Share on facebook
Share on twitter
Share on linkedin
Share on email

Automatic Group Provisioning with Azure AD and Google Workspace Federation

Recently I was configuring federation between a customer’s Azure AD tenant and Google Workspace (formerly G-Suite). The customer required automatic user and group provisioning.

Following the Microsoft documentation, I had this set up relatively easily for automatic user provisioning, however when it came to groups, my in-scope groups would not sync.

Looking further into the documentation from Microsoft and Google, I found that Google requires all synced objects have an email address. As there is no email attribute on Azure AD security groups, they would not sync.

So, what to do? We could use mail-enabled security groups, but the only way to manage them is from Exchange Online, and I did not want the customer to have to manage auto-provisioned groups in this way.

The solution was relatively simple – modify attribute mappings to automatically create an email attribute of “” when we sync AD groups to Google Workspace.

  1. In Azure AD, select Enterprise Applications, Google Cloud / G Suite Connector by Microsoft.
  2. Under Users and Groups, ensure you have added the users and groups you want to sync.
  3. Under Provisioning, Edit attribute mappings for Group Provisioning.
  4. Select the “email” mapping and change mapping type to “Expression”.
  5. For expression enter Join(“@”, StripSpaces([displayName]), “”) and save changes.

Start the sync, and the AAD Security Groups you have scoped in the application will now be provisioned into Google Workspace. No need for mail-enabled groups!

[mailpoet_form id="1"]

Other Recent Blogs

Arinco trades as Arinco (VIC) Pty Ltd
and Arinco (NSW) Pty Ltd

All Rights Reserved


Level 9, 360 Collins Street, 
Melbourne VIC 3000

Level 3, 19 Bridge Street
Sydney NSW 2000

Get started on the right path to cloud success today. Our Crew are standing by to answer your questions and get you up and running.