I’ve got a client for whom I’ve set up federation between their Google Workspace and Microsoft Entra ID tenancies.
Google Workspace is their primary platform and their Identity Provider (IdP). They also use Microsoft 365 Apps for Business and/or Microsoft Teams subscriptions, and maintaining two user directories, potentially with different authentication credentials, is a pain.
I had an issue, however, where a particular user couldn’t log in to any Microsoft properties, even though the user account existed in both Google Workspace and Entra ID. It’s possible that this account existed in Entra before federation was enabled and never had the ImmutableID set correctly.
I deleted the user from Entra, but could not get the account to sync over from Google Workspace no matter what I tried – I tried suspending and enabling the account, I tried turning sync off and on again and I tried waiting for 24 hours to see if a regular sync cycle would fix it. Nope.
I couldn’t create a new user with the correct domain in the User Principal Name via either the Microsoft 365 admin console or the Entra ID console, as that domain is federated with Google.
As is usually the case with these things, PowerShell came to the rescue.
First up, I needed to install the correct PowerShell module; it’s worth noting that this module works on macOS as well as Windows and other platforms.
Install-Module -Name Microsoft.Entra -Repository PSGallery
Then, I needed to connect to Microsoft Graph with the correct scope set.
Connect-MgGraph -Scopes Directory.ReadWrite.All
After logging in as a Global Admin, I could then run the New-MgUser command to create the user account and set the Immutable ID as Google Workspace requires. In this case the Immutable ID is the user’s email address; when linking Entra ID with on-premises AD instead, it is a Base64-encoded value that you’ll need to calculate. The command below needs to be entered all on one line.
New-MgUser -DisplayName 'Example User' -UserPrincipalName 'user@example.com.au' -OnPremisesImmutableId 'user@example.com.au' -AccountEnabled
Note that I didn’t set a password – this isn’t necessary as the user is authenticated via Google Workspace.
After assigning a licence via the Microsoft 365 admin centre, the user is able to log in successfully and activate Microsoft Office.
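The whole procedure, as an added script that is not part of the original post: it checks that the UPN’s domain really is federated, looks for a stale account with a missing or different Immutable ID (the situation described above), creates the user without a password, and reads the object back to confirm the Immutable ID was stored. It assumes the Microsoft.Graph cmdlets are available (Microsoft.Entra installs them), that you hold Global Admin, and that the Upn and DisplayName parameters are supplied by you; the ConvertTo-ImmutableId helper covers the on-premises AD case, where the value is the Base64 encoding of the user’s objectGUID, and is not needed for Google Workspace. MailNickname is passed because the Graph API documents it as required; it is harmless if the API does not need it.

```powershell
# Added example, not the post's own command. Run as:
#   .\New-FederatedUser.ps1 -Upn 'user@example.com.au' -DisplayName 'Example User'
param(
    [Parameter(Mandatory)] [string] $Upn,          # UPN in the federated domain
    [Parameter(Mandatory)] [string] $DisplayName,
    [string] $ImmutableId = $Upn                    # Google Workspace: the email address
)

# On-premises AD case only: Immutable ID = Base64 of the AD objectGUID bytes.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    return [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

Connect-MgGraph -Scopes 'Directory.ReadWrite.All' -NoWelcome

# 1. Confirm the domain is federated. A managed domain would need a password set,
#    and creating a password-less user there would leave an unusable account.
$domain = ($Upn -split '@')[1]
$d = Get-MgDomain -DomainId $domain
if ($d.AuthenticationType -ne 'Federated') {
    throw "Domain $domain is '$($d.AuthenticationType)', not Federated; check federation first."
}

# 2. Look for an existing object with this UPN. A pre-federation account with a
#    missing or different OnPremisesImmutableId is the usual cause of sign-in failure.
$safeUpn  = $Upn -replace "'", "''"
$existing = Get-MgUser -Filter "userPrincipalName eq '$safeUpn'" `
    -Property Id,UserPrincipalName,OnPremisesImmutableId
if ($existing) {
    if ($existing.OnPremisesImmutableId -eq $ImmutableId) {
        Write-Host "User $Upn already exists with the expected Immutable ID; nothing to do."
        return
    }
    # Report rather than silently overwrite: the admin should decide whether to
    # delete and recreate, as the post describes.
    throw "User $Upn exists with OnPremisesImmutableId '$($existing.OnPremisesImmutableId)' (expected '$ImmutableId')."
}

# 3. Create the user with no password profile; authentication happens at Google.
$mailNickname = ($Upn -split '@')[0]
$user = New-MgUser -DisplayName $DisplayName -UserPrincipalName $Upn `
    -MailNickname $mailNickname -OnPremisesImmutableId $ImmutableId -AccountEnabled

# 4. Read the object back and verify the Immutable ID actually landed.
$check = Get-MgUser -UserId $user.Id -Property Id,UserPrincipalName,OnPremisesImmutableId
if ($check.OnPremisesImmutableId -ne $ImmutableId) {
    throw "Immutable ID mismatch after creation: '$($check.OnPremisesImmutableId)'"
}
Write-Host "Created $($check.UserPrincipalName) with Immutable ID '$($check.OnPremisesImmutableId)'"
```

The read-back in step 4 is the check worth keeping: if the Immutable ID does not match what Google sends in its SAML assertion, the user will be created but still unable to sign in, which is exactly the symptom the post started with.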