Microsoft Entra ID (formerly Azure AD) B2B user provisioning and single sign-on

This document shows you how to extend Microsoft Entra ID (formerly Azure AD) user provisioning and single sign-on so that Microsoft Entra ID B2B collaboration users can also use single sign-on (SSO).

The document assumes that you use Microsoft Office 365 or Microsoft Entra ID in your organization and that you've already configured Microsoft Entra ID user provisioning and single sign-on as shown in the following diagram.

Configuring Microsoft Entra ID user provisioning and single sign-on.

In this diagram, users from external identity providers (IdPs) and from other Microsoft Entra ID tenants sign on to the Microsoft Entra ID tenant through B2B sign-on.

Objectives

  • Extend the Microsoft Entra ID user provisioning configuration to cover Microsoft Entra B2B guest users.
  • Extend the Microsoft Entra ID SSO configuration to cover Microsoft Entra B2B guest users.
  • Configure Cloud Identity to limit session lengths for guest users.

Before you begin

Make sure you've set up Microsoft Entra ID user provisioning and single sign-on.

Note: This document refers to the Google Cloud/Google Workspace Connector by Microsoft gallery app from the Microsoft Azure Marketplace. This app is a Microsoft product and is not maintained or supported by Google.

Microsoft Entra B2B guest users

Microsoft Entra ID lets you invite external users as guests to your Microsoft Entra ID tenant. When you invite an external user, Microsoft Entra ID creates a guest user account in your tenant. These guest user accounts differ from regular Microsoft Entra ID user accounts in multiple ways:

  • Guest users don't have a password in your tenant. To sign on, guest users are automatically redirected to their home tenant or to the external identity provider (IdP) that they've been invited from.
  • The user principal name (UPN) of the guest user account uses a prefix derived from the invitee's email address (the address with its @ replaced by an underscore), combined with the tenant's initial domain, for example: prefix#EXT#@tenant.onmicrosoft.com.
  • If you invite a user from a different Microsoft Entra ID tenant and the user is later deleted in its home tenant, the guest user account remains active in your Microsoft Entra ID tenant. The guest can no longer complete a sign-in through the home tenant, but the guest account, its group memberships, and any account provisioned from it persist until you suspend or delete the guest in your own tenant.

These differences affect the way you configure user provisioning and single sign-on:

  • Provisioning: the guest UPN uses the tenant's .onmicrosoft.com domain rather than a domain of your Cloud Identity or Google Workspace account, so the provisioning mapping has to rewrite prefix#EXT#@tenant.onmicrosoft.com to prefix@PRIMARY_DOMAIN. Guests are also provisioned into a dedicated organizational unit so that you can apply stricter policies to them.
  • Single sign-on: the Name ID in the SAML assertion has to apply the same rewrite so that it matches the primary email address that provisioning created. If the two disagree, the guest's sign-in fails because no matching account exists.
  • Lifecycle: because a deletion in the guest's home tenant doesn't remove the guest from your tenant, you limit the session length for guests so that a guest who has been suspended in Microsoft Entra ID loses access to Google Cloud within a bounded time.

Prepare your Cloud Identity or Google Workspace account

Create an organizational unit in your Cloud Identity or Google Workspace account that all guest users will be provisioned to.

  1. Open the Admin Console and sign in using the super-admin user created when you signed up for Cloud Identity or Google Workspace.
  2. In the menu, go to Directory > Organizational units.
  3. Click Create organizational unit and provide a name and description for the OU:
    1. Name of organizational unit: guests
    2. Description: Microsoft Entra B2B guest users
  4. Click Create.

Apply a policy to the organizational unit that limits the session length to 8 hours. The session length not only applies to browser sessions, but also restricts the lifetime of OAuth refresh tokens, so the gcloud CLI and other Google Cloud clients are covered as well.

  1. In the Admin Console, go to Security > Access and data control > Google Cloud session control.
  2. Select the organizational unit guests and apply the following settings:

    • Reauthentication policy: Require reauthentication
    • Reauthentication frequency: 8 hours.

      This duration reflects the maximum amount of time a guest user might still be able to access Google Cloud resources after the guest has been suspended in Microsoft Entra ID: suspension blocks new sign-ins through Microsoft Entra ID immediately, but sessions and refresh tokens that already exist remain valid until this interval expires.

    • Reauthentication method: Password.

      Because single sign-on is enforced for the account, this setting ensures that users have to re-authenticate by using Microsoft Entra ID after a session has expired.

  3. Click Override.

Note: The configuration change can take up to 24 hours to take effect.

Configure Microsoft Entra ID provisioning

You are now ready to adjust your existing Microsoft Entra ID configuration to support provisioning of B2B guest users.

  1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications.
  2. Select the enterprise application Google Cloud (Provisioning), which you use for user provisioning.
  3. Click Manage > Provisioning.
  4. Click Edit provisioning.
  5. Under Mappings, click Provision Microsoft Entra ID Users.
  6. Select the row userPrincipalName.
  7. In the Edit Attribute dialog, apply the following changes:

    1. Mapping type: Change from Direct to Expression.
    2. Expression:

      Replace([originalUserPrincipalName], "#EXT#@TENANT_DOMAIN", , , "@PRIMARY_DOMAIN", , )

      Replace the following:

      • TENANT_DOMAIN: the .onmicrosoft.com domain of your Microsoft Entra ID tenant, such as tenant.onmicrosoft.com.
      • PRIMARY_DOMAIN: the primary domain name used by your Cloud Identity or Google Workspace account, such as example.org.

      The UPN of a regular user doesn't contain the #EXT# suffix, so the expression returns it unchanged and the mapping keeps working for existing users.
  8. Click OK.

  9. Select Add new mapping.

  10. In the Edit Attribute dialog, configure the following settings:

    1. Mapping type: Expression.
    2. Expression:

      IIF(Instr([originalUserPrincipalName], "#EXT#", , )="0", "/", "/guests")

    3. Target attribute: OrgUnitPath

  11. Click OK.

  12. Click Save.

  13. Click Yes to confirm that saving changes will result in users and groups being resynchronized.

  14. Close the Attribute Mapping dialog.

Configure Microsoft Entra ID for single sign-on

To ensure that guest users can authenticate by using single sign-on, you now extend your existing Microsoft Entra ID configuration to enable single sign-on for guests. The Name ID that the SAML assertion carries must equal the primary email address that provisioning created, so guests need the same UPN rewrite here that you configured for provisioning:

  1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications.
  2. Select the Google Cloud enterprise application, which you use for single sign-on.
  3. Click Manage > Single sign-on.
  4. On the ballot screen, click the SAML card.
  5. On the User Attributes & Claims card, click Edit.
  6. Select the row labeled Unique User Identifier (Name ID).
  7. Select Claim conditions.
  8. Add a conditional claim for external guests:
    • User type: External guests
    • Source: Transformation
    • Transformation: RegexReplace()
    • Parameter 1: Attribute
    • Attribute: user.userprincipalname
    • Regex pattern: (?'username'^.*?)#EXT#@(?i).*\.onmicrosoft\.com$
    • Replacement pattern: {username}@PRIMARY_DOMAIN, replacing PRIMARY_DOMAIN with the primary domain name used by your Cloud Identity or Google Workspace account.
  9. Click Add.
  10. Add a conditional claim for Microsoft Entra ID guests from different tenants. Their UPNs use the same prefix#EXT#@tenant.onmicrosoft.com format, so the transformation is the same as for external guests:
    • User type: Microsoft Entra ID guests
    • Source: Transformation
    • Transformation: RegexReplace()
    • Parameter 1: Attribute
    • Attribute: user.userprincipalname
    • Regex pattern: (?'username'^.*?)#EXT#@(?i).*\.onmicrosoft\.com$
    • Replacement pattern: {username}@PRIMARY_DOMAIN, again replacing PRIMARY_DOMAIN with your primary domain name.

  11. Click Add.

  12. Add a conditional claim for regular Microsoft Entra ID users, which passes the UPN through unchanged, matching what your existing single sign-on configuration already uses as the Name ID:
    • User type: Members
    • Source: Attribute
    • Value: user.userprincipalname

  13. Click Save.
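The provisioning expressions and the SAML claim conditions both rewrite the guest UPN, and they have to agree: if the Name ID in the assertion differs from the primary email address that provisioning created, Google Sign-In has no matching account and the guest's login fails. The following Python script is an added example, not part of this document and not code from Microsoft or Google, that mirrors both transformations locally so you can check them against sample UPNs before you save the configuration. The tenant domain, the primary domain and the three UPNs are constructed placeholder values, and the regular expression is the claim-condition pattern translated from .NET to Python syntax: (?'name'...) becomes (?P<name>...), and the trailing (?i) becomes a scoped (?i:...) group.

```python
import re

# Constructed placeholder values for this example; substitute your tenant's
# initial domain and your Cloud Identity or Google Workspace primary domain.
TENANT_DOMAIN = "tenant.onmicrosoft.com"
PRIMARY_DOMAIN = "example.org"


def provisioning_email(original_upn, tenant_domain=TENANT_DOMAIN, primary_domain=PRIMARY_DOMAIN):
    """Mirror of the provisioning mapping for userPrincipalName:
    Replace([originalUserPrincipalName], "#EXT#@TENANT_DOMAIN", , , "@PRIMARY_DOMAIN", , )
    A UPN without the guest suffix is returned unchanged, which is why the
    same mapping keeps working for regular members."""
    return original_upn.replace(f"#EXT#@{tenant_domain}", f"@{primary_domain}")


def provisioning_org_unit(original_upn):
    """Mirror of the OrgUnitPath mapping:
    IIF(Instr([originalUserPrincipalName], "#EXT#", , )="0", "/", "/guests")"""
    return "/guests" if "#EXT#" in original_upn else "/"


# Claim-condition pattern (?'username'^.*?)#EXT#@(?i).*\.onmicrosoft\.com$
# in Python syntax: (?'name'...) -> (?P<name>...), trailing (?i) -> (?i:...).
GUEST_NAME_ID_PATTERN = re.compile(r"(?P<username>^.*?)#EXT#@(?i:.*\.onmicrosoft\.com)$")


def saml_name_id(upn, is_guest, primary_domain=PRIMARY_DOMAIN):
    """Name ID the claim conditions emit: RegexReplace for guests (External
    guests and Microsoft Entra ID guests share the pattern), and
    user.userprincipalname unchanged for Members."""
    if not is_guest:
        return upn
    match = GUEST_NAME_ID_PATTERN.match(upn)
    if match is None:
        # RegexReplace leaves a non-matching value untouched, so the assertion
        # would carry the raw #EXT# UPN; fail loudly rather than hide that.
        raise ValueError(f"guest UPN does not match the guest Name ID pattern: {upn}")
    return f"{match.group('username')}@{primary_domain}"


def check_consistency(original_upn, is_guest):
    """Compare what provisioning creates with what SSO asserts for one user.
    A mismatch means the SAML Name ID names an account that was never
    provisioned, and that user's sign-in fails."""
    provisioned = provisioning_email(original_upn)
    asserted = saml_name_id(original_upn, is_guest)
    return {
        "upn": original_upn,
        "provisioned_email": provisioned,
        "saml_name_id": asserted,
        "org_unit": provisioning_org_unit(original_upn),
        "consistent": provisioned.casefold() == asserted.casefold(),
    }


# Constructed sample users, one per claim condition: a member, an external
# guest invited as bob@contoso.com, and a guest from another tenant invited
# as carol@fabrikam.com.
SAMPLE_USERS = [
    ("alice@example.org", False),
    ("bob_contoso.com#EXT#@tenant.onmicrosoft.com", True),
    ("carol_fabrikam.com#EXT#@tenant.onmicrosoft.com", True),
]

if __name__ == "__main__":
    for sample_upn, sample_is_guest in SAMPLE_USERS:
        result = check_consistency(sample_upn, sample_is_guest)
        print(f"{result['upn']:48} -> {result['saml_name_id']:32} "
              f"OU={result['org_unit']:8} consistent={result['consistent']}")
```

Run the script as-is to see the three sample users, then replace the placeholders with your own tenant and primary domain and a few real UPNs copied from the Azure portal. A result with consistent set to False, or a ValueError for a guest, means that class of user would be provisioned under one address and asserted under another, which is exactly the failed sign-in you would otherwise only discover during the test below.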

Test single sign-on

To verify that the configuration works correctly, you need three test users in your Microsoft Entra ID tenant, one for each claim condition you configured. The following are example values; replace example.org with your primary domain and tenant.onmicrosoft.com with your tenant's initial domain:

  • A regular member of your tenant, for example with the UPN alice@example.org. Primary email address in Cloud Identity or Google Workspace: alice@example.org (the UPN is used unchanged).
  • An external guest invited by email address, for example bob@contoso.com, whose UPN is bob_contoso.com#EXT#@tenant.onmicrosoft.com. Primary email address in Cloud Identity or Google Workspace: bob_contoso.com@example.org.
  • A guest from a different Microsoft Entra ID tenant, for example carol@fabrikam.com, whose UPN is carol_fabrikam.com#EXT#@tenant.onmicrosoft.com. Primary email address in Cloud Identity or Google Workspace: carol_fabrikam.com@example.org.

For each user, you perform the following test:

  1. Open a new incognito browser window and go to https://console.cloud.google.com/.
  2. In the Google Sign-In page that appears, enter the primary email address of the user in Cloud Identity or Google Workspace, as listed for each test user above. For guests, this is the address derived from the UPN, not the UPN itself.

    You are redirected to Microsoft Entra ID where you see another sign-in prompt.

  3. At the sign-in prompt, enter the UPN of the user and follow the instructions to authenticate.

    After successful authentication, Microsoft Entra ID redirects you back to Google Sign-In. Because this is the first time you've signed in using this user, you are asked to accept the Google Terms of Service and privacy policy.

  4. If you agree to the terms, click Accept.

    You are redirected to the Google Cloud console, which asks you to confirm preferences and accept the Google Cloud Terms of Service.

  5. If you agree to the terms, choose Yes, and then click Agree and continue.

  6. Click the avatar icon, and then click Sign out.

    You are redirected to a Microsoft Entra ID page confirming that you have been successfully signed out.

What's next

Contributors

Author: Johannes Passing | Cloud Solutions Architect

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-30 UTC.