Last Updated on February 4, 2019 by Dishan M. Francis

In on-premises Active Directory environments, we use “trusts” to establish identity infrastructure collaboration between businesses. In that way, partner organization can use their own user accounts to authenticate in to trusted organization resources. When it comes to cloud/hybrid identity, Azure AD B2B allow organizations to establish cross-organization identity connections. Unlike on-premises, it is not required additional infrastructure changes. In my previous article about Azure B2B explains how we can allow external users to authenticate in to cloud app using their own accounts. You can find it here . However, when external user’s sign up process it is asking to create “Microsoft Account” to continue. 

If users are having Google Accounts, now Azure AD B2B can initiate federation with google to allow users to use their own google accounts to authenticate instead of Microsoft Accounts. In this demo I am going to demonstrate how we can initiate federation with google. 


Valid Azure AD B2B Subscription – If the guest users are going to use Azure AD paid services, make sure you have enough licenses allocated. More info about licensing can find here

Shared Google Account – During the setup we need to create credentials at Google APIs. To do that we need to use existing google account. It is recommended to use separate google account for this instead of existing user account. 

To start the configuration,

1. Go to and log in with the Google account you have selected for the task. 

2. In Dashboard, Click on Create to start new project. 

3. Then in new window, give unique name to project and click on Create.

4. Once project is created, select it from the project drop down box. 

5. Then click on Credentials

6. In new window, select OAuth consent screen

7. Then type a name for the application

8. Go to Authorized domains section and type

9. Then click on Save to apply settings. 

10. Once settings are saved, go back to Credentials tab. Then click on Create Credentials drop down and select OAuth client ID

11. Then in new window, click on Web Application option. Go to Name section and define name for the application. 

12. Go to Authorized redirect URIs section and type, and,<azuread id>/oauth2/authresp


in above url, <azuread id> value is related to Azure AD. It can be find using,

Azure Portal | Azure Active Directory | Properties | Directory ID

Once URLs are ready, type them and click on Create

13. Then it issues a client id and client secret. Copy it and save it.

14. To configure it in Azure AD end, log in to as Global Administrator

15. Then go to Azure Active Directory | Organizational relationships 

16. Go to Identity providers 

17. Then click on + Google 

18. In new window paste the copied client id and client secret from the Google web app. Then click on Save to complete. 

19. This completes the configuration. next step is to test it. 

20. In Azure AD I already have a group called sg-Finance and I like to add external user to it. so, he also can access the apps belongs to group members. 

To do that, I go to Azure Active Directory | Groups | sg-Finance | Members | + Add members

21. In new window, type the google user and click on Select.  

22. Then go to as the google user. In here is the verified domain for my subscription. Google authentication is not working if you use the direct link such as

23. Then it will go to login page. Type the google account we just invited and click on Next

24. Then it goes to Google authentication page as expected, click on Next to continue. 


25. In next window, type the password and click on Next.

26. Voila! User is authenticated to myapp portal as expected with out creating Microsoft Account. 

This marks the end of this blog post. If you have any questions feel free to contact me on also follow me on twitter @rebeladm to get updates about new blog posts.