News

Google IDs on Azure Active Directory B2B Service Now at 'General Availability'

• By Kurt Mackie
• 11/20/2019

Microsoft announced on Wednesday that users of the Google identity and access service can use their personal log-in IDs with the Azure Active Directory B2B (Business to Business) service to access resources as "guests."

That capability is now at the "general availability" commercial-release stage for organizations using the Azure AD B2B service. Back in August 2018, the ability to use Google IDs was just available at the preview stage for testing. The idea behind this Google ID federation approach is that business partners can access organizational resources using their existing Google IDs, and no Azure AD identity needs to be created beforehand.

Microsoft also added a few new features since the preview. The Azure AD B2B service also now works with @googlemail.com accounts, rather than just with @gmail.com accounts.

In addition, Microsoft Teams permits Google ID sign-ins for collaborations, which works with "desktop, web browser, iOS and Android" Teams clients, as well as tenant authentication portals, such as "teams.microsoft.com."

Google ID Federation
To permit Google ID federation for guest access, organizations using the Azure AD B2B service have to carry out some setup steps, as described in this Microsoft document. An organization's conditional access policies will apply to the guests, so if multifactor authentication (MFA) is used by an organization for employees, it'll apply to guests, as well.

There's a licensing caveat that applies to guests with the Azure B2B service when they touch paid Azure AD services. Organizations need to have the licenses to cover guests beyond a certain number, as explained in this Microsoft document:

With Azure Active Directory (Azure AD) business-to-business (B2B) collaboration, you can invite External Users (or "guest users") to use your paid Azure AD services. Some features are free, but for any paid Azure AD features, you can invite up to five guest users for each Azure AD edition license that you own for an employee or a non-guest user in your tenant.

MFA has been a paid Azure AD option. Microsoft, though, announced earlier this month that it planned to turn on MFA by default starting November for all new Azure AD tenants, making MFA a "free" option. 

Under the Azure AD B2B guest scenario, the granting of access to shared resources is carried out via an invitation-only process. Prospective users get sent an e-mail invitation with a PIN, which is used to gain network access. Guests don't get all of the access privileges of employees, though. For instance, they don't get their own OneDrive storage or Exchange mailbox, and they don't have licensing permissions to use Office client applications.

Outlook.com and Google Apps?
On top of that Google ID news, Microsoft may be planning to allow Google apps to appear in its browser-based Outlook.com e-mail service.

According to this article by Tom Warren of The Verge, Google apps such as Google Calendar, Google Drive and Gmail can be used within Outlook.com, although the capability is said to be currently at the test level. It's done by linking a Google account with an Outlook.com account, according to the article.