Azure Active Directory business-to-business, otherwise known as Azure AD B2B, allows organizations that use Azure AD to securely give users outside the organization access to applications, files, and resources. Until now, this feature was only available to external users who had an Azure AD or Microsoft account, but it has recently been expanded to include users who have a Google Gmail account.
According to Microsoft, being able to establish trust between different organizations over the Internet, known as federation, was a highly requested feature. While external users previously could create a Microsoft account in order to access an organization's resources, enabling Google federation allows Gmail users to access the resources they are invited to without creating a new account.
"Enabling Google federation makes your invited Gmail user’s experience more seamless," stated Alex Simons, Vice President of Program Management, Microsoft Identity Division, in an announcement. "After you have set up B2B Google federation for your organization, invited Gmail users can use their Google identity to sign in and collaborate. They no longer need to create an Azure AD account or Microsoft Account to access the apps and resources you’re sharing with them!"
When BleepingComputer asked Microsoft if they planned on extending the Google Federation to G Suite users, we were told that integrating G Suite is more complex and that they are working on methods to do so.
"Our goal is to support all Google ID users – GSuite poses some challenges in that we have no way to figure out from the username what IDP the user should be sent to, except in the case that the extension is @gmail.com," Microsoft told BleepingComputer via email. "GSuite users have custom URLs, so we are still working to come up with a method for identifying them and letting them log in using their Google IDs."
To use this feature, Azure AD admins need to configure Google as a new Identity Provider in Azure AD. This requires creating a Google Developer project using these instructions to generate a client ID and secret, which are then used to configure the Identity Provider in Azure AD. With this project in place, Azure AD uses the Google OAuth API to authenticate Gmail users who log in to shared resources or applications.
Once a Google project has been created and an administrator has the required ID and secret, they can log in to their Azure AD console and create the new Google Federation. To do this, they should open the Azure console, go into "Azure Active Directory", and then select "Organizational Relationships" as shown below.
To create the Google Federation, click on the "+Google" option at the top of the page as shown above. The administrator will then be prompted to enter the Client ID and secret obtained after they created the Google project.
Once this is saved, the organization's resources can now be shared seamlessly with Google Gmail addresses.
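The same configuration step done through Microsoft Graph instead of the portal, as an added example that is not code from the article or from Microsoft. It assumes the Graph v1.0 `/identity/identityProviders` endpoint and its `socialIdentityProvider` schema, a token with the `IdentityProvider.ReadWrite.All` permission in the `GRAPH_TOKEN` environment variable, and the Google client ID and secret in `GOOGLE_CLIENT_ID` / `GOOGLE_CLIENT_SECRET`; it also lists which external identity providers are enabled, so an admin can audit that only the intended federations exist.

```python
import json
import os
import urllib.request
from typing import Optional

# Assumed Microsoft Graph endpoint for Azure AD (not B2C) identity providers.
GRAPH_IDP_URL = "https://graph.microsoft.com/v1.0/identity/identityProviders"

# Constructed sample of a GET listing, used when no token is configured.
SAMPLE_LISTING = {"value": [
    {"@odata.type": "#microsoft.graph.socialIdentityProvider",
     "displayName": "Google", "identityProviderType": "Google",
     "clientId": "example-client-id"},
    {"@odata.type": "#microsoft.graph.builtInIdentityProvider",
     "displayName": "Email OTP", "identityProviderType": "EmailOTP"},
]}


def build_google_idp_payload(client_id: str, client_secret: str) -> dict:
    """Request body that registers Google as a social identity provider using
    the client ID and secret generated in the Google Developer project."""
    if not client_id or not client_secret:
        raise ValueError("client ID and secret are both required")
    return {"@odata.type": "microsoft.graph.socialIdentityProvider",
            "displayName": "Google", "identityProviderType": "Google",
            "clientId": client_id, "clientSecret": client_secret}


def external_providers(listing: dict) -> list:
    """(displayName, identityProviderType) of every social provider in a
    listing: the set of outside identity systems allowed to sign users in."""
    return [(p.get("displayName"), p.get("identityProviderType"))
            for p in listing.get("value", [])
            if p.get("@odata.type", "").endswith("socialIdentityProvider")]


def graph_request(method: str, url: str, body: Optional[dict] = None) -> dict:
    """Minimal Graph call; token and secret come from the environment only."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + os.environ["GRAPH_TOKEN"],
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if "GRAPH_TOKEN" in os.environ:
        graph_request("POST", GRAPH_IDP_URL, build_google_idp_payload(
            os.environ["GOOGLE_CLIENT_ID"], os.environ["GOOGLE_CLIENT_SECRET"]))
        listing = graph_request("GET", GRAPH_IDP_URL)
    else:
        listing = SAMPLE_LISTING  # offline audit of the constructed sample
    print("external providers:", external_providers(listing))
```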
We have also recently reported that Google is quietly developing a Windows credential provider that will allow users with Google accounts to login to Windows 10.
Once available, users will be able to install this "Google Credential Provider for Windows" to add Google account authentication to Windows 10 as a new sign-in option.
This new feature is currently under peer review on Chrome's Gerrit site, and like all experimental projects, may not ever make it into production.