Microsoft My Apps portal integration

Last reviewed 2023-02-27 UTC

Refresh_date: 2023-03-01

This document shows how to add Google services and Identity-Aware Proxy (IAP)-secured web applications to the Microsoft My Apps portal and how to enable automatic sign-on for these applications.

The document assumes that you have federated your Cloud Identity or Google Workspace account with Microsoft Entra ID by configuring Microsoft Entra ID for single sign-on.

Before you begin

Make sure you've completed the steps to federate your Cloud Identity or Google Workspace account with Microsoft Entra ID.

Initiating single sign-on from a portal

To support authenticating with an external identity provider (IdP) such as Microsoft Entra ID (formerly Azure AD), Cloud Identity and Google Workspace rely on service provider–initiated sign-on. With this type of sign-on, authentication starts at the service provider, which then redirects you to the IdP. For example:

  1. You access a Google service such as the Google Cloud console or Looker Studio by opening a URL or bookmark. Google and its services take the role of the service provider in this scenario.
  2. The Google Sign-in screen appears, prompting you to enter the email address of your Google identity.
  3. You're redirected to Microsoft Entra ID, which serves as the IdP.
  4. You sign in to Microsoft Entra ID.
  5. Microsoft Entra ID redirects you back to the Google service that you originally attempted to access.

A benefit of service provider–initiated sign-on is that users can directly access Google services by opening a link or using a bookmark. If your organization uses Microsoft Entra ID, then you can use the Microsoft My Apps portal for this purpose. Not being forced to open applications through a portal is convenient for power users who bookmark specific sites or might memorize certain URLs. For other users, it can still be valuable to surface the links to relevant applications in a portal.

However, adding a plain link such as https://lookerstudio.google.com to the Microsoft My Apps portal reveals a shortcoming of the service provider–initiated sign-on process. Although a user who clicks the link in the portal has a valid Microsoft Entra ID session, they might still see the Google Sign-In screen and be prompted to enter their email address. This seemingly redundant sign-in prompt appears because Google Sign-In is not made aware of the existing Microsoft Entra ID session.

You can avoid the additional Google Sign-in prompt by using special URLs when configuring the Microsoft My Apps portal. These URLs embed a hint about which Cloud Identity or Google Workspace account users are expected to use. The extra information enables authentication to be performed silently, resulting in an improved user experience.

The following table lists common Google services, the corresponding name in Microsoft Entra ID, and the link that you can use to implement SSO as outlined in the previous section.

Google service, URL, and logo:

  • Google Cloud console: https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://console.cloud.google.com (logo: Google Cloud logo)
  • Google Docs: https://docs.google.com/a/DOMAIN (logo: Google Docs logo)
  • Google Sheets: https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://sheets.google.com (logo: Google Sheets logo)
  • Google Sites: https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://slides.google.com (logo: Google Sites logo)
  • Google Drive: https://drive.google.com/a/DOMAIN (logo: Google Drive logo)
  • Gmail: https://mail.google.com/a/DOMAIN (logo: Gmail logo)
  • Google Groups: https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://groups.google.com (logo: Google Groups logo)
  • Google Keep: https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://keep.google.com (logo: Google Keep logo)
  • Looker Studio: https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://lookerstudio.google.com (logo: Looker Studio logo)
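The following script is an added example and is not part of the Google Cloud documentation. It generates the ServiceLogin-style links from the table for one primary domain, using exactly the URL pattern listed there (https://www.google.com/a/DOMAIN/ServiceLogin?continue=TARGET). Two checks are added here as assumptions of the example rather than requirements stated by the page: the domain must not still be the DOMAIN placeholder, and the continue target must be an https URL on a google.com host, so that a typo in the portal configuration cannot produce a link that sends users to an unrelated site.

```shell
#!/bin/sh
# Added example, not code from the Google Cloud documentation.
# Builds the ServiceLogin links from the table for one primary domain.
# The host restriction to *.google.com is a check introduced by this
# example, not a constraint stated on the page.

# build_sso_link DOMAIN TARGET_URL
# Prints the link for TARGET_URL, or returns 1 if DOMAIN still holds the
# placeholder or TARGET_URL is not an https URL on a google.com host.
build_sso_link() {
  domain=$1
  target=$2
  case "$domain" in
    ''|DOMAIN|*[!A-Za-z0-9.-]*)
      echo "build_sso_link: replace DOMAIN with your primary domain (got '$domain')" >&2
      return 1 ;;
  esac
  case "$target" in
    https://*) ;;
    *) echo "build_sso_link: continue target must use https: '$target'" >&2; return 1 ;;
  esac
  host=${target#https://}
  host=${host%%/*}          # keep only the host part of the target
  case "$host" in
    *[!A-Za-z0-9.-]*|'')    # rejects userinfo, ports, or query text in the host position
      echo "build_sso_link: malformed host in '$target'" >&2; return 1 ;;
    *.google.com) ;;
    *) echo "build_sso_link: continue target must be a google.com host: '$target'" >&2; return 1 ;;
  esac
  printf '%s\n' "https://www.google.com/a/${domain}/ServiceLogin?continue=${target}"
}

# list_my_apps_links DOMAIN
# Prints "service<TAB>link" for the table entries that use the ServiceLogin
# pattern (Docs, Drive and Gmail use a plain /a/DOMAIN link instead).
list_my_apps_links() {
  domain=$1
  printf '%s\n' \
    'Google Cloud console|https://console.cloud.google.com' \
    'Google Sheets|https://sheets.google.com' \
    'Google Groups|https://groups.google.com' \
    'Google Keep|https://keep.google.com' \
    'Looker Studio|https://lookerstudio.google.com' |
  while IFS='|' read -r name target; do
    link=$(build_sso_link "$domain" "$target") || return 1
    printf '%s\t%s\n' "$name" "$link"
  done
}

# Demonstration with a constructed domain:
list_my_apps_links example.com
```

Run it once with your own primary domain and paste each printed link into the corresponding enterprise application; the script refuses to emit a link while the domain is still the placeholder, which is the most common reason the silent sign-on does not work.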

For each Google service that you want to add to the Microsoft My Apps portal, create a new enterprise application:

  1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications.
  2. Click New application.
  3. Click Create your own application and enter the following:

    • What's the name of your app: Enter the name of the Google service as indicated in the preceding table.
    • What are you looking to do with your application: Select Integrate any other application you don't find in the gallery (Non-gallery).
  4. Click Create.

  5. Select Properties.

  6. Change the logo to the file linked in the table.

  7. Click Save.

  8. In the menu on the left, select Single sign-on.

  9. Select Linked.

  10. Enter the URL listed in the table, for example https://docs.google.com/a/DOMAIN.

    Replace DOMAIN with the primary domain name of your Cloud Identity or Google Workspace account such as example.com.

  11. Click Save.

Notice that you don't have to configure SAML-based SSO in the application. All single sign-on operations continue to be handled by the application that you previously created for single sign-on.

To assign the application to users, do the following:

  1. In the menu on the left, select Properties.
  2. Set User assignment required to Yes.
  3. Click Save.
  4. In the menu on the left, click Manage > Users and groups.
  5. Click Add user.
  6. Select Users.
  7. Select the users or groups that you want to provision. If you select a group, all members of the group are provisioned.
  8. Click Select.
  9. Click Assign.

It might take several minutes for a link to show up in the My Apps portal.

Controlling access

Assigning users and groups to individual applications in Microsoft Entra ID controls the visibility of the link, but it doesn't control access to a service. A service that isn't visible on a user's My Apps portal might still be accessible if the user opens the right URL. To control which users and groups are allowed to access a service, you must also turn the service on or off in the Google Admin Console.

You can simplify the process of controlling visibility and access by using groups:

  1. For each Google service, create a security group in Microsoft Entra ID—for example, Looker Studio users and Google Drive users.
  2. Assign the groups to the appropriate Microsoft Entra ID enterprise application as outlined in the previous section. For example, assign Looker Studio users to the Looker Studio application and Google Drive users to the Google Drive application.
  3. Configure the groups to be provisioned to your Cloud Identity or Google Workspace account.
  4. In the Admin Console, turn on the respective service for each group. For example, turn on Looker Studio for the Looker Studio users group and Google Drive for the Google Drive users group. Turn the service off for everybody else.

By adding and removing members of these groups, you now control both access and visibility in a single step.

IAP-protected web applications

If you're using Identity-Aware Proxy (IAP) to protect your web applications, you can add links to these applications to the Microsoft My Apps portal and enable a single sign-on experience for them.

The process for adding a link to the Microsoft My Apps portal is the same as for Google services, but you must use the URL of your IAP-protected web application.

As with Google services, you can prevent users from seeing a Google sign-in screen after following a link to an IAP-protected web application in the portal, but the process is different. Instead of using a special URL, you configure IAP to always use a specific Cloud Identity or Google Workspace account for authentication:

  1. In the Google Cloud console, activate Cloud Shell.

  2. Initialize an environment variable:

    PRIMARY_DOMAIN=primary-domain

    Replace primary-domain with the primary domain of your Cloud Identity or Google Workspace account—for example, example.com.

  3. Create a temporary settings file that instructs IAP to always use the primary domain of your Cloud Identity or Google Workspace account for authentication:

    cat << EOF > iap-settings.yaml
    accessSettings:
      oauthSettings:
        loginHint: "$PRIMARY_DOMAIN"
    EOF
    
  4. Apply the setting to all IAP web resources in the project:

    gcloud iap settings set iap-settings.yaml --resource-type=iap_web

  5. Remove the temporary settings file:

    rm iap-settings.yaml
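The following script is an added example and is not part of the Google Cloud documentation. It wraps steps 2 to 5 above in functions that validate the domain before anything is written, generate the same settings file, apply it with the gcloud command shown in step 4, and remove the file again whether or not gcloud succeeded. It assumes gcloud is installed and authenticated (as in Cloud Shell); setting DRY_RUN=1 prints the gcloud commands instead of running them. The settings keys are the ones shown in step 3; the read-back uses gcloud iap settings get, which is this example's choice for confirming the change.

```shell
#!/bin/sh
# Added example, not code from the Google Cloud documentation.
# Steps 2 to 5 above as functions, with validation and guaranteed cleanup.
# Assumptions: gcloud is authenticated; DRY_RUN=1 echoes commands instead.

SETTINGS_FILE=iap-settings.yaml

# valid_domain NAME: returns 0 if NAME looks like a DNS domain (letters,
# digits, dots and hyphens, at least one dot, no empty labels). An
# unreplaced placeholder such as "primary-domain" is rejected.
valid_domain() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# render_iap_settings PRIMARY_DOMAIN: prints the YAML that step 3 writes.
render_iap_settings() {
  printf 'accessSettings:\n  oauthSettings:\n    loginHint: "%s"\n' "$1"
}

# run_gcloud ARGS...: runs gcloud, or echoes the command when DRY_RUN=1.
run_gcloud() {
  if [ "${DRY_RUN:-}" = 1 ]; then
    echo "gcloud $*"
  else
    gcloud "$@"
  fi
}

# set_iap_login_hint PRIMARY_DOMAIN: steps 2 to 5 in one call.
set_iap_login_hint() {
  domain=$1
  if ! valid_domain "$domain"; then
    echo "set_iap_login_hint: '$domain' is not a primary domain (replace the placeholder)" >&2
    return 1
  fi
  render_iap_settings "$domain" > "$SETTINGS_FILE" || return 1
  run_gcloud iap settings set "$SETTINGS_FILE" --resource-type=iap_web
  rc=$?
  rm -f "$SETTINGS_FILE"   # step 5, performed even when gcloud failed
  return "$rc"
}

# show_iap_login_hint: reads the project-wide IAP web settings back so the
# loginHint can be confirmed after applying it.
show_iap_login_hint() {
  run_gcloud iap settings get --resource-type=iap_web
}

# Demonstration with a constructed domain; DRY_RUN=1 keeps it offline.
DRY_RUN=1 set_iap_login_hint example.com
```

After a real run, call show_iap_login_hint and confirm that loginHint holds your primary domain; a typo there silently reintroduces the Google sign-in prompt rather than producing an error.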

Controlling access

Assigning users and groups to individual applications in Microsoft Entra ID controls the visibility of the link to your IAP-protected web application, but does not control access to the application. To control access, you also have to customize the IAM policy of the IAP-protected web application.

As with Google services, you can simplify the process of controlling visibility and access by using groups:

  1. For each application, create a security group in Microsoft Entra ID—for example, Payroll application users.
  2. Assign the group to the respective Microsoft Entra ID enterprise application.
  3. Configure the group to be provisioned to your Cloud Identity or Google Workspace account.
  4. Update the IAM policy of the IAP-protected web application to grant the IAP-Secured Web App User role to the Payroll application users group while disallowing access for other users.

By adding and removing members of the Payroll application users group, you control both access and visibility in a single step.
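The following script is an added example and is not part of the Google Cloud documentation. It performs step 4 of the list above with gcloud: it grants the IAP-Secured Web App User role, whose IAM identifier is roles/iap.httpsResourceAccessor, to the provisioned group, and then audits the application's policy so that no other member (including allUsers and allAuthenticatedUsers) holds that role. It assumes the application is an IAP-protected backend service on Compute Engine (--resource-type=backend-services; an App Engine app would use a different resource type), that the group address is the one the group was provisioned with, and that gcloud is authenticated unless DRY_RUN=1. The policy parser expects gcloud's default YAML output for get-iam-policy; the sample policy at the end is constructed, not taken from a real project.

```shell
#!/bin/sh
# Added example, not code from the Google Cloud documentation.
# Grants the IAP web user role to one group and audits who else holds it.
# Assumptions: backend-services resource type; gcloud authenticated unless
# DRY_RUN=1; policy parsed from gcloud's default YAML output.

IAP_WEB_USER_ROLE=roles/iap.httpsResourceAccessor

# run_gcloud ARGS...: runs gcloud, or echoes the command when DRY_RUN=1.
run_gcloud() {
  if [ "${DRY_RUN:-}" = 1 ]; then echo "gcloud $*"; else gcloud "$@"; fi
}

# grant_group_access PROJECT BACKEND_SERVICE GROUP_EMAIL
grant_group_access() {
  project=$1; service=$2; group=$3
  case "$group" in
    *@*.*) ;;
    *) echo "grant_group_access: '$group' is not a group email address" >&2; return 1 ;;
  esac
  run_gcloud iap web add-iam-policy-binding \
    --project="$project" --resource-type=backend-services --service="$service" \
    --member="group:$group" --role="$IAP_WEB_USER_ROLE"
}

# unexpected_accessors GROUP_EMAIL
# Reads an IAM policy in YAML form from stdin and prints every member that
# holds the web user role other than group:GROUP_EMAIL (this covers
# allUsers and allAuthenticatedUsers too). Returns 1 if any such member exists.
unexpected_accessors() {
  awk -v role="$IAP_WEB_USER_ROLE" -v allowed="group:$1" '
    /^- members:/ { n = 0; next }
    /^  - /       { sub(/^  - /, ""); m[n++] = $0; next }
    /^  role: /   { sub(/^  role: /, "")
                    if ($0 == role) for (i = 0; i < n; i++) if (m[i] != allowed) { print m[i]; bad = 1 }
                    n = 0 }
    END { exit (bad ? 1 : 0) }'
}

# audit_group_access PROJECT BACKEND_SERVICE GROUP_EMAIL
# Checks the live policy for the "disallowing access for other users" part of step 4.
audit_group_access() {
  run_gcloud iap web get-iam-policy --project="$1" --resource-type=backend-services --service="$2" |
    unexpected_accessors "$3"
}

# Demonstration on a constructed policy (not output from a real project):
printf '%s\n' 'bindings:' '- members:' '  - group:payroll-app-users@example.com' \
  '  - allAuthenticatedUsers' '  role: roles/iap.httpsResourceAccessor' 'etag: constructed' |
  unexpected_accessors payroll-app-users@example.com ||
  echo "policy grants the IAP web user role outside the group (see members above)"
```

Run grant_group_access once per application, then audit_group_access on a schedule: the audit is what turns the group into the single control point the text describes, because a binding added later to an individual user or to allAuthenticatedUsers would otherwise go unnoticed while the portal link stays hidden.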

What's next