Azure AD B2B Now Officially Supports Google IDs
- By Kurt Mackie
- November 20, 2019
A feature that lets users of the Google identity and access service use their personal log-in IDs with Microsoft's Azure Active Directory B2B service is now generally available, Microsoft announced on Wednesday.
The idea behind this Google ID federation approach, which had been in preview since August 2018, is that business partners can access organizational resources using their existing Google IDs, and no Azure AD identity needs to be created beforehand.
Microsoft has added a few new features since the preview. The Azure AD B2B service now works with @googlemail.com accounts, rather than just with @gmail.com accounts.
In addition, Microsoft Teams permits Google ID sign-ins for collaborations. The sign-in support works with "desktop, web browser, iOS and Android" Teams clients, as well as tenant authentication portals, such as "teams.microsoft.com."
Google ID Federation
To permit Google ID federation for guest access, organizations using the Azure AD B2B service have to carry out some setup steps, as described in this Microsoft document. An organization's conditional access policies will apply to the guests, so if multifactor authentication (MFA) is used by an organization for employees, it'll apply to guests, as well.
There's a licensing caveat that applies to guests with the Azure B2B service when they touch paid Azure AD services. Organizations need to have the licenses to cover guests beyond a certain number, as explained in this Microsoft document:
With Azure Active Directory (Azure AD) business-to-business (B2B) collaboration, you can invite External Users (or "guest users") to use your paid Azure AD services. Some features are free, but for any paid Azure AD features, you can invite up to five guest users for each Azure AD edition license that you own for an employee or a non-guest user in your tenant.
MFA has been a paid Azure AD option. Microsoft, though, announced earlier this month that it planned to turn on MFA by default starting November for all new Azure AD tenants, making MFA a "free" option.
Under the Azure AD B2B guest scenario, the granting of access to shared resources is carried out via an invitation-only process. Prospective users get sent an e-mail invitation with a PIN, which is used to gain network access. Guests don't get all of the access privileges of employees, though. For instance, they don't get their own OneDrive storage or Exchange mailbox, and they don't have licensing permissions to use Office client applications.
Outlook.com and Google Apps?
On top of that Google ID news, Microsoft may be planning to allow Google apps to appear in its browser-based Outlook.com e-mail service.
According to this article by Tom Warren of The Verge, Google apps such as Google Calendar, Google Drive and Gmail can be used within Outlook.com, although the capability is said to be currently at the test level. It's done by linking a Google account with an Outlook.com account, according to the article.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.