iamfrench / gsuite-as-identity-provider-idp-for-office-365-or-azure-active-directory Goto Github PK

Following the instruction, I found I input a wrong google idP (XML) when after I submit all the code, how can I change it?

I'm trying to federate 2 top level domain names abc.co.uk & def.co.uk and this script only appears to allow 1, I can select either but not both and I can't re-run the script twice.

I've came across "Update-MsolFederatedDomain -domainname abc.co.uk -SupportMultipleDomain" but as I'm not running a server either onsite or in the cloud I'm getting the error "Failed to connect to Active Directory Federation Services 2.0 on the local machine."

Can this script be adapted to allow for more domains to be listed.

Many Thanks, Brian

Minor change. I believe this needs to be same as PassiveLogonURL or SP initiated login via login.microsoft.com will fail with "User not known in directory" error

I followed your instructions but I am getting this error. Do you have an idea what is the issue?

The user account name@domain does not exist in the f66996c8-d353-2342-8465-6f7705dc5cf8 directory. To sign into this application, the account must be added to the directory.

ImmutableID is needed for all this to work. Most documentation indicates you get ImmutableIDs when you set up ADFS Sync -which is especially challenging to make work if you aren't running AD infrastructure to sync with :p

If you don't have local AD for your domain (O365/AzureAD-only), you will need to manually set your users' ImmutableID to be the same value as their GSuite primary identity. If their UPN in AD is this value, you can script this change with the below-listed steps.

This is assuming you still have an active Powershell connection with AzureAD

You can check with
Get-AzureADUser which will list output:
ObjectId DisplayName UserPrincipalName UserType

If UserPrincipalName = Google primary email, enter these 2 commands:

$user=get-msoluser -all
$user |Select userprincipalname ,displayname,immutableid

This should output your directory list so you can verify it worked as expected.

Bonus thanks to the MS support agent who helped sort this out!