Azure to GCP Identity Architecture

This cheat sheet depicts the identity federation between Azure Active Directory (AAD) and Google Workspace, using AAD as the source of truth for all users and group memberships. The diagram illustrates Google Cloud permissions assigned at various points of the resource hierarchy to synced identities, cascading down to the resources beneath them.

The SANS SEC549 course materials are built around a fictional company, Delos International Management, and its phased journey to the cloud. In course labs, students play the role of Delos security architects, tasked with helping the company navigate its transformation into a cloud-first organization.

This architecture was created to support a specific business use case: the Delos Robotics team is centralizing its datasets and operations in the Google Cloud BigQuery service. This required syncing users and groups from Azure Active Directory to Google Workspace and setting up federation, allowing members of the Robotics team to use their corporate credentials when accessing Google Cloud resources.

An initial Google Cloud hierarchy has been created, binding roles at different levels to scope permissions. Identities and managed boundaries are depicted in the diagram, with separate projects for identity federation (containing the OIDC connections) and for the Robotics team's BigQuery instance.
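The two ideas the diagram combines, roles bound at different levels of the hierarchy that cascade downward, and AAD-synced groups as the only place membership is managed, can be modelled in a few lines. The following is an added example, not part of the cheat sheet or the SEC549 labs: the organization, folder, project and group names, the users, and the bindings are all constructed for illustration (the role identifiers are real Google Cloud predefined roles, but where they are bound here is invented). It resolves a user's effective roles on a project by walking up to the organization and unioning bindings, then shows that offboarding a user in the synced group source removes their access everywhere without touching any IAM policy.

```python
"""Toy model of Google Cloud IAM inheritance with AAD-synced groups.

Constructed example: resource names, groups, users and bindings are
illustrative assumptions, not taken from the Delos cheat sheet.
"""
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Resource hierarchy as child -> parent; None marks the organization root.
HIERARCHY: Dict[str, Optional[str]] = {
    "organizations/delos": None,
    "folders/robotics": "organizations/delos",
    "projects/delos-identity-federation": "folders/robotics",
    "projects/delos-robotics-bigquery": "folders/robotics",
}

# Group membership as it would arrive from the AAD -> Google Workspace sync.
# AAD is the source of truth: access changes are made there, not in GCP IAM.
SYNCED_GROUPS: Dict[str, Set[str]] = {
    "group:robotics-analysts@delos.example": {
        "user:alice@delos.example", "user:bob@delos.example"},
    "group:cloud-admins@delos.example": {"user:carol@delos.example"},
}

# IAM bindings attached at different levels of the hierarchy: (role, member).
BINDINGS: Dict[str, List[Tuple[str, str]]] = {
    "organizations/delos": [
        ("roles/resourcemanager.organizationViewer", "group:cloud-admins@delos.example")],
    "folders/robotics": [
        ("roles/viewer", "group:robotics-analysts@delos.example")],
    "projects/delos-identity-federation": [
        ("roles/iam.workloadIdentityPoolAdmin", "group:cloud-admins@delos.example")],
    "projects/delos-robotics-bigquery": [
        ("roles/bigquery.dataEditor", "group:robotics-analysts@delos.example")],
}


def ancestors(resource: str, hierarchy=HIERARCHY) -> Iterator[str]:
    """Yield the resource itself, then each parent up to the organization."""
    node: Optional[str] = resource
    while node is not None:
        yield node
        node = hierarchy[node]


def expand_member(member: str, groups=SYNCED_GROUPS) -> Set[str]:
    """Resolve a binding member to users: groups expand, users pass through.

    Nested groups are not modelled here; a real resolver would recurse.
    """
    if member.startswith("group:"):
        return set(groups.get(member, set()))
    return {member}


def effective_roles(principal: str, resource: str, *, hierarchy=HIERARCHY,
                    bindings=BINDINGS, groups=SYNCED_GROUPS) -> Set[str]:
    """Roles a user holds on `resource`: the union of bindings on it and every ancestor.

    IAM policies are additive down the tree: a role bound on the folder reaches
    every project beneath it, while a role bound on a sibling project does not.
    """
    roles: Set[str] = set()
    for node in ancestors(resource, hierarchy):
        for role, member in bindings.get(node, []):
            if principal in expand_member(member, groups):
                roles.add(role)
    return roles


def offboard(user: str, groups=SYNCED_GROUPS) -> Dict[str, Set[str]]:
    """Model an AAD-side removal: drop the user from every synced group.

    Returns the membership map the next sync would deliver. No IAM binding is
    edited, which is the point of keeping AAD as the source of truth.
    """
    return {g: {m for m in members if m != user} for g, members in groups.items()}


if __name__ == "__main__":
    alice = "user:alice@delos.example"
    for res in ("projects/delos-robotics-bigquery", "projects/delos-identity-federation"):
        print(res, sorted(effective_roles(alice, res)))
    after = offboard("user:bob@delos.example")
    print("bob after offboarding:",
          effective_roles("user:bob@delos.example", "projects/delos-robotics-bigquery", groups=after))
```

The folder-level `roles/viewer` shows up on both child projects, the BigQuery project adds `roles/bigquery.dataEditor` only for that project, and the organization-level binding for the admin group reaches everything. Offboarding changes the group map alone, which is why auditing group membership in the source directory is the right place to review who can reach the BigQuery data.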

This cheat sheet was developed by Kat Traxler to support SEC549: Cloud Security Architecture.

August 8, 2023