Hey everyone! Currently, we're utilizing Entra ID for SSO wherever possible. We also depend on Google accounts exclusively for accessing services like Tag Manager, Firebase, etc. We don't use Google services like Docs or Sheets, so these accounts only serve this specific purpose. Just a note, we don't use @gmail.com for our accounts; we have our own domain. For instance, a user like [email protected] accesses their account using that email, not through [email protected].
Initially, I considered Google Workspace but found Google Cloud Identity (GCI) might fit better as we only need user management without additional features. Here's where I need some clarity: Can Entra ID function as an identity provider (IdP) for GCI? I suspect this is possible, but confirmation would be appreciated.
Also, I'm curious about the 50-seat limit: Is it possible to contact Google to expand that limit to around 150 for free, or would I need a premium version? Lastly, how does the integration handle existing accounts? Will it recognize the same domain and merge them automatically, similar to how Apple Business Manager works? Will users be notified of this change? For example, when merging with Apple Business Manager, users see a notification that their accounts are being incorporated into a domain. What's the experience like on the Google side? Thanks in advance!
1 Answer
Yes, you can absolutely use Entra ID as an identity provider for Google Cloud Identity! That's actually a pretty common setup.
For the 50-seat limit, you can get in touch with Google support to ask for an increase. They usually don't give unlimited seats, but if you provide a solid reason, they might bump your limit. You'll need to have a paid Workspace subscription to go that route, though. You could get the cheapest Essentials plan for about $12 for a month just to access support, request the increase, and then cancel the subscription afterward.
Regarding your existing accounts, the integration isn't entirely automatic. You'll have to use a tool to view the unmanaged accounts within your domain. Then you can send invites to those accounts, allowing users to merge them into your organization. If you create an account with the same email in your org, the original user must change their email the next time they log in.
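A worked example for the first part of the answer, added here and not from the original post or from Google or Microsoft: the Google side of this setup is a SAML SSO profile that needs the IdP's Entity ID, sign-in URL, sign-out URL and verification certificate, and Entra ID publishes exactly those values in its federation-metadata document at `https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml`. The script below extracts them, rejects metadata with no signing certificate or a non-HTTPS endpoint, and prints each certificate as PEM with its SHA-256 fingerprint so the value can be checked against the portal before it is pasted into the Google Admin console. The tenant ID and certificate are placeholders and the metadata is a constructed, trimmed sample in that format, so it runs offline.

```python
import base64
import binascii
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Entra ID federation metadata (trimmed:
# no Signature, no WS-Fed section). The tenant ID is a placeholder and the
# X509Certificate body is ten arbitrary bytes, not a real certificate.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>AAECAwQFBgcICQ==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _service_url(idp, tag):
    """Location of the first <tag> endpoint, HTTP-Redirect preferred over POST.
    Refuses plain-http endpoints: the SAML flow must not leave TLS."""
    endpoints = idp.findall(f"md:{tag}", NS)
    for binding in (REDIRECT, POST):
        for ep in endpoints:
            if ep.get("Binding") == binding:
                url = ep.get("Location", "")
                if not url.startswith("https://"):
                    raise ValueError(f"{tag} must be https, got {url!r}")
                return url
    return None


def _signing_certificates(idp):
    """All signing certs as PEM plus SHA-256 fingerprint. Entra may list more
    than one around a signing-key rollover, so return every one."""
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without `use` is valid for signing too (SAML metadata spec).
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())
            try:
                der = base64.b64decode(b64, validate=True)
            except binascii.Error as exc:
                raise ValueError("X509Certificate is not valid base64") from exc
            hexfp = hashlib.sha256(der).hexdigest().upper()
            certs.append({
                "pem": "-----BEGIN CERTIFICATE-----\n"
                       + "\n".join(textwrap.wrap(b64, 64))
                       + "\n-----END CERTIFICATE-----\n",
                "sha256": ":".join(hexfp[i:i + 2] for i in range(0, len(hexfp), 2)),
            })
    return certs


def google_sso_profile(metadata_xml: str) -> dict:
    """Map IdP metadata onto the fields of a Google Cloud Identity SSO profile."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    certs = _signing_certificates(idp)
    if not certs:
        raise ValueError("no signing certificate: Google could not verify assertions")
    sign_in = _service_url(idp, "SingleSignOnService")
    if sign_in is None:
        raise ValueError("no SingleSignOnService endpoint")
    return {
        "entity_id": root.get("entityID"),
        "sign_in_url": sign_in,
        "sign_out_url": _service_url(idp, "SingleLogoutService"),
        "certificates": certs,
    }


if __name__ == "__main__":
    profile = google_sso_profile(SAMPLE_METADATA)
    for key in ("entity_id", "sign_in_url", "sign_out_url"):
        print(f"{key}: {profile[key]}")
    for cert in profile["certificates"]:
        print(f"verification certificate sha256: {cert['sha256']}")
        print(cert["pem"], end="")
```

Two things to check by hand after pasting the values in: Entra rotates its SAML signing certificate, so re-run this against the live metadata whenever Entra announces a rollover and upload the new certificate before the old one stops signing; and the NameID in Entra's SAML assertion (by default the user principal name) must equal the user's primary email in Cloud Identity, otherwise the sign-in fails even though the profile is configured correctly.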
Thanks for the info! So, if there are old accounts from former employees that I can't access, they will stay unmanaged, right? I can't force those to merge, can I?