Integrating Azure AD and G-Suite – Google API Integration Part 1

Posted on February 3, 2018 by mattfeltonma

Hi everyone,

Welcome to the second post in my series on the integration between Azure Active Directory (Azure AD) and Google’s G-Suite (formally named Google Apps). In my first entry I covered the single sign-on (SSO) integration between the two solutions. This included a brief walkthrough of the configuration and an explanation of how the SAML protocol is used by both solutions to accomplish the SSO user experience. I encourage you to read through that post before you jump into this.

So we have single sign-on between Azure AD and G-Suite, but do we still need to provision the users and group into G-Suite? Thanks to Google’s Directory Application Programming Interface (API) and Azure Active Directory’s (Azure AD) integration with it, we can get automatic provisioning into G-Suite . Before I cover how that integration works, let’s take a deeper look at Google’s Cloud Platform (GCP) and its API.

Like many of the modern APIs out there today, Google’s API is web-based and robust. It was built on Google’s JavaScript Object Notation (JSON)-based API infrastructure and uses Open Authorization 2.0 (OAuth 2.0) to allow for delegated access to an entities resources stored in Google. It’s nice to see vendors like Microsoft and Google leveraging standard protocols for interaction with the APIs unlike some vendors… *cough* Amazon *cough*. Google provides software development kits (SDKs) and shared libraries for a variety of languages.

Let’s take a look at the API Explorer. The API Explorer is a great way to play around with the API without the need to write any code and to get an idea of the inputs and outputs of specific API calls. I’m first going to do something very basic and retrieve a listing of users in my G-Suite directory. Once I access the API explorer I hit the All Versions menu item and select the Admin Directory API.

On the next screen I navigate down to the directory.users.list method and select it. On the screen that follows I’m provided with a variety of input fields. The data I input into these fields will affect what data is returned to me from the API. I put the domain name associated with my G-Suite subscription and hit the Authorize and Execute button. A new window pops up which allows me to configure which scope of access I want to grant the API Explorer. I’m going to give it just the scope of https://www.googleapis.com/auth/admin.directory.user.readonly.

I then hit the Authorize and Execute button and I’m prompted to authenticate to Google and delegate API Explorer to access data I have permission to access in my G-Suite description. Here I plug in the username and password for a standard user who isn’t assigned to any G-Suite Admin Roles.

After successfully authenticating, I’m then prompted for consent to delegate API Explorer to view the users configured in the user’s G-Suite directory.

I hit the allow button, the request for delegated access is complete, and a listing of users within my G-Suite directory are returned in JSON format.

Easy right? How about we step it up a notch and create a new user. For that operation I’ll be delegating access to API Explorer using an account which has been granted the G-Suite User Management Admin role. I navigate back to the main list of methods and choose the directory.users.insert method. I then plug in the required values and hit the Authorize and Execute button. The scopes menu pops up and I choose the https://www.googleapis.com/auth/admin.directory.user scope to allow for provisioning of the user and then hit the Authorize and Execute button. The request is made and a successful response is returned.

Navigating back to G-Suite and looking at the listing of users shows the new user Marge Simpson as appearing as created.

Now that we’ve seen some simple samples using API Explorer let’s talk a bit about how you go about registering an application to interact with Google’s API as well as covering some basic Google Cloud Platform (GCP) concepts.

First thing I’m going to do is navigate to Google’s Getting Started page and create a new project. So what is a project? This took a bit of reading on my part because my prior experience with GCP was non-existent. Think of a Google Project like an Amazon Web Services (AWS) account or a Microsoft Azure Subscription. It acts as a container for billing, reporting, and organization of GCP resources. Projects can be associated with a Google Cloud Organization (similar to how multiple Azure subscriptions can be associated with a single Microsoft Azure Active Directory (Azure AD) tenant) which is a resource available for a G-Suite subscription or Google Cloud Identity resource. The picture below shows the organization associated with my G-Suite subscription.

Now that we have the concepts out of the way, let’s get back to the demo. Back at the Getting Started page, I click the Create a new project button and authenticate as the super admin for my G-Suite subscription. I’ll explain why I’m using a super admin later. On the next screen I name the project JOG-NET-CONSOLE and hit the next button.

The next screen prompts me to provide a name which will be displayed to the user when the user is prompted for consent in the instance I decide to use an OAuth flow which requires user consent.

Next up I’m prompted to specify what type of application I’m integrated with Google. For this demonstration I’ll be creating a simple console app, so I’m going to choose Web Browser simply to move forward. I plug in a random unique value and click Create.

After creation is successful, I’m prompted to download the client configuration and provided with my Client ID and Client Secret. The configuration file is in JSON format that provides information about the client’s registration and information on authorization server (Google’s) OAuth endpoints. This file can be consumed directly by the Google API libraries when obtaining credentials if you’re going that route.

For the demo application I’m building I’ll be using the service account scenario often used for server-to-server interactions. This scenario leverages the OAuth 2.0 Client Credentials Authorization Grant flow. No user consent is required for this scenario because the intention of the service account scenario is it to access its own data. Google also provides the capability for the service account to be delegated the right to impersonate users within a G-Suite subscription. I’ll be using that capability for this demonstration.

Back to the demo…

Now that my application is registered, I now need to generate credentials I can use for the service account scenario. For that I navigate to the Google API Console. After successfully authenticating, I’ll be brought to the dashboard for the application project I created in the previous steps. On this page I’ll click the Credentials menu item.

The credentials screen displays the client IDs associated with the JOG-NET-CONSOLE project. Here we see the client ID I received in the JSON file as well as a default one Google generated when I created the project.

Next up I click the Create Credentials button and select the Service Account key option. On the Create service account key page I provide a unique name for the service account of Jog Directory Access.

The Role drop down box relates to the new roles that were introduced with Google’s Cloud IAM.

You can think of Google’s Cloud IAM as Google’s version of Amazon Web Services (AWS) IAM or Microsoft’s Azure Active Directory in how the instance is related to the project which is used to manage the GCP resources. When a new service account is created a new security principal representing the non-human identity is created in the Google Cloud IAM instance backing the project.

Since my application won’t be interacting with GCP resources, I’ll choose the random role of Logs Viewer. When I filled in the service account name the service account ID field was automatically populated for me with a value. The service account ID is unique to the project and represents the security principal for the application. I choose the option to download the private key as a PKCS12 file because I’ll be using the System.Security.Cryptography.X509Certificates namespace within my application later on. Finally I click the create button and download the PKCS12 file.

The new service account now shows in the credential page.

Navigating to the IAM & Admin dashboard now shows the application as a security principal within the project.

I now need to enable the APIs in my project that I want my applications to access. For this I navigate to the API & Services dashboard and click the Enable APIs and Services link.

On the next page I use “admin” as my search term, select the Admin SDK and click the Enable button. The API is now enabled for applications within the project.

From here I navigate down to the Service accounts page and edit the newly created service account.

At this point I’ve created a new project in GCP, created a service account that will represent the demo application, and have given that application the right to impersonate users in my G-Suite directory. I now need to authorize the application to access the G-Suite’s data via Google’s API. For that I switch over to the G-Suite Admin Console and authenticate as a super admin and access the Security dashboard. From there I hit the Advanced Setting option and click the Manage API client access link.

On the Manage API client access page I add a new entry using the client ID I pulled previously and granting the application access to the https://www.googleapis.com/auth/admin.directory.user.readonly scope. This allows the application to impersonate a user to pull a listing of users from the G-Suite directory.

Whew, a lot of new concepts to digest in this entry so I’ll save the review of the application for the next entry. Here’s a consumable diagram I put together showing the relationship between GCP Projects, G-Suite, and a GCP Organization. The G-Suite domain acts as a link to the GCP projects. The G-Suite users can setup GCP projects and have a stub identity (see my first entry LINK) provisioned in the project. When an service account is created in a project and granted G-Suite Domain-wide Delegation, we use the Client ID associated with the service account to establish an identity for the app in the G-Suite domain which is associated with a scope of authorized access.

In this post I covered some basic GCP concepts and saw that the concepts are very similar to both Microsoft and AWS. I also covered the process to create a service account in GCP and how all the pieces come together to programmatic access to G-Suite resources. In my next entry I’ll demo some simple .NET applications and walk through the code.

Have a great weekend and go Pats!

Integrating Azure AD and G-Suite – Single Sign-On

Posted on January 24, 2018 by mattfeltonma

Hi everyone,

After working through the Azure Active Directory (AD) and Amazon Web Services (AWS) integration I thought it’d be fun to do the same thing with Google Apps. Google provides a generic tutorial for single sign-on that is severely lacking in details. Microsoft again provides a reasonable tutorial for integrating Azure AD and Google Apps for single sign-on. Neither gives much detail about what goes on behind the scenes or provides the geeky details us technology folk love. Where there is a lack of detail there is a blogging opportunity for Journey Of The Geek.

In my previous post I covered the benefits of introducing Azure AD as an Identity-as-a-Service (IDaaS) component to Software-as-a-Service (SaaS) integrations. Read the post for full details but the short of it is the integration gives you value-added features such as multifactor authentication with Azure Multifactor Authentication (MFA), adaptive authentication with Azure AD Identity Protection, contextual authorization with Azure AD Conditional Access, and cloud access security broker (CASB) functionality through Cloud App Security. Supplementing Google Apps with these additional capabilities improves visibility, security, and user experience. Wins across the board, right?

I’m going to break the integration into a series of posts with the first focusing on single sign-on (SSO). I’ll follow up with a post exploring the provisioning capabilities Azure AD introduces as well as playing around with Google’s API. In a future post I’ll demonstrate what Cloud App Security can bring to the picture.

Let’s move ahead with the post, shall we?

The first thing I did was to add the Google Apps application to Azure AD through the Azure AD blade in the Azure Portal. Once the application was added successfully I navigated to the Single sign-on section of the configuration. Navigate to the SAML Signing Certification section and click the link to download the certificate. This is the certificate Azure AD will be using to sign the SAML assertions it generates for the SAML trust. Save this file because we’ll need it for the next step.

I next signed up for trial subscription of Google’s G Suite Business. This plan comes with a identity store, email, cloud storage, the Google productivity suite, and a variety of other tools and features. Sign up is straightforward so I won’t be covering it. After logging into the Google Admin Console as my newly minted administrator the main menu is displayed. From here I select the Security option.

Once the Security page loads, I select the Set up single sign-on (SSO) menu to expand the option. Google will be playing the role of the service provider, so I’ll be configuring the second section. Check the box to choose to Setup SSO with third party identity provider. Next up you’ll need to identify what your specific SAML2 endpoint is for your tenant. The Microsoft article still references the endpoint used with the old login experience that was recently replaced. You’ll instead want to use the endpoint https://login.microsoftonline.com/<tenantID>/saml2. You’ll populate that endpoint for both the Sign-In and Sign-Out URLs. I opted to choose the domain specific issuer option which sets the identifier Google identifies itself as in the SAML authentication request to include the domain name associated with the Google Apps account. You would typically use this if you had multiple subscriptions of Google Apps using the same identity provider. The final step is upload the certificate you downloaded from Azure AD. At this point Google configured to redirect users accessing Google Apps (exempting the Admin Console) to Azure AD to authenticate.

Now that Google is configured, we need to finish the configuration on Azure AD’s end. If you follow the Microsoft tutorial at this point you’re going to run into some issues. In the previous step I opted to use a domain specific issuer, so I’ll need to set the identifier to google.com/a/geekintheweeds.com. For the user identifier I’ll leave the default as the user’s user principal name since it will match the user’s identifier in Google. I also remove the additional attributes Azure AD sends by default since Google will discard them anyway. Once the settings are configured hit the Save button.

Now that both the IdP and SP have been created, it’s time to create a user in Google App to represent my user that will be coming from Azure AD. I refer to this as a “stub user” as it is a record that represents my user who lives authoritatively in Azure Active Directory. For that I switch back to the Google Admin console, click the User’s button, and click the button to create a new user.

Earlier I created a new user in Azure AD named Michael Walsh that has a login ID of michael.walsh@geekintheweeds.com. Since I’ll be passing the user’s user principal name (UPN) from Azure AD, I’ll need to set the user’s Google login name to match the user’s UPN.

I then hit the Create button and my new user is created. You’ll need that Google assigns the user a temporary password. Like many SaaS solutions Google maintains a credential associated with the user even when the user is configured to use SSO via SAML. Our SP and IdP are configured and the stub user is created in Google, so we’re good to test it out.

I open up Edge and navigate to the Google Apps login page, type in my username, and click the Next button.

I’m then redirect to the Microsoft login page where I authenticate using my Azure AD credentials and hit the sign in button.

After successfully authenticating to Azure AD, I’m redirected back to Google and logged in to my newly created account.

So what happened in the background to make the magic happen? Let’s take a look at a diagram and break down the Fiddler conversation.

The diagram above outlines the simple steps used to achieve the user experience. First the user navigates to the Google login page (remember SP-initiated SSO), enters his or her username, and is sent back an authentication request seen below extracted from Fiddler with instructs to deliver it back to the Azure AD endpoint for our tenant.

The user then authenticates to Azure AD and receives back a SAML response with instructions to deliver it back to Google. The user’s browser posts the SAML assertion to the Google endpoint and the user is successfully authenticated to Google.

Simple right? In comparison to the AWS integration from an SSO-perspective, this was much more straightforward. Unlike the AWS integration, it is required to have a stub user for the user in Google Apps prior to using SSO. This means there is some provisioning work to perform… or does it? Azure AD’s integration again offers some degree of “provisioning”. In my next post I’ll explore those capabilities and perform some simple actions inside Google’s API.

See you next post!

Office 365 Group Naming Policies – Part 2

Posted on January 17, 2018 by mattfeltonma

Welcome back.

In my first post I covered some of the methods organizations use to enforce a naming standard for groups, such as Active Directory groups, that are used to authorize access to data. I also covered the challenges that are introduced when a mechanism for enforcing the naming standard doesn’t exist or isn’t effective and how this problem is becoming more prevalent with the increase in consumption of software-as-a-service applications.

Office 365 Groups are a core foundational component of Office 365 helping to enable simple, fast, and efficient collaboration within an organization. For an organization to take full advantage of this, its end users need to be empowered to spin up Office 365 groups for mail-based collaboration or create new Teams for real-time collaboration. To make this work, IT can’t get in the way of the business and needs to let the business spin up and down Office 365 Groups as it needs them. Microsoft has introduced a number of solutions to help with this including group expiration, integration with Office 365 retention policies, and the feature I’ll cover today, naming policies.

The naming policy feature is still in private preview but today I’m going to show you how to test the feature in your own tenant. As a point of reference, I’m using a set of trial O365 E5 and Azure AD Premium P2 licenses within the commercial offering of Office 365 for my testing. I can’t speak to whether or not the instructions below will work for Office 365 GCC or Office 365 Government.

The first thing I needed to do was install the Azure AD Preview module. To do this I had to first remove the existing Azure AD module I had installed on my system and then install the Azure AD Preview module as seen below.

Comparing the modules using a get-command shows that the preview module has the new cmdlets below.

Add-AzureADAdministrativeUnitMember
Add-AzureADApplicationPolicy
Add-AzureADMSLifecyclePolicyGroup
Add-AzureADScopedRoleMembership
Add-AzureADServicePrincipalPolicy
Get-AzureADAdministrativeUnit
Get-AzureADAdministrativeUnitMember
Get-AzureADApplicationPolicy
Get-AzureADDirectorySetting
Get-AzureADDirectorySettingTemplate
Get-AzureADMSDeletedDirectoryObject
Get-AzureADMSDeletedGroup
Get-AzureADMSGroup
Get-AzureADMSGroupLifecyclePolicy
Get-AzureADMSLifecyclePolicyGroup
Get-AzureADObjectSetting
Get-AzureADPolicy
Get-AzureADPolicyAppliedObject
Get-AzureADScopedRoleMembership
Get-AzureADServicePrincipalPolicy
New-AzureADAdministrativeUnit
New-AzureADDirectorySetting
New-AzureADMSGroup
New-AzureADMSGroupLifecyclePolicy
New-AzureADObjectSetting
New-AzureADPolicy
Remove-AzureADAdministrativeUnit
Remove-AzureADAdministrativeUnitMember
Remove-AzureADApplicationPolicy
Remove-AzureADDirectorySetting
Remove-AzureADMSDeletedDirectoryObject
Remove-AzureADMSGroup
Remove-AzureADMSGroupLifecyclePolicy
Remove-AzureADMSLifecyclePolicyGroup
Remove-AzureADObjectSetting
Remove-AzureADPolicy
Remove-AzureADScopedRoleMembership
Remove-AzureADServicePrincipalPolicy
Reset-AzureADMSLifeCycleGroup
Restore-AzureADMSDeletedDirectoryObject
Set-AzureADAdministrativeUnit
Set-AzureADDirectorySetting
Set-AzureADMSGroup
Set-AzureADMSGroupLifecyclePolicy
Set-AzureADObjectSetting
Set-AzureADPolicy

The cmdlets we’re interested in for this demonstration are the used to create and manage a new Graph API resource type called a directorySetting. The resource type is used to configure settings within Azure Active Directory. The directorySetting resource types are created from a template of configuration settings called a directorySettingTemplate resource type. Running the cmdlet Get-AzureADDirectorySettingTemplate displays the available to build a custom directorySetting from.

After connection to Azure AD using the Connect-AzureAD cmdlet, I can take a look at the templates available. The template I’m interested in for this blog is the Group.Unified template because it contains the settings for the naming policy as seen below.

Now that I’ve identified the template I want to draw from for a new directorySetting, I’m going to create a variable named $template and assign the Group.Unified template to it. Running a quick Get-Member on the newly assigned displays a method named CreateDirectorySetting. I’ll use this method to create a new instance of a directorySetting resource type based off the template and assign it to a variable named $setting.

If I run a Get-Member on $setting I can see that I’ve created a new instance of the directorySetting resource type which has the settings inherited from the Group.Unified template with some of those settings being configured with default values.

You’ll want to pay attention to these default values because once the settings become active for the tenant and seem to override settings configured within the GUI. For example, if you are denying users the ability to create new Office 365 groups via the configuration setting in the Azure Active Directory blade in the Azure Portal, leaving the EnableGroupCreation setting as true will override that. I’m not sure that is the intended behavior, but hey this is still preview right?

The next step is to configure the PrefixSuffixNamingRequirement setting with the naming convention I want enforced across my tenant. This Microsoft article does a good job explaining your options and the syntax. I went with a simple naming convention of including the fixed string “JOG” along with the value from the user’s department attribute in Azure Active Directory followed by the string value the user chooses for the group name.

Checking the values property of the $setting shows that the PrefixSuffixNamingRequirement is now populated with the value I entered above.

Now that the settings has been configured I make it active by using the New-AzureADDirectorySetting cmdlet and including the $setting directory object as input.

I then log into the Office 365 portal as a standard user and navigate to Outlook Web App and attempt to create a new Office 365 group. All new groups are now created using the naming convention I defined and it’s displayed clearly to the end users.

Hopefully Microsoft will refine the documentation as the feature moves out of preview and into general availability. I also think this is a simple and static setting that would make sense to configurable from the GUI. I’d also like to see the settings configurable with the directorySetting resource type be in sync with any corresponding settings in the GUI to avoid confusion.

That’s all there is to it. Overall it’s a very simple yet elegant solution that solves naming convention woes while giving the business freedom to collaborate without having to go through IT. You can’t beat that.

Thanks!

Office 365 Groups Naming Policies – Part 1

Posted on January 15, 2018 by mattfeltonma

Groups… It’s a term every business user consuming technology has heard at some point in time. Most users only experience groups when they’re unable to access a specific application or file and the coworker sitting next to them informs them they need to call IT and get added to the department group. Those of us who work on the technology side of the fence are very familiar with the benefits groups bring to the table when controlling access to data. We are also quite familiar with the challenges they can bring when managing them at scale.

Something as simple as a lack of an enforced naming convention can create serious pain for an organization if it relies heavily upon the naming convention to determine the function and owner of a group. The pain bleeds through IT and into the business as workers struggle with long wait times for on-boarding new employees due to IT trying to determine which groups the users need to be in. When it comes time to perform an access review, business owners may waste valuable time trying to determine if removing an employee from a specific group will impact that employee’s ability to fulfill their job responsibilities.

In the on-premises world organizations deal with the challenge of naming conventions in different ways. Most rely upon first or second level help desk to create groups according to the organization’s naming standard. This method introduces the risk of human error and presents challenges when the group information for a particular application is sourced from a variety of different identity backends which force the staff to learning multiple tools. Others make use of identity management (IDM) systems that automate the creation of groups and enforce the naming convention. This method is very effective but also very costly due to high costs in implementing and operating an IDM. A very small minority of organizations have evolved to the point where the naming conventions are no longer important due to robust reporting systems and entitlement databases.

Very few organizations are able to successfully execute the third method, which leaves them with the first or second. The introduction of the software-as-a-service (SaaS) has made the first and second methods of enforcing a naming convention much more complicated. Using the first method of leveraging help desk staff to create the groups manually is no longer scalable and the second method of using a centralized IDM system is often limited by the vendor’s ability to write connectors to the wide variety of APIs in use across the thousands of SaaS vendors. All is not lost, as it seems some vendors have begun to recognize the challenge this can introduce to their customers.

If your organization is a consumer of Office 365, you’ve more than likely begun to use Office 365 Groups. Office 365 groups offer a variety of features not found in the traditional security/distribution group or shared mailbox. Take a look at this link for a comparison chart that documents the features. One important thing to note is Office 365 Groups can only be only created in Azure Active Directory (AAD). You cannot synchronize an on-premises Active Directory Domain Services security or distribution group to AAD and convert it to an Office 365 Group. This means you can’t leverage an existing solution for enforcing naming conventions unless that solution has a connector into Azure AD. Given features Office 365 provide and that they are the construct used by Microsoft Teams, you may make the decision to allow your users to create Office 365 Groups on the fly in order to allow them to take full advantage of collaboration tools available in Office 365. To quote Peter Venkman, “Human sacrifice, dogs and cats living together… mass hysteria!”.

Calm down my friend. Microsoft has a solution coming in the pipeline that will solve your Office 365 Groups naming convention woes. In my next post I’ll demonstrate the feature and walkthrough how to test the feature out while it is in preview.

Journey Of The Geek

The chronicles of a Bostonian tech geek navigating through life and technology

Tag Archives: Microsoft

Integrating Azure AD and G-Suite – Single Sign-On

Office 365 Group Naming Policies – Part 2

Office 365 Groups Naming Policies – Part 1