From 101175c5d58c699bf9886b4b1332cc80e5af693b Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 4 Apr 2023 16:00:16 -0400
Subject: [PATCH 1/3] update to use new PowerShell module

---
 .../windows/configure-aad-google-trust.md | 71 ++++++++++++++++---
 1 file changed, 62 insertions(+), 9 deletions(-)

diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index b6d4229e8f..d0141944c1 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -86,15 +86,15 @@ $LogOffUri = "https://accounts.google.com/logout"
 $brand = "Google Workspace Identity"
 Connect-MsolService
 $DomainAuthParams = @{
- DomainName = $DomainName
- Authentication = "Federated"
- IssuerUri = $issuerUri
- FederationBrandName = $brand
- ActiveLogOnUri = $logOnUri
- PassiveLogOnUri = $logOnUri
- LogOffUri = $LogOffUri
- SigningCertificate = $cert
- PreferredAuthenticationProtocol = "SAMLP"
+ DomainName = $DomainName
+ Authentication = "Federated"
+ IssuerUri = $issuerUri
+ FederationBrandName = $brand
+ ActiveLogOnUri = $logOnUri
+ PassiveLogOnUri = $logOnUri
+ LogOffUri = $LogOffUri
+ SigningCertificate = $cert
+ PreferredAuthenticationProtocol = "SAMLP"
 }
 Set-MsolDomainAuthentication @DomainAuthParams
 ```
@@ -119,6 +119,59 @@ SigningCertificate :
 SupportsMfa :
 ```

+```powershell
+Install-Module Microsoft.Graph
+Import-Module Microsoft.Graph
+
+$domainId = ""
+
+$xml = [Xml](Get-Content GoogleIDPMetadata.xml)
+
+$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
+$issuerUri = $xml.EntityDescriptor.entityID
+$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
+$signoutUri = "https://accounts.google.com/logout"
+$displayName = "Google Workspace Identity"
+Connect-MGGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
+
+$domainAuthParams = @{
+ DomainId = $domainId
+ IssuerUri = $issuerUri
+ DisplayName = $displayName
+ ActiveSignInUri = $signinUri
+ PassiveSignInUri = $signinUri
+ SignOutUri = $signoutUri
+ SigningCertificate = $cert
+ PreferredAuthenticationProtocol = "saml"
+ federatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"
+}
+
+New-MgDomainFederationConfiguration @domainAuthParams
+```
+
+To verify that the configuration is correct, you can use the following PowerShell command:
+
+```powershell
+Get-MgDomainFederationConfiguration -DomainId $domainId |fl
+```
+
+```output
+ActiveSignInUri : https://accounts.google.com/o/saml2/idp?idpid=
+DisplayName : Google Workspace Identity
+FederatedIdpMfaBehavior : acceptIfMfaDoneByFederatedIdp
+Id : 3f600dce-ab37-4798-9341-ffd34b147f70
+IsSignedAuthenticationRequestRequired :
+IssuerUri : https://accounts.google.com/o/saml2?idpid=
+MetadataExchangeUri :
+NextSigningCertificate :
+PassiveSignInUri : https://accounts.google.com/o/saml2/idp?idpid=
+PreferredAuthenticationProtocol : saml
+PromptLoginBehavior :
+SignOutUri : https://accounts.google.com/logout
+SigningCertificate :
+AdditionalProperties : {}
+```
+
 ## Verify federated authentication between Google Workspace and Azure AD

 From a private browser session, navigate to https://portal.azure.com and sign in with a
Google Workspace account:

From 163b726a22e8abf2dc5b34f895592a5244b6efe4 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 4 Apr 2023 17:11:17 -0400
Subject: [PATCH 2/3] updates

---
 .../windows/configure-aad-google-trust.md | 48 -------------------
 1 file changed, 48 deletions(-)

diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index d0141944c1..a1adf8c6bc 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
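Review bot: `federatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"` in the new `$domainAuthParams` block of the first patch's `@@ -119,6 +119,59 @@` hunk is a trust decision that the page never explains: with this value Azure AD treats the IdP's claim that MFA was performed as satisfying its own MFA requirements, so Conditional Access MFA policies for these users are only as strong as what Google Workspace asserts. A sentence above the script should say so and name `rejectMfaByFederatedIdp` as the value for tenants that want Azure AD to always perform MFA itself. The prose that precedes the script (visible as context in the second patch) still tells the reader to modify the `$DomainName` variable, but the new script's placeholder is `$domainId = ""`; the reference should be updated to `$domainId`. `Connect-MGGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"` appears to consent to more than `New-MgDomainFederationConfiguration` needs; unless the second scope is required by a step on this page, dropping it keeps the delegated consent at least privilege. `Install-Module Microsoft.Graph` is unpinned, so adding `-RequiredVersion` with the version the page was tested against would make the elevated install reproducible.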
@@ -71,54 +71,6 @@ Now that the app is configured, you must enable it for the users in Google Works
 The configuration of Azure AD consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\
 Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in an elevated PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role.

-```powershell
-Install-Module -Name MSOnline
-Import-Module MSOnline
-
-$DomainName = ""
-
-$xml = [Xml](Get-Content GoogleIDPMetadata.xml)
-
-$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
-$issuerUri = $xml.EntityDescriptor.entityID
-$logOnUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
-$LogOffUri = "https://accounts.google.com/logout"
-$brand = "Google Workspace Identity"
-Connect-MsolService
-$DomainAuthParams = @{
- DomainName = $DomainName
- Authentication = "Federated"
- IssuerUri = $issuerUri
- FederationBrandName = $brand
- ActiveLogOnUri = $logOnUri
- PassiveLogOnUri = $logOnUri
- LogOffUri = $LogOffUri
- SigningCertificate = $cert
- PreferredAuthenticationProtocol = "SAMLP"
-}
-Set-MsolDomainAuthentication @DomainAuthParams
-```
-
-To verify that the configuration is correct, you can use the following PowerShell command:
-
-```powershell
-Get-MsolDomainFederationSettings -DomainName $DomainName
-```
-
-```output
-ActiveLogOnUri : https://accounts.google.com/o/saml2/idp?
-DefaultInteractiveAuthenticationMethod :
-FederationBrandName : Google Workspace Identity
-IssuerUri : https://accounts.google.com/o/saml2?idpid=
-LogOffUri : https://accounts.google.com/logout
-MetadataExchangeUri :
-NextSigningCertificate :
-OpenIdConnectDiscoveryEndpoint :
-PassiveLogOnUri : https://accounts.google.com/o/saml2/idp?idpid=
-SigningCertificate :
-SupportsMfa :
-```
-
 ```powershell
 Install-Module Microsoft.Graph
 Import-Module Microsoft.Graph

From acfa47630644e0fc1eeca3083c765bf1554ff272 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 4 Apr 2023 17:32:31 -0400
Subject: [PATCH 3/3] date update

---
 education/windows/configure-aad-google-trust.md | 2 +-
 education/windows/federated-sign-in.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index a1adf8c6bc..d96b7414ca 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,7 +1,7 @@
 ---
 title: Configure federation between Google Workspace and Azure AD
 description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
-ms.date: 02/24/2023
+ms.date: 04/04/2023
 ms.topic: how-to
 appliesto:
 ---
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 28ba477eec..7eccc722a0 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -1,7 +1,7 @@
 ---
 title: Configure federated sign-in for Windows devices
 description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
-ms.date: 03/15/2023
+ms.date: 04/04/2023
 ms.topic: how-to
 appliesto:
 - ✅ Windows 11