Entra ID + Google Cloud Identity & existing mails
Posted by No_Maize7277@reddit | sysadmin | 6 comments
Hello everyone
In our current setup, we use Azure/Entra ID (remove the one you don't like) for SSO, wherever we can.
We also rely on Google accounts for accessing Google services, like Tag Manager, Firebase, Google Cloud etc., and this is the only purpose of Google accounts in our company. We do not use Google calc, writer etc. — so far so good.
None of our Google accounts is managed by anything. Just a note: we do not use the @gmail.com domain, but our own, so if userB@ourdomain.com has his Google account created, it's reachable via that mail, not via userB@gmail.com.
Initially, I thought about Google Workspace, but discovered that there's also a thing called Google Cloud Identity, which could be a better solution for us, as we just really need a user management here, nothing more.
Here comes the problematic part: is it possible to use Entra ID as an IdP for GCI? I believe so, but it would be nice to have someone confirm this. Also, how problematic is the limit of 50 seats? Do I have to buy a premium version to have it unlimited, or, if I contact Google, might they extend that number to, say, 150 seats (which would be totally enough for us) for free?
And what will happen with the accounts mentioned above? Will this integration automatically detect that it's the same domain and "claim" them with no problems (just like in Apple Business Manager, as an example)? What is the user experience there? Are they informed about it somehow?
For example: when doing something similar with Apple Business Manager, users are informed that their accounts are "incorporated" into a domain, and their actual accounts are modified. So if user userB@ourdomain.com had created his Apple Account using this email, after it is claimed, it's changed to (something like) userB.ourdomain.com@apple.com?
Thanks in advance!
0xmerp@reddit
Yes, that’s what we do.
You can increase the limit by contacting support. It won't be unlimited, but they will increase it for you given reasonable justification.
You have to have a paid Workspace subscription to contact support though, but buying a single license for 1 month counts too, so spend like $12 and buy the cheapest Essentials license, then contact support and ask for your Cloud Identity cap to be increased, then cancel the paid subscription.
No it won’t be automatic. There is a tool that will let you see a list of all unmanaged accounts in your domain and you can then send invitations to merge those accounts in your org. You can also create an account with that email in your org, which will result in the original consumer account being asked to change their account email the next time they log in.
No_Maize7277@reddit (OP)
Thanks!
So I assume that old accounts to which I have no access (simply because the employee no longer works at the company) will remain unmanaged? I suspect that I can't force it by any means?
0xmerp@reddit
You can force the user to rename their old consumer account.
In your Workspace tenant, create an account with a username matching the consumer account you want to rename (then if you have no use for it and want to clear up your Cloud Identity seats, you can immediately delete it).
You can’t force take-over of the contents of the consumer account though.
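The two comments above describe a manual clean-up: use the unmanaged-accounts list to invite current employees to transfer their consumer accounts, and for departed employees create a same-named account in the tenant (then delete it to free the seat) so the consumer account is forced to rename. The script below is an added example, not code from the thread or from Google, that turns that into a reconciliation plan. It assumes (not stated in the thread) that the unmanaged-account list has been exported as a CSV with an `email` column and the Entra ID user list as a CSV with `userPrincipalName` and `accountEnabled` columns; the Admin SDK Directory API request bodies are only built and printed, not sent.

```python
"""Plan the clean-up of unmanaged Google consumer accounts on a company domain.

Added example, not from the original thread. Assumed inputs (not in the post):
- UNMANAGED_CSV: export of the unmanaged-account list, one 'email' column;
- ENTRA_CSV: Entra ID user export with 'userPrincipalName' and 'accountEnabled'.
The Directory API bodies follow the users.insert/users.delete resource shape but
are only printed here (dry run); wire them to an authorized client to execute.
"""
import csv
import io
import json
import secrets
from dataclasses import dataclass

DOMAIN = "ourdomain.com"  # the example domain used in the thread

# Constructed sample data (not real exports).
UNMANAGED_CSV = """email
usera@ourdomain.com
userb@ourdomain.com
UserC@OurDomain.com
someone@gmail.com
"""

ENTRA_CSV = """userPrincipalName,accountEnabled
usera@ourdomain.com,True
userc@ourdomain.com,True
userd@ourdomain.com,True
leaver@ourdomain.com,False
"""


@dataclass(frozen=True)
class Action:
    email: str
    action: str  # "invite" | "force_rename" | "skip"
    reason: str


def load_unmanaged(csv_text):
    """Return the unmanaged account addresses, lower-cased for comparison."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["email"].strip().lower() for r in rows if r.get("email")]


def load_active_entra(csv_text):
    """Return the set of enabled Entra ID UPNs; disabled accounts are leavers."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {
        r["userPrincipalName"].strip().lower()
        for r in rows
        if r.get("accountEnabled", "").strip().lower() == "true"
    }


def plan(unmanaged, active_entra, domain=DOMAIN):
    """Decide per unmanaged account: invite, force a rename, or skip."""
    actions = []
    for email in unmanaged:
        if not email.endswith("@" + domain):
            actions.append(Action(email, "skip", "not on the company domain"))
        elif email in active_entra:
            actions.append(Action(email, "invite", "current employee: send transfer invitation"))
        else:
            actions.append(Action(email, "force_rename",
                                  "no enabled Entra user: create placeholder, then delete it"))
    return actions


def placeholder_insert_body(email):
    """Directory API users.insert body for the temporary same-named account.

    A random password that must be changed on first login keeps the placeholder
    from being usable if someone guesses it before the delete call runs.
    """
    local = email.split("@")[0]
    return {
        "primaryEmail": email,
        "name": {"givenName": local, "familyName": "placeholder"},
        "password": secrets.token_urlsafe(24),
        "changePasswordAtNextLogin": True,
    }


def dry_run(actions):
    """Print the API calls the plan implies without sending them."""
    for a in actions:
        print(f"{a.email}: {a.action} ({a.reason})")
        if a.action == "force_rename":
            print("  users.insert", json.dumps(placeholder_insert_body(a.email)))
            print(f"  users.delete userKey={a.email}")


if __name__ == "__main__":
    dry_run(plan(load_unmanaged(UNMANAGED_CSV), load_active_entra(ENTRA_CSV)))
```

The insert-then-delete pair frees the Cloud Identity seat immediately, as the comment notes; the consumer account owner is still prompted to rename on their next login, and nothing here touches the contents of that consumer account.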
No_Maize7277@reddit (OP)
Ah, I get it now. Kind of a bummer it won't work similarly to the mechanism used in ABM. Nevertheless, thanks for the answer!
0xmerp@reddit
Isn’t it almost the same in ABM? The user is forced to rename their account, you don’t get to take over the contents of the account without user consent (because the account could contain personal info).
Except in Google Workspace, you get to have a list of users. ABM won’t even give you that.
No_Maize7277@reddit (OP)
I may be wrong here, but in the case of ABM the user actually must transfer his account to a new name and release the company's name he's using:
While, when it comes to Google, they state that:
So that's why I'm asking