This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 95%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Hi!
I'm trying to implement "federation between Google Workspace and Microsoft Entra ID" following this link:
https://video2.skills-academy.com/en-us/education/windows/configure-aad-google-trust
but I keep getting the error :
Get-MgDomainFederationConfiguration_List: Unable to find target address
Status: 500 (InternalServerError)
ErrorCode: InternalServerError
Date: 2023-11-24T08:47:52
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : aa60df35-81be-41ad-81ec-eed6e2cee7ce
client-request-id : cff7f6ae-af41-4b29-83ad-6b3cb266e6fd
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Switzerland North","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"ZR2PEPF000000D0"}}
Date : Fri, 24 Nov 2023 08:47:52 GMT
Any idea what am I doing wrong or how to debug?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Thank you for posting your query on Q&A.
could you please confirm have you verified and added your domain in the Microsoft Entra ID with the TXT or MX record type.
If not, please add and verify your domain by following this document and check if getting any error.
Yes, the domain has been verified. It's not primary and it is not federated though.
@Ammar Aganovic
Could please share the configured steps what you have followed. Also, may I know have you followed the correct configuration steps by using PowerShell.
Using the IdP metadata XML file downloaded from Google Workspace, modify the $DomainName variable in PowerShell script to match your environment, and then run it in a PowerShell session. Which as shows in the document.
https://video2.skills-academy.com/en-us/education/windows/configure-aad-google-trust#configure-microsoft-entra-id-as-a-service-provider-sp-for-google-workspace
OK, so I do have some progress. If my finding is right, only the primary domains can have a federation set up. I was trying to setup the federation on a domain that is secondary on google and non-primary on Azure side. And it failed. The test with the domain which is primary on both sides worked. So I guess that was the problem in the first place. Documentation doesn't mention anything about primary domains, so I'm still trying to find what the requirement is: primary only on google side, only on Azure side or on both sides.
And do you have any idea what Entra ID licenses auto provisioning triggers? So creating a user on Google triggers a user creation in Entra ID, but is it the free Entra ID license or is it the paid one? We will be using Power BI and Office for some users eventually, so I guess those users will have the required Entra ID license included, but what about the users without any additional licenses?
@Ammar Aganovic
Thank you for posting your query on Q&A.
I’m glad that you have some progress with the federation setup. the primary domain in Google Workspace is the one that is used to exchange the SAML token with Microsoft Entra ID. You need to make sure that the primary domain in Google Workspace matches the domain that you want to federate in Microsoft Entra ID.
If you have multiple domains in Google Workspace, you can change it to primary domain. Post which you would need to federate the new primary domain with Microsoft Entra ID. However, changing the primary domain might affect other Google services kindly check the documents from Google Workspace.
Auto-provisioning of users from external sources like Google to Entera ID did not require any license and it includes identity and access management free features.
However, features such as conditional access policies, self-service password reset, and other security reporting, may require licenses.
Users who need to use Power BI or Office applications will require additional licenses assigned to them in Entra ID.
I hope this answer helps! If you have any further questions, please feel free to ask.
Thanks,
Akhilesh.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
OK, thank you. So the domain needs to be primary in Google, but doesn't have to be primary in Azure, correct? Is there any reason this is not listed as a requirement? I wasted some 10 hours trying to figure out why it's not working.
In my case it is not possible to switch the required domain to primary because there is some meet hardware attached to the primary domain. I'm trying to solve it through tickets and loosing money on the meet license I now want to ditch before it expires just so I can make the primary domain switch, but it's a Google thing.
So if I understand the concept, if I don't turn auto-provisioning on, then I need to make sure to manually keep the accounts on both sides in sync (existing with matching unique attribute), right?
Yes, that’s correct. The domain needs to be primary in Google Workspace, but it does not have to be primary in Azure Active Directory. You can use any verified domain in Azure Active Directory as the federated domain for Microsoft Entra ID. However, you need to make sure that the domain is also verified in Google Workspace and that the users have email addresses with that domain.
The other side your understanding is correct, if you don’t turn on auto-provisioning, you will need to manually keep the accounts on both sides in sync. This means that you will need to ensure that the accounts exist on both sides with matching unique attributes. It is recommended to use auto-provisioning to automate the process of creating and updating user accounts in Microsoft Entra ID
Hi!
Are you sure the federation should work if initial domain (directory domain) doesn't match the primary Google and primary Azure domain?
I got an error message saying something about user not found in a domain that used to be a primary and is still a Azure Directory domain (I believe it's called "initial domain"). And I read something about not being able to change that domain.
I believe I figured it out. My problem is, there is an existing sync between onprem AD and Entra ID, and the sync fills in the parameter called "On-premises immutable ID" (with some unique value), and actually, it should be filled with Google workspace name. So it works with users provisioned from Google Workspace, but for all existing users I need to fix it with a powershell script.
Yes, the primary domain in Google Workspace is indeed used to exchange the SAML token with Microsoft Entra ID. It’s essential that the primary domain in Google Workspace matches the domain you want to federate in Microsoft Entra ID the domain needs to be primary in Google Workspace for federation with Microsoft Entra ID.
Reference: https://video2.skills-academy.com/en-us/education/windows/configure-aad-google-trust
https://cloud.google.com/architecture/identity/federating-gcp-with-azure-active-directory