Recently I was configuring federation between a customer's Azure AD tenant and Google Workspace (formerly G Suite). The customer required automatic user and group provisioning.
Following the Microsoft documentation, I had automatic user provisioning set up relatively easily; however, when it came to groups, the in-scope groups would not sync.
Looking further into the documentation from Microsoft and Google, I found that Google requires every synced object to have an email address. Azure AD security groups have no mail attribute, so they would not sync.
So, what to do? We could use mail-enabled security groups, but the only way to manage them is from Exchange Online, and I did not want the customer to have to manage auto-provisioned groups in this way.
The solution was relatively simple: modify the attribute mappings so that an email address is generated from each group's display name (for example groupname@customerdomain.com) when AD groups are synced to Google Workspace.
- In Azure AD, select Enterprise Applications, Google Cloud / G Suite Connector by Microsoft.
- Under Users and Groups, ensure you have added the users and groups you want to sync.
- Under Provisioning, Edit attribute mappings for Group Provisioning.
- Select the “email” mapping and change mapping type to “Expression”.
- For the expression enter Join("@", StripSpaces([displayName]), "customerdomain.com"), replacing customerdomain.com with a domain that is verified in the Google Workspace tenant, and save the changes.
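The expression above is evaluated by the provisioning service for every group in scope, and a display name that does not turn into a valid, unique address will fail to provision. The following is an added example (not part of the original post) that models the Azure AD expression functions Join() and StripSpaces() in Python, applies the post's mapping to a constructed list of group display names, and flags the two problems a practitioner runs into: local parts containing characters Google will reject, and two groups that collapse to the same address. The accepted-character set for the local part and the sample group names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Azure AD security group display names (not from the original post).
SAMPLE_GROUPS = [
    "Finance Users",
    "HR  Managers",
    "Sales (EMEA)",
    "finance users",
    "IT Admins",
]

# Placeholder domain, as used in the post's expression.
DOMAIN = "customerdomain.com"


def strip_spaces(value: str) -> str:
    """Models the provisioning function StripSpaces(): removes space characters only."""
    return value.replace(" ", "")


def join(separator: str, *parts: str) -> str:
    """Models the provisioning function Join(): concatenates parts with the separator between them."""
    return separator.join(parts)


def group_email(display_name: str, domain: str = DOMAIN) -> str:
    """Evaluates Join("@", StripSpaces([displayName]), "customerdomain.com") for one group."""
    return join("@", strip_spaces(display_name), domain)


# Assumption: Google accepts letters, digits, underscore, apostrophe, hyphen and
# interior dots in a group address local part; anything else is rejected.
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9_'\-]+(\.[A-Za-z0-9_'\-]+)*$")


def check_mapping(display_names):
    """Apply the mapping to each group and report what a sync would choke on.

    Returns (emails, problems): emails maps display name -> generated address,
    problems is a list of (display_name, reason) tuples.
    """
    emails = {}
    problems = []
    for name in display_names:
        email = group_email(name)
        local, _, _ = email.partition("@")
        if not LOCAL_PART_RE.match(local):
            problems.append((name, f"invalid local part {local!r}"))
        emails[name] = email

    # Addresses are case-insensitive, so names differing only in case or spacing collide.
    counts = Counter(e.lower() for e in emails.values())
    for name, email in emails.items():
        if counts[email.lower()] > 1:
            problems.append((name, f"duplicate address {email.lower()}"))
    return emails, problems


if __name__ == "__main__":
    emails, problems = check_mapping(SAMPLE_GROUPS)
    for name, email in emails.items():
        print(f"{name!r:20} -> {email}")
    for name, reason in problems:
        print(f"PROBLEM {name!r}: {reason}")
```

Run it against an export of the in-scope group display names before enabling the sync; anything reported as a problem needs the group renamed in Azure AD or a different mapping expression, since StripSpaces() does nothing about parentheses, commas, slashes or case.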
Start the sync, and the AAD security groups you have scoped in the application will now be provisioned into Google Workspace. No need for mail-enabled groups! Two caveats: the expression only removes spaces, so a group whose display name contains characters that are not valid in an email local part (parentheses, commas, slashes) will fail to provision, and two groups whose names differ only by spacing or case will collide on the same address. Because the address is derived from displayName, renaming a group in Azure AD also changes the address the sync expects on the Google side.