topic Re: Azure as IDP for Workspace in Peer-Peer Topics

Azure as IDP for Workspace

E8419 — Mon, 18 Dec 2023 22:57:59 GMT

Hello

How many of you currently use Azure as your IDP for Workspace?

How many use Google Login stand alone?

Anyone using the new web sign in with Google Federated Azure to SSO with Google Creds into Windows Intune managed laptops or desktops?

I am trying to decide which way to go - currently a heavy GCPW user.

Re: Azure as IDP for Workspace

Bill_Gibson — Mon, 18 Dec 2023 23:54:05 GMT

Anyone using Google as Azure IdP?

Re: Azure as IDP for Workspace

E8419 — Tue, 19 Dec 2023 00:04:44 GMT

I am currently but I'm an unsure if this is the right route to take long term

Re: Azure as IDP for Workspace

Kim_Nilsson — Tue, 19 Dec 2023 08:27:02 GMT

Yup, our district/county/municipality has a Sharepoint intranet, which requires all staff login to access it.

So we have a SAML set up for that. The one described in Google's support documents.

Since we already had on-prem AD federation set up for one domain, it was a bit painful as that had to be temporarily disabled, so we could add the edu subdomain.

It works perfectly fine, but a definite recommendation is to not disable unused accounts in Workspace, as that will cause their accounts in O365 to be permanently deleted after 30 days, and not able to be automatically recreated if the user then suddenly starts using their Workspace account again.

Typical issue with substitutes who only work rarely.

Re: Azure as IDP for Workspace

Kim_Nilsson — Tue, 19 Dec 2023 08:36:52 GMT

Google login only for access to Workspace.

Really don't want to change that. Mainly because managing passwords and, to some extent, accounts elsewhere is a pain. Now we do have fully automatic sync of user accounts and groups, so very few accounts are manual, even groups. But we do have them, and I don't quite have the hang of managing incoming SSO for separate OUs.

If people who do use SSO says it's fine, and easy to use incoming SSO only in certain OUs, and it doesn't mess up login to Chromebooks, then maaaybe in the future I'll look into it. So far I'm not convinced.

Also, why would I want to pay for third-party SSO? Using Google Sign-in to (curriculum) services is awesome.

We do not use GCPW. Would be cool, but we're instead investing quite heavily in Intune for Windows 11, with forced MFA for login to O/M365 accounts, which effectively means forced MFA for login to Windows devices.

Now, that only affects administrative and non-teaching staff, as all our teachers have Apple Macbooks!

For them we just recently started using Mosyle MDM, and with their Auth 2 feature we will be able to have them log into their Macbooks with the Google accounts!!! Really happy about that! Will implement that during 2024, as we're replacing the remaining 350 old MBAs next year.