field. This domain name should be the same domain name that you intend to use for Google Apps. Then select the Add Domain button.
d. Select Next to go to the verification page. To verify that you own this domain, edit the domain's DNS records according to the values that are provided on this page. You might choose to verify by using either MX records or TXT records, depending on what you select for the Record Type option.
For more comprehensive instructions on how to verify domain names with Azure AD, see Add your own domain name to Azure AD.
e. Repeat the preceding steps for all the domains that you intend to add to your directory.
For user provisioning, the Google Apps custom domain must match the domain name of the source Azure AD. If they do not match, you may be able to solve the problem by implementing attribute mapping customization.
Now that you have verified all your domains with Azure AD, you must verify them again with Google Apps. For each domain that isn't already registered with Google Apps, take the following steps:
a. In the Google Apps Admin Console, select Domains.
b. Select Add a domain or a domain alias.
c. Select Add another domain, and then type in the name of the domain that you want to add.
d. Select Continue and verify domain ownership. Then follow the steps to verify that you own the domain name. For comprehensive instructions on how to verify your domain with Google Apps, see Verify your site ownership with Google Apps.
e. Repeat the preceding steps for any additional domains that you intend to add to Google Apps.
If you change the primary domain for your Google Apps tenant, and if you have already configured single sign-on with Azure AD, then you have to repeat step #3 under Step 2: Enable single sign-on.
In the Google Apps Admin console, select Admin Roles.
Determine which admin account you want to use to manage user provisioning. For the admin role of that account, edit the Privileges for that role. Make sure to enable all Admin API Privileges so that this account can be used for provisioning.
If you are configuring a production environment, the best practice is to create an admin account in Google Apps specifically for this step. These accounts must have an admin role associated with them that has the necessary API privileges.
In the Azure portal, browse to the Azure Active Directory > Enterprise Apps > All applications section.
If you have already configured Google Apps for single sign-on, search for your instance of Google Apps by using the search field. Otherwise, select Add, and then search for Google Apps in the application gallery. Select Google Apps from the search results, and then add it to your list of applications.
Select your instance of Google Apps, and then select the Provisioning tab.
Set the Provisioning Mode to Automatic.
Under the Admin Credentials section, select Authorize. It opens a Google Apps authorization dialog box in a new browser window.
Confirm that you want to give Azure Active Directory permission to make changes to your Google Apps tenant. Select Accept.
In the Azure portal, select Test Connection to ensure that Azure AD can connect to your Google Apps app. If the connection fails, ensure that your Google Apps account has Team Admin permissions. Then try the Authorize step again.
Enter the email address of a person or group who should receive provisioning error notifications in the Notification Email field. Then select the check box.
Under the Mappings section, select Synchronize Azure Active Directory Users to Google Apps.
In the Attribute Mappings section, review the user attributes that are synchronized from Azure AD to Google Apps. The attributes that are Matching properties are used to match the user accounts in Google Apps for update operations. Select Save to commit any changes.
To enable the Azure AD provisioning service for Google Apps, change the Provisioning Status to On in Settings.
This process starts the initial synchronization of any users or groups that are assigned to Google Apps in the Users and Groups section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes while the service is running. You can use the Synchronization Details section to monitor progress and follow links to provisioning activity logs. These logs describe all actions that are performed by the provisioning service on your Google Apps app.
For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.