RM Cloud Service Delivery can assist you with your Microsoft® 365™ and Google Workspace™ federation. For further information, please speak to your Sales representative on 01235 645 316 or email getintouch@rm.com, quoting this article.

Federating a single RM Unify establishment to Microsoft 365 and/or Google Workspace

1. You can federate your RM Unify establishment to Microsoft 365 and/or Google Workspace using the same domain. For example, you can federate the RM Unify establishment MySchool to schoolA.com in Microsoft 365 and schoolA.com in Google Workspace.
2. You can also federate the RM Unify establishment to Microsoft 365 and/or Google Workspace using different domain names. For example, you can federate the RM Unify establishment MySchool to schoolA.com in Microsoft 365 and Aschool.com in Google Workspace.
3. RM Unify does not support federating users from a single RM Unify establishment to multiple domains in Microsoft 365 or Google Workspace. For example, you cannot federate to Microsoft 365 and have students using @students.schoolA.com and teachers using @staff.schoolA.com. 

If you are planning to dual-federate an RM Unify establishment to both Microsoft 365 and Google Workspace then there is particular user matching behaviour to consider. Please read the Procedure section below 'Matching RM Unify users to existing accounts in Microsoft 365 and Google Workspace'.

Single establishment to M365 and/or Google Workspace

Federating multiple RM Unify establishments to different domains in the same Microsoft 365 tenancy

1. You federate each RM Unify establishment to their respective domain as if they were a single RM Unify establishment. For example, you can federate RM Unify MySchool to schoolA.com and RM Unify YourSchool to schoolB.com, where schoolA.com and schoolB.com domains exist in the same Microsoft 365 tenancy.

Multiple establishments to different domains in shared M365

Federating multiple RM Unify establishments to different domains in the same Google Workspace organisation

1. This is supported for multi-academy trusts. You can federate multiple RM Unify establishments to different domains in the same Google Workspace organisation with the creation (by RM) of an additional trust parent RM Unify establishment. This can be created free of charge and before any Google Workspace federation occurs.
2. The trust parent is then used to federate to Google Workspace first, choosing the option in the federation wizard to 'Allow my child establishments to link to a domain in my Google Workspace account'. Once federated, any child establishment linked to the trust parent establishment can have Google Workspace installed using the 'Install for my child establishments' option within the app.
3. Be aware that federating any domain in a Google Workspace organisation will enable the SSO settings for any and all other domains in that tenancy; SSO will be either 'on or off' for all. Unless the domains are federated to RM Unify, or another third-party IdM for access, all users will be 'locked out' of their Google Workspace accounts\domain (excluding Google super admins).

Multiple establishments to different domains in same Google Workspace

Federating multiple RM Unify establishments to the same domain in Microsoft 365 or Google Workspace

1. You can federate multiple RM Unify establishments to the same domain in Microsoft 365. For example, federate three RM Unify establishments to schoolA.com in Microsoft 365 so all the users have an email address with the format user@schoolA.com.
2. This is supported for multi-academy trusts: you can federate multiple RM Unify establishments to the same domain in Google Workspace with the creation (by RM) of an additional trust parent RM Unify establishment. This can be created free of charge and before any Google Workspace federation occurs. The trust parent is then used to federate to Google Workspace first, choosing the option in the federation wizard to 'Allow my child establishments to link to a domain in my Google Workspace account'. Once federated, any child establishment linked to the trust parent establishment can have Google Workspace installed using the 'Install for my child establishments' option within the app.

Multiple establishments to same domain in shared M365 or Google Workspace

Dual-federating multiple RM Unify establishments to Microsoft 365 and Google Workspace

1. In the same way as a single RM Unify establishment can be dual-federated to Microsoft 365 and Google Workspace using the same or different domains, multi-academy trusts also have this option. For example, three RM Unify establishments can federate to different domains in Microsoft 365 (whether shared or separate tenancies) and the same domain in Google Workspace. 

If you are planning to dual-federate an RM Unify establishment to both Microsoft 365 and Google Workspace then there is a particular user matching behaviour to consider. Please read the Procedure section 'Matching RM Unify users to existing accounts in Microsoft 365 and Google Workspace' below.

Dual-federating multi-academy trust establishments

You can match RM Unify users to their existing Microsoft 365 and Google Workspace accounts, regardless of which connector (which of the two services) you add first, provided that the existing email accounts match the userid part of the current RM Unify email address and, in the case of Microsoft 365, the ImmutableID attribute is null. For example, RM Unify user Joe.Smith@MySchool with RM Unify email address of Joe.Smith@SchoolA.com will successfully match to existing Joe.Smith@SchoolA.com in Microsoft 365 and Joe.Smith@SchoolTrust.com in Google Workspace because the Microsoft 365 and Google accounts match the userid part of the RM Unify email address ie. Joe.Smith.

If the existing account in Microsoft 365 or Google Workspace differs from the userid part of the RM Unify email address then user matching to a different account name is only possible with the first connector. The first connector can be Microsoft 365 or Google Workspace. For example, Joe.Smith@MySchool is linked to JSmith@SchoolA.com in Microsoft 365. He also has an existing account in Google Workspace Joe.Smith@SchoolTrust.com. If you federate to Google Workspace (i.e. Google Workspace is your second connector) then his RM Unify account will not be linked to Joe.Smith@SchoolTrust.com because it doesn't match the userid part of his RM Unify email address ie.JSmith. Instead, a new Google Workspace account with name JSmith@SchoolTrust.com will be created and the existing Joe.Smith@SchoolTrust.com will not linked to any RM Unify user.

The solution to this is to change the username on the destination account prior to federation. In this example, change the existing Google Workspace account name from Joe.Smith@SchoolTrust.com to JSmith@SchoolTrust.com and then federate to Google Workspace. In this way, Joe.Smith@MySchool will be matched to his existing Google Workspace account JSmith@SchoolTrust.com, while also retaining his match to JSmith@SchoolA.com in Microsoft 365.

Here is a summary of expected outcomes:

RM Unify username	Microsoft 365 federated domain	RM Unify email address	Desired Google Workspace federated domain	Email address RM Unify will send to Google Workspace after federation
Joe.Smith@MySchool	SchoolA.com	Joe.Smith@SchoolA.com	SchoolA.com	Joe.Smith@SchoolA.com
Joe.Smith@MySchool	SchoolA.com	JSmith@SchoolA.com	SchoolA.com	JSmith@SchoolA.com
Joe.Smith@MySchool	SchoolA.com	Joe.Smith@SchoolA.com	SchoolTrust.com	Joe.Smith@SchoolTrust.com
Joe.Smith@MySchool	SchoolA.com	JSmith@SchoolA.com	SchoolTrust.com	JSmith@SchoolTrust.com

For RM Unify establishments that are federated to both the Microsoft 365 and Google Workspace services using different domains, if you wish to use the 'mail' attribute functionality of AD Sync, then you must ensure that the email address that is synced for users is on the domain of the first federated service. For example:

• RM Unify establishment The George Floyd School - @georgefloyd
• Microsoft 365 federated first using the domain thegeorgefloyd.sch.uk
• Google Workspace federated second using the domain georgefloyd.org
• AD/RM Unify account name format for users is <firstname>.<lastname>, e.g. Daunte.Wright
• Desired email address format, however, is <first_initial><lastname>, e.g. DWright
• Therefore, for the example AD/RM Unify user, Daunte.Wright, the email address override to be synced from AD to RM Unify must be in the format DWright@thegeorgefloyd.sch.uk
• Once the correct email address is synced, RM Unify will update the Microsoft 365 and Google Workspace accounts according to the roles they are installed for

Important: If either Microsoft 365 or Google Workspace is not installed for the users' RM Unify role, any override synced from AD must still be an email address on the domain which was federated first to RM Unify. If you are unsure which service was federated first, please contact RM Support for advice.

Alternative solution: if the above requirements do not suit your needs, it is possible to move away from using RM Unify AD Sync to set email address overrides and, to instead, use the RM Unify Management Console. Please see TEC8279830 in the Other Useful Articles section below.

When an Microsoft 365 or Google Workspace domain is unfederated from RM Unify, we cache some of the configuration settings in the RM Unify data centre in order to allow a quick and easy re-federation. However, currently, the presence of these cached settings will prevent brownfield user matching being presented during any subsequent federation.

If you do not currently have either Microsoft 365 or Google Workspace federated and are finding that the brownfield user matching option is not being presented to you when attempting to federate either Microsoft 365 or Google Workspace, please log a call with RM Support.