User Support for the SCIM and SSO for Google Workspace for Internal Staff
π Service Desk Guide: Google / YouTube Login Issues with Microsoft 365 MFA
Purpose
This guide helps Service Desk staff quickly identify when login failures to Google/YouTube are due to Microsoft 365 MFA problems, not SCIM provisioning or Google account issues.
How to provision Teach First users from Entra ID to Google
- Ensure the user is added to either AD-SG-Azure-SSO-Google in Active Directory, or AAD-SG-Azure-SSO-Google in Entra ID
- If you have just added the user, either wait 1 to 2 hours, or ask the Infrastructure team to manually run a sync.
- Entra ID connect syncs every 30 minutes, but the SCIM job from Entra ID to Google runs every few hours, so please give it some time
- After this is done, the user account should be created in the Google workspace in the Staff-SSO OU
π How Login Works
User signs in to Google/YouTube.
Login request is redirected to Microsoft 365 (Azure AD).
Azure AD checks account status and MFA.
If MFA fails, login to Google is blocked, even though the Google account still exists.
β οΈ Common Symptoms (MFA Issue)
User: βI canβt log into YouTube.β
User: βIt keeps asking me for a code I canβt provide.β
In Google Admin Console β account is active.
In Azure AD β account is enabled.
In Azure AD sign-in logs β MFA failure or conditional access denied.
β
What SCIM Does (and Doesnβt Do)
β SCIM does: Create, update, suspend Google accounts when Microsoft account status changes.
β SCIM does not: Care about MFA problems.
β‘ If Microsoft account is enabled, the Google account stays enabled.
π§ Troubleshooting Checklist for Service Desk
Step
Where to Check
What to Do
1
Google Admin Console
Is account suspended?
Yes β SCIM issue.
No β Go to step 2.
2
Azure AD (M365 Admin)
Is account disabled?
Yes β SCIM issue.
No β Go to step 3.
3
User Feedback
Ask if they see MFA prompt / cannot complete MFA.
Yes β MFA issue.
4
Azure AD Sign-in Logs
Look for MFA error codes (e.g., 53003).
Confirms MFA issue.
π How to Help the User (MFA Issues)
Guide user to re-enroll in MFA (via self-service portal if available).
If user lost their device β escalate to IT Security / Identity team to reset MFA.
β Do not reset or delete the Google account β the issue is with Microsoft authentication.
π‘ Quick Reference
Google account suspended β SCIM (user disabled in Microsoft).
Google account active but login fails β MFA issue in Microsoft.
Fix MFA in Microsoft β restores Google access.
βοΈ For Service Desk:
When in doubt, remember:
π If the Google account exists but login fails, itβs almost always MFA.