Merge pull request #8119 from paolomatarazzo/pm-20230404-federated-signin-updates

[EDU] Google workspace federation - update to use new PowerShell module
2025-05-13 05:47:23 +00:00 · 2023-04-04 16:02:45 -06:00 · 2023-04-04 16:02:45 -06:00 · c44ddaae89
commit c44ddaae89
parent 1f56c28c3b 753f3d1b3b
2 changed files with 37 additions and 32 deletions
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@ -1,7 +1,7 @@
 ---
 title: Configure federation between Google Workspace and Azure AD
 description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
-ms.date: 02/24/2023
+ms.date: 04/04/2023
 ms.topic: how-to
 appliesto:
 ---
@ -72,51 +72,56 @@ The configuration of Azure AD consists of changing the authentication method for
 Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in an elevated PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role.

 ```powershell
-Install-Module -Name MSOnline
-Import-Module MSOnline
+Install-Module Microsoft.Graph
+Import-Module Microsoft.Graph

-$DomainName = "<your domain name>"
+$domainId = "<your domain name>"

 $xml = [Xml](Get-Content GoogleIDPMetadata.xml)

 $cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
 $issuerUri = $xml.EntityDescriptor.entityID
-$logOnUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
-$LogOffUri = "https://accounts.google.com/logout"
-$brand = "Google Workspace Identity"
-Connect-MsolService
-$DomainAuthParams = @{
-    DomainName = $DomainName
-    Authentication = "Federated"
-    IssuerUri = $issuerUri
-    FederationBrandName = $brand
-    ActiveLogOnUri = $logOnUri
-    PassiveLogOnUri = $logOnUri
-    LogOffUri = $LogOffUri
-    SigningCertificate = $cert
-    PreferredAuthenticationProtocol = "SAMLP"
+$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
+$signoutUri = "https://accounts.google.com/logout"
+$displayName = "Google Workspace Identity"
+Connect-MGGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
+
+$domainAuthParams = @{
+  DomainId = $domainId
+  IssuerUri = $issuerUri
+  DisplayName = $displayName
+  ActiveSignInUri = $signinUri
+  PassiveSignInUri = $signinUri
+  SignOutUri = $signoutUri
+  SigningCertificate = $cert
+  PreferredAuthenticationProtocol = "saml"
+  federatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"
 }
-Set-MsolDomainAuthentication @DomainAuthParams
+
+New-MgDomainFederationConfiguration @domainAuthParams
 ```

 To verify that the configuration is correct, you can use the following PowerShell command:

 ```powershell
-Get-MsolDomainFederationSettings -DomainName $DomainName
+Get-MgDomainFederationConfiguration -DomainId $domainId |fl
 ```

 ```output
-ActiveLogOnUri                         : https://accounts.google.com/o/saml2/idp?<GUID>
-DefaultInteractiveAuthenticationMethod : 
-FederationBrandName                    : Google Workspace Identity
-IssuerUri                              : https://accounts.google.com/o/saml2?idpid=<GUID>
-LogOffUri                              : https://accounts.google.com/logout
-MetadataExchangeUri                    : 
-NextSigningCertificate                 : 
-OpenIdConnectDiscoveryEndpoint         : 
-PassiveLogOnUri                        : https://accounts.google.com/o/saml2/idp?idpid=<GUID>
-SigningCertificate                     : <BASE64 encoded certificate>
-SupportsMfa                            : 
+ActiveSignInUri                       : https://accounts.google.com/o/saml2/idp?idpid=<GUID>
+DisplayName                           : Google Workspace Identity
+FederatedIdpMfaBehavior               : acceptIfMfaDoneByFederatedIdp
+Id                                    : 3f600dce-ab37-4798-9341-ffd34b147f70
+IsSignedAuthenticationRequestRequired :
+IssuerUri                             : https://accounts.google.com/o/saml2?idpid=<GUID>
+MetadataExchangeUri                   :
+NextSigningCertificate                :
+PassiveSignInUri                      : https://accounts.google.com/o/saml2/idp?idpid=<GUID>
+PreferredAuthenticationProtocol       : saml
+PromptLoginBehavior                   :
+SignOutUri                            : https://accounts.google.com/logout
+SigningCertificate                    : <BASE64 encoded certificate>
+AdditionalProperties                  : {}
 ```

 ## Verify federated authentication between Google Workspace and Azure AD
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@ -1,7 +1,7 @@
 ---
 title: Configure federated sign-in for Windows devices
 description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
-ms.date: 03/15/2023
+ms.date: 04/04/2023
 ms.topic: how-to
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>