Signing into Minecraft: Education Edition on Chromebooks Using Single Sign-On

If you are currently using managed Google Account credentials to sign into Chromebooks, there are a couple of different ways to make it easier for students and teachers to sign into Minecraft: Education Edition using their Microsoft 365 Azure Active Directory (AAD) credentials. This guide will walk you through the options for single sign-on as well as how to link, or federate, your Google and Microsoft accounts together using Security Assertion Markup Language (SAML) so that the same credentials can be used for both Google and Microsoft products.

Note that due to the highly complex and custom nature of account configurations, the Minecraft: Education Edition team will be unable to provide help desk support for setup or troubleshooting of SAML federation.

Option 1: Use Minecraft: Education Edition’s In-App Single Sign-On Feature
Summary
In this option, teachers and students can enable Minecraft to remember their login information, so that Microsoft 365 credentials don’t have to be typed each time Minecraft is opened. This requires no IT Administrator work after the accounts are created in both systems, but does require teachers and students to know both their Google and Microsoft credentials.

  1. Benefits
    Easiest to set up, no work required by IT Administrators once both accounts are created
    Considerations

Students will need to know both Google Account credentials to sign into the Chromebooks and Microsoft 365 credentials to sign in to Minecraft: Education Edition the first time they sign in or if there are problems when signing in.
Accounts will need to be provisioned in both Google and Microsoft systems to access all products.
Minecraft: Education Edition license assignment will be tied to the Microsoft accounts.
Setup In-Application Single Sign-On

The enable single sign-on within Minecraft: Education Edition: 

  1. Sign into Minecraft: Education Edition using your Microsoft 365 Azure Active Directory credentials 
  2. Once signed in to Minecraft: Education Edition, make sure that the Single Sign On is turned on by checking Settings -> Profile -> Enable Single Sign On 
  3. Optional: Automate setup, provisioning, syncing and licensing of accounts in both systems

Option 2: Enabling SAML Federation to use a Microsoft 365 Azure Active Directory Account to Sign into a Chromebook
Summary
In this option, an IT Administrator will need to link the Microsoft accounts to the Google accounts using SAML. This will mean that the teachers and students will use their Microsoft 365 credentials for all Microsoft products and their Google Workspace for Education products. This setup does require significant work by the IT Administrator to setup and manage and there are some things to consider (listed below). However, once fully set up, especially if configured with auto-provisioning and auto-license assignment, there is limited ongoing effort required to keep the two accounts in sync.

Sign into the Chromebook using your managed Google Account credentials 

Benefits

  • Teachers and students will only need to remember one account, their Microsoft 365 account, to access most products and services that support SAML, including both Chromebook sign in and Minecraft sign in.  
  • Existing Microsoft 365 Active Directory accounts can be used to access Google products and services without adding a second account that teachers and students need to use. 

Considerations

  • Some Google services and products do not support sign in using SAML federated accounts. See the FAQ section in Googles’ SAML SSO for Chrome devices article and the SSO Troubleshooting FAQ for more details. 
  • SAML is optimized for Google Workspace for Education web applications. See the SAML SSO FAQ for more information about web applications, including possible errors. 
  • Microsoft also has an FAQ, which includes Known Issues with SAML federation, in the Azure Active Directory SSO guide 
  • Accounts will need to be provisioned in both Google and Microsoft systems and linked together to access all products. Setup, configuration, syncing and testing of these accounts and linking will require significant work by IT Administrators. 
  • Minecraft: Education Edition license assignment will be tied to the Microsoft accounts. 
  • Due to the highly complex and custom nature of account configurations, the Minecraft: Education Edition team will be unable to provide help desk support for setup or troubleshooting of SAML federation.

Setup Microsoft IdP + Google SP SAML Federation

  1. Configure Microsoft as the SAML IdP by following Microsoft’s guide: Azure Active Directory single sign-on (SSO) integration with Google Cloud Connector 
  2. Reference Google’s guides as needed to configure Google as the SP:
  3. Optional: Automate setup, provisioning, syncing and licensing of accounts in both systems

Option 3: Enabling SAML Federation to use a managed Google Account to Sign into Minecraft: Education Edition
Summary
In this option, an IT Administrator will need to link the Google accounts to the Microsoft accounts using SAML. This will mean that the teachers and students will use their Google credentials for all Google products and most Microsoft products. This setup does require significant work by the IT Administrator to setup and manage and there are some limitations to the functionality of some Microsoft products after the accounts are linked. However, once fully set up, especially if configured with auto-provisioning and auto-license assignment, there is limited ongoing effort required to keep the two accounts in sync.

Benefits

  • Teachers and students will only need to remember one account, their Google account, to access most products and services that support SAML, including both Chromebook sign in and Minecraft sign in.  
  • Existing Google accounts can be used to access Microsoft products and services without adding a second account that teachers and students need to use. 

Considerations

  • Some Microsoft services and products do not fully support SAML federated Google accounts, you may encounter the following problems with these accounts:
    • Not possible to signing into Windows devices  
    • Can’t use Intune to manage the accounts 
    • Teams may lose authentication (signing in again should resolve this) 
    • Emails may not be received for @mentions or share notifications within Office documents 
    • In Outlook, email address may not match the Google email address and unexpected email behavior may occur due to Exchange settings  
    • Teams calendars may not match the Google calendar and invites and scheduling may not work as expected 
    • Many of the more complex account management and Active Directory features (such as Active Directory federation, password sync, access to AD-connected resources like printers and file shares) may not work with SAML federated accounts 
  • There are limits to the type and flexibility of the domain configurations when enabling SAML, such as:
    • Can’t enable for only parts of the domain (must be enabled for the whole domain) 
    • Can’t link multiple AAD tenants to the same Google organization 
    • Can’t link multiple domains to the same Google organization 
  • Accounts will need to be provisioned in both Google and Microsoft systems and linked together to access all products. Setup, configuration, syncing and testing of these accounts and linking will require significant work by IT Administrators. 
  • Minecraft: Education Edition license assignment will be tied to the Microsoft accounts. 
  • Due to the highly complex and custom nature of account configurations, the Minecraft: Education Edition team is unable to provide help desk support for setup or troubleshooting of SAML federation. 

How to Enable Google IdP + Microsoft SP SAML Federation
Configure Google as the SAML IdP by following Google’s guide: Set up SSO via SAML for Microsoft Office 365
Configure Microsoft as the SAML SP using PowerShell by following Microsoft’s guide: Configure your SAML 2.0 compliant identity provider
Optional: Automate setup, provisioning, syncing and licensing of accounts in both systems
Google: Configure Microsoft Office 365 auto-provisioning, Automate user provisioning across cloud apps
Microsoft: Plan an automatic user provisioning deployment, Auto-assign Minecraft licenses

Enabling SAML Federation for Other Identity Management Configuration
If you are using a different system to manage identities, such as on-premise Active Directory, Active Directory Federation Services or any other non-Google or non-Microsoft Identity Management system, it may be more difficult to federate it to either a managed Google Account or Microsoft 365 Azure Active Directory system. Please consult your identity provider’s documentation for SAML federation to determine what may be possible.