Does your organization use G Suite or Google Apps? Do you have these requirements?
- Audit activity occurring in G Suite (user logons/logoffs, settings changed, files modified, etc)
- Audit file activity? (what files are being accessed, from where, how they are being accessed, etc)
- Govern how G Suite is accessed? (Only from a managed device? Only from a managed network? Don’t allow download from a non-managed computer?)
- Scan files in G Suite for sensitive data?
- And more!
In this blog we will explore how Microsoft Cloud App Security (CAS), part of Microsoft 365, can help you meet these requirements. For more information on connecting G Suite to CAS, see this article. Let’s get started!
Note: Neither Microsoft, Matt Soseman, nor this blog assumes any responsibility or offers any warranty as a result of following the instructions in this blog. This requires enabling and modifying APIs. Use at your own risk.
Configure G Suite within Microsoft Cloud App Security:
From within Cloud App Security, click Investigate then select Connected Apps:
Click the + sign and select G Suite:
Type in a name and click Connect G Suite:
We need to pull the appropriate details from G Suite. Open a new browser instance and navigate to your G Suite admin portal using your admin credentials:
Once signed in, navigate to https://cloud.google.com/console/project and click Create Project:
Give the project a name and click Create Project
Click Google Cloud Platform then click Go To APIs Overview:
Click API Library and enable the following APIs:
Back on the APIs and Services screen, click Credentials, click the OAuth Consent Screen, then in Application Name type Microsoft Cloud App Security and click Save:
Back on the Credentials tab click Create Credentials and select Service Account Key:
Configure the Service Account Key and click Create. Copy the secret to a scratchpad area. Download the certificate.
Back on the Credentials screen click Manage Service Accounts
Edit the Service Account:
Check the box next to Enable G Suite Domain Wide Delegation and click Save:
In the search box at the top type Google Drive API and press Enter
Click on Drive UI Integration, and configure using the following parameters (you can get the icons from here) and click Save Changes when finished:
In the search box type G Suite Marketplace SDK and press Enter
On the Configuration tab, copy the Project Number to a scratch pad area:
Upload the same icons you used previously, and configure the following URLs:
Configure the following URL scopes:
Under Visibility select My Domain and click Save Changes:
Browse back to
Did you know Azure Active Directory can provide Single Sign-On (SSO) to G-Suite (Google Apps)? In this blog, we will explore how to set this up from both the Azure AD side and also the G-Suite side.
Once SSO is configured, consider creating policies for Conditional Access to govern how G-Suite is accessed (e.g. only from a managed device, specific network, monitor for threats of the credentials such as for sale on the dark web, etc). For more information on G-Suite and Azure AD integration for SSO, see Tutorial: Azure Active Directory integration with G Suite
Note: SSO for up to 10 apps comes with the free version of AzureAD. For additional capability, P1 or P2 may be required. See Azure Active Directory pricing for more information.
Also Important: Once SSO is enabled in G-Suite, only Azure AD credentials will be authorized for sign-in; legacy credentials (i.e. G-Suite credentials) will no longer be authorized. If the user is on a Windows 10 device that is Azure AD joined (AADJ), they will not need to type in their password to access G-Suite: SSO from Windows 10 will automatically be available.
Add G-Suite to Azure AD and configure it:
From within the Azure portal navigate to Azure Active Directory -> Enterprise Applications -> New Application and search for G Suite then click Add:
Once added, click Single Sign-on and click SAML
Edit the Basic SAML Configuration by clicking the pencil icon:
Configure using the following parameters:
Click Save. For User Attributes & Claims click the pencil icon:
Add a new claim:
Go back to the main SAML SSO configuration page, and download the base64 certificate for SAML Signing Certificate:
Copy the following URLs to a scratch pad, we’ll use these to configure G-Suite:
Setup G-Suite for SSO:
See this article for more information on configuring G-Suite for SSO. From within G-Suite navigate to Admin -> Security -> Setup SSO. Paste the URLs you copied in the last step into the SSO configuration, upload the certificate you downloaded previously, check the box for Use a domain specific issuer, and then click Save:
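When the sign-in does not work after these steps, the usual cause is a mismatch between the values pasted on the two sides: the Identifier configured in Azure AD versus the Audience Google expects, or the Azure AD Identifier versus the Issuer in the assertion. The following Python script is an added example, not part of this blog and not code from either Microsoft or Google: it decodes a SAMLResponse (as captured from the browser's developer tools during a sign-in) and reports findings on issuer, audience, validity window, NameID format and whether the assertion carries a signature. It assumes the Azure AD issuer format https://sts.windows.net/<tenant-id>/ and, with "use a domain specific issuer" checked, the Google audience google.com/a/<domain>; the tenant ID, the user and the two sample responses are constructed. It only checks that a signature element is present; cryptographic verification needs an XML-DSig library such as python3-saml.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values copied from the Azure AD SAML page and the G Suite SSO settings.
# The tenant ID is a constructed placeholder; the domain is the one used in the blog.
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
EXPECTED_AUDIENCE = "google.com/a/soseman.org"


def _saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(saml_response_b64, expected_issuer, expected_audience, now=None):
    """Decode a base64 SAMLResponse and return a list of findings; empty means all checks passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("response carries no plaintext Assertion (encrypted or missing)")
        return findings

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"issuer {issuer!r} != expected {expected_issuer!r}")

    # Google requires a signed response/assertion; only presence is checked here.
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        findings.append("assertion is not signed")

    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        findings.append(f"audience {audience!r} != expected {expected_audience!r}")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _saml_time(not_before):
            findings.append(f"assertion not yet valid (NotBefore {not_before})")
        if not_on_or_after and now >= _saml_time(not_on_or_after):
            findings.append(f"assertion expired (NotOnOrAfter {not_on_or_after})")

    # G Suite matches the user by primary email, so the NameID must be an email address.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or "@" not in name_id:
        findings.append(f"NameID {name_id!r} is not an email address")
    return findings


def b64(xml_text):
    """Encode an XML string the way a browser posts it in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


# Constructed sample responses (no real signature value) and a frozen clock for reproducible checks.
FROZEN_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
         f'<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>'
         f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
         f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>')
_SUBJECT = ('<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
            'user@soseman.org</saml:NameID></saml:Subject>')
_TAIL = '</saml:Assertion></samlp:Response>'
SAMPLE_OK = (_HEAD + '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
             '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>' + _SUBJECT +
             '<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">'
             f'<saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>'
             '</saml:AudienceRestriction></saml:Conditions>' + _TAIL)
SAMPLE_BAD = (_HEAD + _SUBJECT +  # unsigned, wrong audience, already expired
              '<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T11:59:00Z">'
              '<saml:AudienceRestriction><saml:Audience>google.com/a/other.org</saml:Audience>'
              '</saml:AudienceRestriction></saml:Conditions>' + _TAIL)


def main():
    for label, sample in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        findings = check_saml_response(b64(sample), EXPECTED_ISSUER, EXPECTED_AUDIENCE, now=FROZEN_NOW)
        print(label, "->", findings or "all checks passed")


if __name__ == "__main__":
    main()
```

In practice, replace the two EXPECTED_ constants with the Azure AD Identifier from the SAML page and the Identifier you entered under Basic SAML Configuration, then pass the SAMLResponse value from the POST to Google's ACS endpoint; each finding points at one of the fields configured above.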
Assign the user to G Suite
Back in the Azure portal, click Users & Groups from within the G-Suite Enterprise Application:
Add a new user to G-Suite:
Turn on Provisioning:
Click on Provisioning and work through the steps on the blade, starting with changing Provisioning Mode to Automatic.
Then click Authorize and type in your G-Suite credentials to go through the authorization process. Grant consent:
Back in the Azure portal, click Save to save your provisioning configuration. Once saved, you can opt to enable automatic synchronization of identities from Azure AD to G-Suite by clicking On for Provisioning Status:
Side bar: I could also configure self-service for end users!
Back in G-Suite, you will notice the assigned users will start to sync:
Time to test!
I’m going to navigate to http://mail.google.com/a/soseman.org:
Notice this will redirect to Azure Active Directory:
Notice it challenges me for multi-factor authentication!
And I respond to the challenge using my Apple Watch 🙂
Once authenticated, accept the terms and conditions:
Now, I’m logged in and ready to use G-Suite!
Browsing to myapps.microsoft.com – G-Suite is added to the launcher!
As you can see, configuring Single Sign-On for G-Suite using Azure Active Directory is a rather easy and simple process, and can probably be completed in 15 minutes or less. Once configured, don’t forget to use Azure AD Conditional Access to govern how G-Suite is accessed, such as requiring a managed device (mobile or PC), monitoring the credentials for compromise (impossible travel, up for sale on the dark web, sign-ins from atypical locations, etc), requiring MFA, and more!