September 3, 2025
Overview (Goal)
You may be using Google Workspace for email and collaboration, but prefer Microsoft Entra ID as your identity and security foundation. This post outlines how to:
Use Entra ID as the IdP for Google Workspace via SAML SSO + SCIM provisioning.
Apply Conditional Access with Authentication Context for step‑up rules.
Incorporate Microsoft Defender for Cloud Apps (MDCA) to enforce real‑time, in‑session step‑up authentication for risky actions across any SAML/OIDC app.
CA + AC (Conditional Access with Authentication Context) handles access control at login; MDCA adds dynamic, in-session enforcement. For example, if a user changes IP mid-session or initiates a sensitive download, MDCA can trigger step-up immediately.
Architecture & Licensing
Identity: Entra ID as IdP; users/groups provisioned to Google via SCIM.
Access: Conditional Access baseline policies, plus Authentication Context labels like High‑Impact‑Download.
Session: MDCA operates as a reverse‑proxy via Conditional Access App Control, mediating traffic to enforce real‑time controls.
Google: Configured to use Entra ID for SSO, optionally paired with Google’s own Context‑Aware Access.
Licence requirements:
Entra ID Premium P1+
Microsoft Defender for Cloud Apps
Step-by-Step Summary (High-Level):
SSO Setup: Add the Google Cloud / G Suite Connector by Microsoft in Entra ID and configure SAML SSO; mirror this setup in Google Admin.
SCIM Provisioning: Enable automatic user provisioning from Entra ID to Google Workspace.
Authentication Context Labels: In Entra ID, define labels used to trigger step‑up, e.g., High‑Impact‑Download.
Conditional Access Baseline: Enforce MFA, block legacy authentication, configure policies.
Note: CAE (Continuous Access Evaluation) offers limited real‑time enforcement for Microsoft apps (e.g., location changes), but not for Google/SAML apps.
Overview: CAE concept
Route Through MDCA: Configure a Conditional Access policy to route the Google SAML app (and others) through MDCA using Conditional Access App Control.
Define MDCA Session Policies: In MDCA, create session-level rules such as:
Condition: unmanaged device, untrusted IP, or sensitive file label.
Action: Require step‑up authentication using your AC label.
More details: Creating session policies
Validate: From an unmanaged device or new IP, attempt a sensitive action (e.g., download). MDCA should intercept and trigger the AC step-up in real time.
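The three Entra-side steps above (the Authentication Context label, the step-up policy, and routing the Google app through MDCA) as one Microsoft Graph PowerShell script. This is an added example, not the original post's or Microsoft's code; it assumes the Microsoft.Graph SDK is installed, that label id c1 is unused in your tenant, and that $GoogleAppId and $PilotGroupId are placeholders you replace with your own values.

```powershell
# Added example: creates the AC label, the step-up policy, and the MDCA routing policy.
# Assumptions: Microsoft.Graph SDK installed; c1 is a free label id; the two
# variables below are placeholders for your tenant's values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$GoogleAppId  = "<appId of the Google Cloud / G Suite Connector enterprise app>"  # placeholder
$PilotGroupId = "<objectId of a pilot group>"                                     # placeholder

# 1. Authentication Context label (ids are c1..c25). MDCA session policies will
#    invoke it; Conditional Access decides what the step-up means.
New-MgIdentityConditionalAccessAuthenticationContextClassReference `
    -Id "c1" -DisplayName "High-Impact-Download" `
    -Description "Step-up for sensitive downloads, invoked by MDCA session policies" `
    -IsAvailable

# 2. Step-up policy: whenever c1 is demanded (by MDCA or any other app), require MFA.
#    Start in report-only so you can read the sign-in logs before enforcing.
$stepUp = @{
    displayName = "Step-up: High-Impact-Download requires MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($PilotGroupId) }
        applications = @{ includeAuthenticationContextClassReferences = @("c1") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $stepUp

# 3. Route browser sessions to the Google SAML app through MDCA
#    (Conditional Access App Control, "Use custom policy" = mcasConfigured).
$route = @{
    displayName = "Session: route Google Workspace through MDCA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @($GoogleAppId) }
        clientAppTypes = @("browser")   # the reverse proxy only mediates browser traffic
    }
    sessionControls = @{
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "mcasConfigured" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $route

# Confirm both policies exist and are still report-only before flipping them to "enabled"
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "Step-up:*" -or $_.DisplayName -like "Session:*" } |
    Select-Object DisplayName, State
```

The session policy that actually demands c1 on a sensitive download is created in the MDCA portal (step "Define MDCA Session Policies"); the Google app must have been onboarded to Conditional Access App Control for the routing policy to take effect.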
Why MDCA Makes a Difference:
CA + AC alone only applies at login or token refresh. SAML/OIDC apps don’t typically re-evaluate policies mid-session.
MDCA adds per-request enforcement, enabling real-time decision-making even mid-session.
Example Scenarios:
| Scenario | Without MDCA | With MDCA |
|---|---|---|
| IP/network change mid-session (Google app) | No re-evaluation until token refresh | MDCA intercepts and forces step-up |
| Unmanaged device downloads data | Session continues post-MFA | MDCA requires step-up or blocks download immediately |
| Consistent policy across apps | Separate logic for each app | Reuse Authentication Context labels across Microsoft and Google apps |
Key Takeaways
Entra ID can serve as your centralized identity and security platform—even if you’re a Google Workspace customer.
SCIM provisioning and SAML SSO ensure identity consistency.
Authentication Context labels provide standardized step-up triggers.
MDCA closes the gaps by enforcing mid-session controls in real time—especially for non-Microsoft apps like Google Workspace.