I’ve got a few clients who use Google Workspace as their main platform, but also need to use Microsoft Office or Teams, so have a Microsoft 365 tenancy as well.
It gets to be a pain managing two sets of user credentials, so fortunately you can set up user provisioning and sync between Google Workspace and Microsoft 365, using Google Workspace as the Identity Provider (IdP).
Google has some articles on how to do this:
Office 365 cloud application – Using Security Assertion Markup Language (SAML), your users can use their Google Cloud credentials to sign in to enterprise-cloud applications. https://support.google.com/a/answer/6363817
Configure Microsoft Office 365 auto-provisioning – You can set up automated user provisioning (autoprovisioning) so that any changes you make to user accounts in Google Workspace are automatically synced with this third-party app. https://support.google.com/a/answer/7365072
Immutable ID
The main way that everything matches up in Microsoft 365 is via an attribute on the user object called Immutable ID, or onPremisesImmutableId.
When you’re syncing Entra ID with Active Directory, the onPremisesImmutableId will be a Base64 encoded version of the user’s SID. When you’re syncing with Google Workspace, however, this needs to be the user’s email address.
This isn’t a problem for any users that Google Workspace creates in Microsoft 365 as the app ensures that the onPremisesImmutableId is set up correctly. It is however a problem for syncing any users that already exist in Microsoft 365. If you’ve created users via the Microsoft 365 admin console, then the onPremisesImmutableId will be blank. If the users were previously synced from Active Directory, then the onPremisesImmutableId will be a string value.
Most of the instructions you’ll find that say how to set the onPremisesImmutableId will use the MS Online or Azure AD PowerShell modules, which are now EOL and don’t work.
The way to do it is via the Microsoft Graph PowerShell module – which, by the way, works perfectly in PowerShell on macOS arm64.
Install Microsoft Graph PowerShell
Install-Module Microsoft.Graph -Scope CurrentUser
Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All"
Make sure you’re connected
Get-MgContext
Update all users in Entra
# Get all users in the tenant (add -Filter if you only want to update a subset)
$users = Get-MgUser -All

foreach ($user in $users) {
    $userId = $user.Id
    $email  = $user.Mail

    if (-not [string]::IsNullOrEmpty($email)) {
        Write-Host "Updating $($user.DisplayName) ($userId) to ImmutableId: $email"
        # Set the Immutable ID to the user's email address so Google Workspace can match the account
        Update-MgUser -UserId $userId -OnPremisesImmutableId $email
    } else {
        # Users with no Mail value (e.g. no mailbox) cannot be matched, so leave them untouched
        Write-Warning "User $($user.DisplayName) has no email. Skipping."
    }
}
Then check that it has updated. For some reason this doesn’t work for me:
Get-MgUser -UserId [email protected] -Property OnPremisesImmutableId
But this does work instead:
Get-MgUser -UserId [email protected] -Property OnPremisesImmutableId | select OnPremisesImmutableId
I’m not sure why I need to use the second form, but this confirmed that all my users now have an Immutable ID that matches their email address, and I can now sync them with Google Workspace.
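As an added example (not the script from the original post), here is an audit-first version of the same update: run without switches it only reports each user's OnPremisesImmutableId against their Mail, and with -Apply it rewrites just the blank or mismatched ones and reads each value back. It assumes the same Microsoft.Graph module and a User.ReadWrite.All connection as above; the OnPremisesSyncEnabled check, which the post does not cover, skips users still mastered by directory sync, since Graph rejects changes to sync-mastered attributes.

```powershell
# Added example, not from the original post: audit every Entra user's
# OnPremisesImmutableId against their Mail, then fix only what needs fixing.
# Assumes Microsoft.Graph is installed and you have already run
#   Connect-MgGraph -Scopes "User.ReadWrite.All"
param(
    [switch]$Apply   # without -Apply this is a dry run: report only
)

$props = 'Id','DisplayName','Mail','UserPrincipalName','OnPremisesImmutableId','OnPremisesSyncEnabled'
$users = Get-MgUser -All -Property $props

$report = foreach ($u in $users) {
    $state = if ([string]::IsNullOrEmpty($u.Mail))                     { 'NoMail' }
             elseif ($u.OnPremisesSyncEnabled -eq $true)                { 'DirSynced' }  # still mastered by AD sync
             elseif ([string]::IsNullOrEmpty($u.OnPremisesImmutableId)) { 'Blank' }
             elseif ($u.OnPremisesImmutableId -eq $u.Mail)              { 'Match' }
             else                                                       { 'Mismatch' }
    [pscustomobject]@{
        DisplayName = $u.DisplayName
        Mail        = $u.Mail
        ImmutableId = $u.OnPremisesImmutableId
        State       = $state
        Id          = $u.Id
    }
}

# Summary by state first, then the individual rows that still need attention
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.State -ne 'Match' } | Format-Table DisplayName, Mail, ImmutableId, State -AutoSize

if (-not $Apply) {
    Write-Host "Dry run only. Re-run with -Apply to set OnPremisesImmutableId on Blank/Mismatch users."
    return
}

foreach ($row in $report | Where-Object { $_.State -in @('Blank','Mismatch') }) {
    Write-Host "Setting $($row.DisplayName) -> $($row.Mail)"
    Update-MgUser -UserId $row.Id -OnPremisesImmutableId $row.Mail
    # Read the value back; pick the property explicitly so it is actually displayed
    $after = (Get-MgUser -UserId $row.Id -Property OnPremisesImmutableId).OnPremisesImmutableId
    if ($after -ne $row.Mail) {
        Write-Warning "Verification failed for $($row.DisplayName): got '$after'"
    }
}
```

Run it once without -Apply and check the report before committing, since the original script overwrites the attribute for every user that has a Mail value.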