Set up SSO and user provisioning between Microsoft Entra ID and ChromeOS

1. Sign in to the Microsoft Azure portal.
2. In the search box at the top, enter enterprise application and select it from the list of search results.
3. At the top of the Enterprise applications pane, click New application.
4. Under Cloud platforms, click Google Cloud Platform.
5. Click Google Cloud/G Suite Connector by Microsoft.
6. For Name, enter Google Cloud/G Suite Connector by Microsoft.
7. Click Create.

Still in the Microsoft Azure portal:

1. On the left, under Manage, click Users and groups. Or, on the Overview page, under Getting started, click Assign users and groups.
2. At the top of the Users and groups pane, click Add user/group.
3. In the Add Assignment pane on the left, under Users, click None selected.
4. In the Users pane, select the user that you want.
5. Click Select.
6. In the Add Assignment pane, click Assign.

Still in the Microsoft Azure portal:

1. On the left, under Manage, click Single sign-on.
2. Select a single sign-on method. Click SAML.
3. On the SAML-based Sign-on page, go to Basic SAML Configuration.
4. Click Edit.
5. Configure Identifier (Entity ID). Add URLs:
   • google.com/a/yourdomain.com
   • https://google.com/a/yourdomain.com
6. Configure Reply URL (Assertion Consumer Service URL):
   1. Add URLs:
      • https://google.com/acs
      • https://google.com/a/yourdomain.com/acs
   2. Set the default:
      • Next to https://google.com/a/yourdomain.com/acs, check the Default box.
7. Configure Sign on URL. Add URL:
   • https://google.com/a/yourdomain.com/ServiceLogin?continue=https://mail.google.com
8. Click Save.
9. Download the Base64 version of the certificate:
   1. Still on the SAML-based Sign-on page, go to SAML Signing Certificate.
   2. Next to Certificate (Base64), click Download.
10. Gather the information that you'll need to configure the Google Cloud / G Suite Connector by Microsoft application to link with Microsoft Entra ID:
    1. Still on the SAML-based Sign-on page, go to Set up Google Cloud / G Suite Connector by Microsoft.
    2. Copy the URLs:
       • Login URL—The page where users sign in to your system and Google Workspace.
       • Logout URL—The page where users are redirected to after signing out.

Configure third-party IdP settings

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Overview.

   Requires having the Security Settings administrator privilege.

3. Click Set up single sign-on (SSO) with a third party IdP.
4. Click Add SSO profile.
5. Check the Set up SSO with third-party identity provider box.
6. Enter your third-party IdP URLs:
   1. Sign-in page URL—Paste the Login URL that you copied in Step 3 above.
   2. Sign-out page URL—Paste the Logout URL that you copied in Step 3 above.
      Note: URLs must use HTTPS.
7. Click Replace certificate.
8. Select the file that you want to use and click Open.
9. Click the Use a domain specific issuer box.
10. For Change password URL, enter the URL:
    • https://account.activedirectory.windowsazure.com/changepassword.aspx
11. Click Save.

Configure user settings

Still in the Admin console:

1. Go to  Menu  Devices > Chrome > Settings. The User & browser settings page opens by default.

   Requires having the Mobile Device Management administrator privilege.

   If you signed up for Chrome Enterprise Core, go to Menu  Chrome browser > Settings.

2. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
3. Go to Security.
4. For Single sign-on, select Enable SAML-based single sign-on for Chrome devices.
5. (Optional) For SAML single sign-on login frequency, enter a value that is smaller than the password expiration time. For details about the setting, see Set Chrome policies for users or browsers.
6.  
   Click Save. Or, you might click Override for an organizational unit.

   To later restore the inherited value, click Inherit. 

Configure device settings

Still in the Admin console:

1. At the top of the page, click Device settings. Or, from the Admin console Home page, go to DevicesChromeSettingsDevice.
2. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
3. Go to Sign-in settings.
4. For Single sign-on IdP redirection, select Allow users to go directly to SAML SSO IdP page. For details about the setting, see Set Chrome device policies.
5. For Single sign-on cookie behavior, select Enable transfer of SAML SSO cookies into user session during sign-in. For details about the setting, see Set Chrome device policies.
6. Click Save.

1. Turn on a managed ChromeOS device.
2. On the Sign in to your Chromebook page, click Next.
3. On the Microsoft sign-in page, enter your AD username.
4. Click Next.
5. Enter your password.
6. Click Sign in.
7. To stay signed in and access the user session, click Yes.

When you signed up for Cloud Identity or Google Workspace, you created a super admin account. While you could use it for Microsoft Entra ID, we recommend that you create a separate super admin account that is used exclusively by Microsoft Entra ID.

Create user

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Directory > Users.
3. At the top of the page, click Add new user.

   

4. Enter account information. For details, see Add an account for a new user.
5. Click Add new user.
6. To finish adding the new user, click Done.

Make user a super admin

Still in the Admin console:

1. Go to Menu  Directory > Users.
2. In the Users list, find the new user that you just created.
3. Click the user’s name to open their account page.
4. Click Admin roles and privileges.

   

5. Click Assign roles.
6. Next to the Super Admin role, click the slider so it's marked Assigned.
7. Click Save.
   Tip: Have the new administrator add recovery options to their account.

The user typically becomes an admin within a few minutes. However, it can take up to 24 hours.

Manage user account provisioning

1. Sign in to the Microsoft Azure portal.
2. In the search box at the top, enter enterprise application and select it from the list of search results.
3. Search for and click Google Cloud / G Suite Connector by Microsoft.
4. On the left, under Manage, click Provisioning.
5. Click Get started.
6. For Provisioning mode, select Automatic.
7. Click Admin Credentials.
8. Click Authorize.
9. Sign in using the new super admin account that you just created.
10. Click Allow to confirm access to the Cloud Identity API.
11. Under Admin Credentials, click Test Connection. You’ll see a message letting you know if you’re authorized to enable provisioning.
12. (Optional) Under Mappings, configure user or group provisioning. We recommend that you use the default setting.
13. Click Save.
14. At the top of the Provisioning page, click Start provisioning.
15. Wait until sync completes.