windows google-workspace microsoft-365 security single-sign-on

Logging in to Entra-joined Windows PC with a Google Workspace Federated Identity

If you've federated Microsoft Entra ID with Google Workspace as your SAML IdP, getting Windows login working on Entra-joined devices requires more than just the federation config. This post covers the exact MDM policies needed to enable Web Sign-In, and two easy-to-miss configuration pitfalls.

I have a configured Microsoft Entra ID federated logins with Google Workspace as the SAML IdP for a client of mine. Generally this works well for SSO logins to web-based apps, but getting Windows login working on Entra-joined laptops requires some additional configuration that isn’t well documented. Here’s what’s needed.

Enable Web Sign-In via MDM

For federated tenants using an external IdP, Windows requires the Web Sign-In feature to redirect authentication through the SAML flow. Without it, Windows presents a standard password field that can never complete a federated login. Push the following OMA-URI policies via your MDM:

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Data type: Integer
Value: 1
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
Data type: String
Value: login.microsoftonline.com;accounts.google.com/o/saml2/idp?idpid=YOURIDPID;samlidp.google.com;google.com;mobile-redirector.google.com;accounts.google.com;accounts.youtube.com;accounts.youtube.com/accounts/SetSID;ocsp.pki.goog
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName
Data type: String
Value: example.com.au
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience
Data type: Integer
Value: 1

Two things that caught me out:

Use ./Device/Vendor/MSFT/... not ./Vendor/MSFT/...: the device scope prefix is required. Without it the policy applies to the wrong scope and the Web Sign-in host ignores it. No https:// prefixes in the URL allowlist: the Web Sign-in browser does bare hostname matching. Including https:// causes all URL matching to silently fail.

Verifying Policy Application

To confirm the MDM policies have applied correctly before rebooting:

reg query "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication"

EnableWebSignIn should show 0x1 and ConfigureWebSignInAllowedUrls should show the full URL string. If values are missing or zero, check that atomic execution isn’t enabled on the MDM policy profile — if any single OMA-URI fails, atomic execution rolls back the entire policy.

Related Services

Need support with this in your environment?

These services cover the same kinds of issues discussed in this article.

Keep This Useful

Spotted something outdated or unclear?

If a step has changed, a screenshot no longer matches, or something here just does not work the way it should, get in touch and we will take a look.