We are using Google Workspace as a source of truth for all our users and groups, and would like to synchronize our Microsoft Entra ID (formerly Azure AD) tenant with users and groups from Google Workspace.
We've already configured federation between Google Workspace and Microsoft Entra ID, and users are being synced using Microsoft Office 365 auto-provisioning. Our Google Workspace users can log into Office 365/Azure just fine; however, we would like to use Azure AD groups for permissions etc.
The problem is that that doesn't sync user groups, and Google also doesn't seem to be much help here. Does anyone have an idea how this is normally achieved?
Thanks!
Note: The sync direction we are after is (from) Google Workspace -> (to) Microsoft Entra ID. There are a bunch of ways of doing this the other way around (like GCDS), but that's not applicable in our case.
We had a similar need recently, and ended up using the Microsoft Office 365 auto-provisioning feature in GWS to sync users into Azure Entra ID, same as you; both creation and deletion are supported out of the box.
The only caveat, as you found, is that it only syncs users, not the groups they belong to. So you would need to create the security groups on Azure first, and then, after having the GWS users synced into the Entra ID directory, use another method to assign users to groups.
We approached this with SDKs/APIs: we built a Python script that reads GWS groups to see which members/owners they have using the Google SDK, and then, using the Graph API through a service principal in Azure with the right permissions (Directory.ReadWrite.All, etc.), assigns those users to the same groups in Entra ID that they were in in GWS. This took a bit of time, but it works.
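The reconciliation step of the approach described in this answer, as an added example that is not the answerer's script: it takes what the Google Admin SDK and Graph API returned (assumed to be fetched by the caller; the sample data in the test is constructed), matches people by email, and produces the adds/removes to apply so that GWS stays the source of truth, while reporting users that auto-provisioning has not yet created and groups that were never pre-created in Entra instead of silently dropping them.

```python
"""Reconcile Entra ID group membership against Google Workspace groups.

Pure planning step: the caller supplies the results of Google Admin SDK
directory.members.list and Graph GET /groups, /users, /groups/{id}/members,
then applies the plan with Graph POST/DELETE on /groups/{id}/members/$ref.
"""
from dataclasses import dataclass, field


@dataclass
class Plan:
    add: dict = field(default_factory=dict)             # entra group id -> [user ids]
    remove: dict = field(default_factory=dict)          # entra group id -> [user ids]
    missing_groups: list = field(default_factory=list)  # GWS groups not pre-created in Entra
    missing_users: dict = field(default_factory=dict)   # group email -> [unprovisioned emails]


def plan_sync(gws_groups, entra_groups, entra_users, entra_members):
    """gws_groups: {group_email: {member_emails}}  (GWS is the source of truth)
    entra_groups: {group mail (lowercase): group object id}
    entra_users:  {mail/UPN (lowercase): user object id}, created by auto-provisioning
    entra_members: {group object id: {user object id}}, current Graph membership
    """
    plan = Plan()
    for gmail, members in gws_groups.items():
        gid = entra_groups.get(gmail.lower())
        if gid is None:
            plan.missing_groups.append(gmail)
            continue
        wanted = set()
        for email in members:
            uid = entra_users.get(email.lower())
            if uid is None:  # not yet provisioned: report, a later run picks it up
                plan.missing_users.setdefault(gmail, []).append(email)
            else:
                wanted.add(uid)
        current = entra_members.get(gid, set())
        if wanted - current:
            plan.add[gid] = sorted(wanted - current)
        if current - wanted:  # left the GWS group, so drop from the Entra group too
            plan.remove[gid] = sorted(current - wanted)
    return plan


def apply_plan(plan, add_member, remove_member):
    """add_member(gid, uid): POST /groups/{gid}/members/$ref with body
    {"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/" + uid};
    remove_member(gid, uid): DELETE /groups/{gid}/members/{uid}/$ref. Returns op count."""
    ops = [(add_member, g, u) for g, us in plan.add.items() for u in us]
    ops += [(remove_member, g, u) for g, us in plan.remove.items() for u in us]
    for fn, g, u in ops:
        fn(g, u)
    return len(ops)
```

Run it with a dry-run `add_member`/`remove_member` that only logs first; the target Entra groups must use assigned (not dynamic) membership for the Graph calls to succeed.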