Azure SSO integration to Google Cloud


Matt Strickland

Apr 20, 2022, 11:23:34 PM
to Techies for schools
Hi all,

Just reaching out to see if anyone out there uses Azure AD as an IdP/SSO for Google Cloud (we are a Microsoft school only at the moment), and any issues I might stumble across?

Just as background, we have local AD, Azure AD Connect and use O365 for staff and students. No Google integration (however staff have made Google accounts with the same account I intend to federate).

I would like to at least provision school accounts for Chromebooks with some provisioning profiles. I think I am happy keeping two management consoles (not using Azure to manage Chromebooks), but using Azure as SSO/IdP for the school Chromebook account.

Is this the best document to start implementation?

The long term planning is that one day AD will eventually be retired, and Azure is our IdP/SSO for everything else that supports it.

Matt

James Andrewartha

Apr 21, 2022, 12:35:04 AM
to techies-f...@googlegroups.com
Hi Matt,
We are doing this, although not with Chromebooks. The documentation you
linked is correct, see also the Google equivalent documentation
https://cloud.google.com/architecture/identity/federating-gcp-with-azure-active-directory

The changeover was fine, I still use GCDS for provisioning users and
groups though. Global admins can't use SSO.
https://support.google.com/accounts/answer/183128?hl=en&ref_topic=1699313 covers
what happens to users' existing personal Google accounts when you create
Workspace ones.

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

Alistair Baird

Apr 21, 2022, 2:09:23 AM
to techies-f...@googlegroups.com
Hi Matt,

We are a Google school, with Azure SSO. I am on leave this week, but happy to help next week if you get stuck.

Just be aware that Google OUs aren't the same as AD OUs. You can keep Google pretty simple. It's all in the way you set up the link mapping.

You have to set up a domain in your school's name, then use Google AD sync to set your accounts up in Google. You need to set up OUs in Google, but don't replicate AD; keep it simple. We just use Students and Teachers for users in Google, with several rule sets in GADS to populate the two. This may cause issues with existing users, not sure. Then set SSO from Azure, using your major AD groups (we use all-students and all-staff) for the major groups, leavers and BOT etc., to allow access to the Google application in Azure. Once that's done, you can then use Google Admin to set up your policies for Chromebooks (we have another two organisational units in Google for devices, one for school-owned, the other for BYOD).

Then students can either just log on to their CB using a school email address or, better still, enrol the device. I found some parents try to set up a child account and link it to an adult account (they can't use the school domain), but this causes problems on the CB when using the mail app etc. if they've been too restrictive, so I just reset and enrol it as a student device; that takes over ownership and those problems go away.

It works well, and Google Classroom works well too. I recommend Google Meet over MS Teams as it is a simpler interface for non-tech-savvy students and teachers alike, but you can use Teams etc. as this all gets done through O365 anyway.

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-schools+unsubscribe...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/techies-for-schools/ac1d39f9-6d26-e230-b96a-bc531a936ea7%40ccgs.wa.edu.au.


--

Kind regards,
Alistair Baird
IT Manager


P  06 354 4198
stpeterspn.school.nz

  @stpeterspn

1 Holdsworth Avenue, Milson
Palmerston North, 4414


Jonathan Churton

Apr 25, 2022, 3:57:44 PM
to techies-f...@googlegroups.com
Hi Matt,

We are a Google school and have Students + Staff authenticate through Azure.

Users/Groups: AD > Azure AD Connect > Azure
Users/Groups: AD > GCDS > Google
SSO: Azure > SSO > Google

Everything uses u...@example.domain as primary login usernames etc. We enterprise manage "school issued" equity chromebooks which pushes students through the Azure Login. Happy to provide more information off-list.

Cheers,
Jonathan. 




--
Jonathan Churton
ICT Systems Engineer
Lighting and Sound Technician
Wellington High School
Work: 02825508921 or Ext 887

Matt Strickland

Apr 27, 2022, 4:45:17 PM
to Techies for schools
Thanks everyone,

I'm still waiting on getting licenses.
Tried a user sync from Azure and they are populating in Google (although now suspended). Scoped to all staff/students.
Not syncing groups, but will just separate staff and students, we don't need any more granularity.

We don't intend to purchase chromebooks - but I assume I will also need Chrome Education Upgrade for BYOD (if they wanted to enroll them?)
I see in the obligations we need to deploy a CEU within 3 months, do I need to just guess how many we might need?

My intention, to start with, is that those students who arrive with a CB and have never created a Gmail account can log on with a school-supplied Google account, or enrol the device if that makes provisioning easier (WiFi settings etc.).

Matt

Jono Green

Apr 27, 2022, 5:48:04 PM
to Techies for schools
Hi Matt,

Please let us know if you're getting stuck with getting licenses for Microsoft 365 A3/A5. 

Cheers,
Jono (Microsoft)

Matt Strickland

May 5, 2022, 1:32:38 AM
to Techies for schools
Hey all,

Ok, finally I think we're licensed... and attached to a reseller.

First hiccup: I followed the Azure -> GC Sync document, created an AD Provisioning account and started syncing users.
But all users, including the AD Provisioning account, were automatically suspended: Unverified Sign-in
"The user's account was added along with many other accounts within a short period, such as when you add multiple users at once using a CSV file or manually add many accounts quickly."

I can't reactivate the account; the user has to sign in and provide SMS (which I want to avoid; one of the reasons is to create accounts without requiring mandatory SMS, as some students don't have a phone number).
Do I delete these accounts and sync again? Or will I need to contact support already?

Matt


Matt Strickland

May 8, 2022, 5:27:06 PM
to Techies for schools
Can anyone here confirm if our Google licensing is set up correctly?

I initially created a trial workspace for 60 days with Education Fundamentals and Teaching/Learning upgrade, then applied for licensing by transferring to one of the approved resellers.
But I've had to go through some hoops to get verified as an institution. I can't really proceed much further until I know our licensing is set up correctly.

Matt



Alistair Baird

May 8, 2022, 5:34:59 PM
to techies-f...@googlegroups.com
No, that isn't correct. Once you have your roll confirmed etc, it will show you the allocated EDUCATION PLUS student and teacher licences.

Matt Strickland

May 8, 2022, 11:05:02 PM
to Techies for schools
Thanks Alistair,

Seems we are still stuck on getting Education status approved for the trial (before the licenses are upgraded/applied)
Hopefully another 24 hours or so and it might be sorted.

Matt

Steve Smith

May 9, 2022, 4:52:25 PM
to Techies for schools
Morena Matt,
If you need backup with your Workspace Fundamentals (free version) application please let me know, as I can give the approvals team a nudge if needed.
Just send me the domain you are setting up and I can check for you.
The normal workflow is:
Procure a domain
Get the trial of Workspace
Fill in the education upgrade request at this link
Upgrade to Workspace Plus via a reseller/service provider
Let me know if you need support
Nga Mihi
Steve

Matt Strickland

May 9, 2022, 5:08:06 PM
to Techies for schools
Thanks Steve,

I keep getting the confirm status as a qualified applicant / accreditation as a K-12 or higher institute (3 times now)...
(I've already sent them our education counts / Ministry ERO statistics + our website) and have asked our Principal for anything else we can provide as evidence.
Our workspace is registered as: karamu.school.nz
I already have Azure sync sorted and a few other things but waiting on the licenses before proceeding further.
I emailed them again this morning so hopefully I might have something by midday before they close.

Matt

Steve Smith

May 9, 2022, 5:56:05 PM
to techies-f...@googlegroups.com
Hi Matt,
I have had a look and can see that your fundamentals (free edition) account is active for 100,000 users.
If you can forward me the email you got from the application team I can check that is all correct too.
Were you wanting to upgrade to Education Plus next?
Please feel free to email me direct if you like
Nga Mihi
Steve


Sam McNeill

May 9, 2022, 6:37:27 PM
to Techies for schools
Matt,

I know you're waiting on licensing etc, but I also saw this video from Jono Green now showing how to get the sync working so dropping it here for anyone else that is wanting to go down this route:


Cheers
Sam

Matt Strickland

May 10, 2022, 11:13:32 PM
to Techies for schools
Thanks Sam,

Yes still waiting on approval. Had to have the principal reply today to support.

I initially created a new App Registration with the intention of modifying the JSON manifest to assign and return appRoles per group (so I could use SingleAppRoleAssignment) as an expression to assign the value OrgUnit, but I just couldn't get it formatted right; I kept getting Invalid_OU_ID errors, even though I had /Staff and /Student (Staff and Student organizational units) set up.
Basically following this example

So I went back to my initial plan and just created two separate provisioning applications, one for staff, one for students, each scoped to its group and just setting a constant. It seems to be reliable enough, and I don't intend at this point to have any more OUs. I'm not sure if there's an issue with duplicate provisioning happening at the same time (but for different users)?

In any case, I have staff/students in different OUs syncing from Azure. At this point I plan to keep it simple.

Matt
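As an added illustration (not from the thread, and not a confirmed fix for the Invalid_OU_ID error above), this is the shape of the single-app approach the post describes: one appRoles entry per AD group in the Azure AD app manifest, so that a provisioning expression can map the role name to the Google OU path. The GUIDs are placeholders and must be replaced with unique values; the group names all-staff and all-students follow Alistair's earlier post.

```json
{
  "appRoles": [
    {
      "allowedMemberTypes": [ "User" ],
      "description": "Assigned to the all-staff group; provisioned into the /Staff OU",
      "displayName": "Staff",
      "id": "00000000-0000-0000-0000-000000000001",
      "isEnabled": true,
      "value": "Staff"
    },
    {
      "allowedMemberTypes": [ "User" ],
      "description": "Assigned to the all-students group; provisioned into the /Student OU",
      "displayName": "Student",
      "id": "00000000-0000-0000-0000-000000000002",
      "isEnabled": true,
      "value": "Student"
    }
  ]
}
```

With those role names, the attribute mapping for the OU path (the target attribute name in the Google connector is assumed here to be OrgUnitPath) would be `Switch(SingleAppRoleAssignment([appRoles]), "/", "Staff", "/Staff", "Student", "/Student")`, with "/" as the default for a user holding neither role. SingleAppRoleAssignment expects each user to hold exactly one app role, so a user who is in both AD groups fails to provision rather than landing silently in the wrong OU, which is worth checking in the provisioning logs before relying on the mapping.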

Matt Strickland

May 11, 2022, 10:35:39 PM
to Techies for schools
Finally, we are licensed!
Now the questions start: (I'm behind in Google world so will watch some of the recent videos)

I have staff and students syncing, and they are in separate OUs. (I assume this is useful for global off/on control of specific apps?)
I can also create dynamic groups too, e.g. I've created a Staff group based on the Staff OU as a test. But I wasn't wanting it mail-enabled (i.e. I'm thinking Azure Security Group).

So how for example, can I auto add every teacher to be a member of the Classroom Teachers group? (can I assign the OU, or the dynamic group?)

Haven't yet enabled SSO so no one can log in at this point.

Matt

Jono Green

May 11, 2022, 10:40:03 PM
to Techies for schools
The main service that likes Mail-enabled SGs would be Microsoft Information Protection as if you're deploying that to a group of users, the group must have an email address.

I would go for a Dynamic SG but bear in mind you need to be able to keep membership consistent across Microsoft and Google for users. If you can't maintain consistency across both then manual assignment is the way to go otherwise you'll potentially have a long tail of issues.

Steve Smith

May 12, 2022, 5:38:38 PM
to Techies for schools
Morena Matt,
Either OU or Dynamic group will work.
If you don't want your teacher group to be email enabled, just go to Gmail and select the OU and switch it off, or choose the top OU and switch it off for all OUs and the setting will be inherited down the OU tree. You can sync your groups from your SMS too. I will send you our setup guide if you haven't found what you need in our support community or help center.
A couple of admin-focused webinars are in the playlist here
Have a great Friday
Steve

Matt Strickland

May 12, 2022, 5:48:52 PM
to Techies for schools
Thanks Steve,

Yes, I'll check out the webinars as I missed out sitting in other classes. If you have a setup guide please send it through too. Yes, I already have Gmail disabled from the top OU (but groups will still call for an email address even if not used).
I'll do some research on a wet Sunday from what it looks like :)

Matt

Steve Smith

May 15, 2022, 7:13:57 PM
to techies-f...@googlegroups.com
Mōrena Matt,
The setup guides and best practice advice can be found at https://edu.google.com/intl/ALL_nz/get-started/setup-products/
This gives advice for the free Fundamentals edition and the paid editions too.
There are also product guides for all our core products at the bottom of the page.
Ka pai tō ra
Steve

Matt Strickland

May 15, 2022, 8:37:51 PM
to Techies for schools
Awesome, I'll take a look. Still just working with users that created personal accounts with the same domain that now have temporary accounts (and have registered other applications using this account too).

One simple thing I'm stuck on, or I'm thinking about this the wrong way: I wanted to add allstaff (a dynamic Google group) to the 'classroom_teachers' group (which is auto-created),
i.e. I want to have all teachers as members so they don't sit in "pending" and have to be manually approved when they first open Google Classroom.
But when I try to add a group I get a nondescript error....
But then in the community someone posted the same thing - with the answer that you can't do that? Link
Can you not add a group to a group? Or just this specific auto-created group?
Do other schools delegate managers to approve new teachers?

Matt

Richard Johnson

May 16, 2022, 1:22:11 AM
to Techies for schools
Hey Matt,

You cannot add a group to a dynamic group or add a dynamic group to any other group. See here

Richard