Our organization operates in a Microsoft 365 environment, but all our staff are using Samsung phones that require Google accounts. Currently, people are utilizing personal Google accounts for their devices (which I know is not ideal and I'm looking to change that) and we have also started creating new Google accounts for them. While this seems like a decent plan, these new accounts still resemble personal accounts and can't be remotely managed when an employee leaves. I'm wondering if there's a better approach here. Should we consider getting Google Workspace subscriptions for our staff in addition to the M365 ones?
4 Answers
You might want to look into Google Cloud Identity federated with Entra ID. This could simplify management by allowing you to integrate identity controls across your Microsoft and Google environments. It provides a path to balancing both systems effectively.
Yes, for Google services like Ads, you can set up a minimal Google Workspace subscription for your domain. This allows you to implement MFA and configure it to work with Entra. Users can be added to an Entra Group, which auto-licenses them in Google Workspace, letting them sign in with their work email. Just keep in mind that email and other traditional services will still be handled in Azure.
An important thing to consider is that if the only account on the device is a managed Google account, users may have restrictions on self-installing apps from the Play Store. Are the devices enrolled in your MDM? If so, a Google account isn't critical. However, you need a Google Workspace tenant to connect to managed Google Play for MDM app installations.
If those are company-owned devices, you should enroll them in Office365. This will create a Google Play store account for them and allow them to download apps. Using something like a Microsoft Business Premium license or Intune can facilitate a smoother setup. However, if people are using personal Google accounts, you could just link that to the phone. Alternatively, you can create accounts tied to corporate emails directly using Google’s sign-up process, which definitely helps with management later on.
I agree with you—it’s much simpler to establish a free Cloud Identity with federation and SCIM. That way, if you deactivate the M365 account, the Google account access goes down right away too.
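The federation-plus-SCIM behaviour described in this thread, as an added illustration that is not part of the original posts or of any Google or Microsoft API: a toy SCIM 2.0 (RFC 7644) provisioning target and the `PatchOp` message an identity provider pushes when the source account is disabled, showing that sign-in at the target stops immediately. The class and function names and the sample user are constructed for the example.

```python
"""Toy SCIM 2.0 (RFC 7644) exchange between an identity provider and a
provisioning target. Constructed simulation only: not Entra ID's or Google's
real API, just the message shape and its effect on sign-in."""
from dataclasses import dataclass

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass
class ScimUser:
    user_name: str  # the work e-mail, matched against the IdP's UPN
    active: bool = True


def _as_bool(value) -> bool:
    # Accept both JSON booleans and the string form ("False") some IdPs send
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


class ScimTarget:
    """In-memory stand-in for the service provider's /Users endpoint."""

    def __init__(self) -> None:
        self.users: dict[str, ScimUser] = {}

    def create_user(self, body: dict) -> ScimUser:
        user = ScimUser(body["userName"], _as_bool(body.get("active", True)))
        self.users[user.user_name] = user
        return user

    def patch_user(self, user_name: str, body: dict) -> ScimUser:
        if body.get("schemas") != [PATCH_SCHEMA]:
            raise ValueError("not a SCIM PatchOp message")
        user = self.users[user_name]
        for op in body["Operations"]:
            if op["op"].lower() == "replace" and op.get("path") == "active":
                user.active = _as_bool(op["value"])
        return user

    def can_sign_in(self, user_name: str) -> bool:
        # Federated sign-in still ends here: a deprovisioned or unknown user is refused
        user = self.users.get(user_name)
        return user is not None and user.active


def idp_disable_user(target: ScimTarget, user_name: str) -> bool:
    """What the IdP pushes when the source account is disabled; returns whether sign-in still works."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}
    target.patch_user(user_name, body)
    return target.can_sign_in(user_name)
```

Without SCIM (federation only), the target would keep an active user record after the IdP account is disabled, so any session or credential that bypasses the IdP stays valid; the deprovisioning push is what closes that gap.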