Intune

How to Setup the new 'Managed Google Domains' in Intune

By
Sebastiaan Smits
This is some text inside of a div block.

This is the first blogpost about Managed Google Domains. This blogpost will focus on the steps to setup Managed Google Domains. Other blogposts will focus on Securing Admin accounts for Managed Google Domains, Creating extra Admin Accounts in Managed Google Domains, Setting up multiple bindings for Managed Google Domains (for example for test Tenants).

Introduction

You need Managed Google Domains if you want to manage Android devices in Intune. It establishes a connection between your Intune tenant and Google Play (specifically, a part of Google Play designed for your enterprise, which you can access by going to https://play.google.com/work and logging in with your Managed Google Domain account). This connection—often called a binding—is used for provisioning Google Accounts for your users and distributing apps to your Android devices.

Starting in mid-2024, Google introduced a new way of binding Managed Google Play to your EMM (MDM). This new method is called Managed Google Domains and replaces the previous method, Managed Google Play accounts enterprise, which required you to create your organization’s Google Account manually. This method is still possible, and you can read how to set it up in the blog post on Managed Google Play.

Managed Google Domain has several benefits compared to Managed Google Play accounts enterprise, a couple are:

  •  You can use a Entra Account that follows your security practices. This account needs a mailbox.
  • Google Admin Console is the place where you can manage your admin account, setup federation, add new admin accounts etc.
  • Ability to setup SSO for Google Admin Console.

Prerequisites

Create an Entra account that you will use as the Admin account in the Google Admin Console to manage Managed Google Play. Set this up in Entra with your normal admin account security settings. This account needs a mailbox (no other permissions or settings are required). Microsoft’s advice is to log in to the Intune Admin Portal with the same credentials you are going to use for Managed Google Domains. In this scenario, the account also needs permission for Intune. In my testing, I found no difference, and this step is not necessary.

Note: You will need appropriate permissions to add the Google Workspace app to Entra, such as Global Administratoror Application Administrator. Additionally, whether regular users can add applications depends on the settings in Entra, specifically the User Settings for app registration.

How to set this up

  1. Start by going to the Intune Admin Portal and navigate to:DevicesAndroidEnrollmentManaged Google Play.

"Screenshot showing navigation to Devices → Android → Enrollment → Managed Google Play in the Intune Admin Portal."

  1. Now click ‘Launch Google to connect now’.

"Image showing the 'Launch Google to connect now' button within the Intune Admin Portal."

  1. The Google Admin Console will start and prefill with your Intune Admin account that you're currently logged in with. You can change this if needed. Simply fill in the Entra account you want to use for the binding (this account only needs a mailbox).

"Screenshot of the Google Admin Console sign-in page with the email address field visible."

  1. The system will detect that the account is an Entra (Microsoft) account. Press ‘Sign in with Microsoft’.

"Screenshot showing the 'Sign in with Microsoft' button on the Google Admin Console sign-in page."

  1. An Enterprise App called Google Workspace will be created in Entra. This app is used to enable you to log in with your Entra account into the Google Admin Console.

Google Workspace screenshot that add subscriptions. The Free Android Enterprise subscription is the only one included.

  1. There are a couple of steps after this that will create the account in the Google Admin Console and establish the binding. When finished, the setup will look like this:

"Screenshot of a successful binding confirmation between Intune and Google Admin Console."

  1. You are now able to log in to the Google Admin Console by going to https://admin.google.com.
    • Navigate to DevicesMobile & endpointsSettingsThird-party integrations to find the newly created binding to Intune.

"Image showing the path to Devices → Mobile & endpoints → Settings → Third-party integrations in the Google Admin Console."

Secure the Google Admin Console with Conditional Access

Once the Google Workspace app has been added to Entra (Azure AD), you can use Conditional Access to secure the authentication process for the Google Admin Console. This enables you to apply additional security policies, such as requiring Multi-Factor Authentication (MFA) or enforcing access only from trusted locations or compliant devices, ensuring that only authorized admins can access the Google Admin Console.

To configure Conditional Access, go to Azure ADSecurityConditional Access, and create a new policy or edit an existing one (for example if you already have a policy targeted at All Apps) that targets the Google Workspace app. You can specify the conditions under which access is allowed, such as requiring compliant devices or enforcing MFA for sensitive actions in the Google Admin Console.

Conclusion

In this blog post, we’ve walked through the new setup flow for Managed Google Play called Managed Google Domains(introduced in mid-2024). With this new approach, you can integrate your Intune tenant with Google Play, manage your Android devices, and take advantage of enhanced security practices through Entra accounts and the Google Admin Console. Future blog posts will cover additional topics related to managing Google domains, including securing admin accounts and setting up multiple bindings for different environments.

READ MORE

February 3, 2025

Use Cloud PKI with Intune – Part 2: Device Configurations

This blog post, part two of the Cloud PKI series, guides you through deploying a Root Certificate and configuring SCEP in Intune to ensure devices receive client certificates for secure authentication.

June 8, 2025

Knox Mobile Enrollment with Intune: Streamlining Android Device Provisioning

Master seamless Android device provisioning. See how to integrate Knox Mobile Enrollment (KME) with Microsoft Intune for efficient, zero-touch enterprise deployments. Your guide to simplified mobile device management starts here.

June 15, 2025

Enhancing Script Security: Implementing Multi-Admin Approval for Intune Scripts

Strengthen your Intune environment against unauthorized or accidental actions across your Windows, iOS and Android fleets. Learn to implement multi-admin approval for critical device commands, adding a vital layer of security and accountability.

June 17, 2025

Automate & Secure: How Intune's DDM Ensures Latest iOS Versions on Your Devices

Master Intune DDM for iOS software updates. This guide shows IT admins how to automatically enforce the latest iOS versions, ensuring devices are secure and compliant. Read more!

In-depth blog posts on Intune, PowerShell, and Mobile Device Management—driven by real-world enterprise experience managing iOS, Android, and Windows devices at scale.
Menu
AboutContact UsPrivacy Policy
External
AppleAndroidWindows
Follow us
© SecureSein by Sebastiaan Smits. Powered by Webflow