Upgrading Managed Google Play: Moving from Google Accounts to Microsoft Entra ID in Microsoft Intune


Lately, I noticed that many companies still use a shared or even personal Gmail account as a linked account for Managed Google Play in Microsoft Intune.
Since 2024, Microsoft has enabled you to use your Microsoft Entra ID account for this connection. Since the end of 2024, it has also been possible to upgrade your “old” connection to Managed Google Play with a Microsoft Entra ID account.

In this blog post, I will take you through the advantages of using a Microsoft Entra ID account instead of keeping your Google account, as well as the upgrade path you need to follow to switch from a Google Account to a Microsoft Entra ID account without breaking the connection.

What are the advantages?

So what are the advantages of using a Microsoft Entra account instead of a Google Account?

  • No personal Gmail accounts needed; use a corporate Microsoft Entra ID account instead.
  • Microsoft‑recommended approach for new Microsoft Intune tenants (since 2024)
  • Simpler onboarding with “Sign in with Microsoft.”
  • Centralized identity management in Microsoft Entra (RBAC, lifecycle control)
  • Stronger security with MFA and Conditional Access
  • Clear ownership & auditability tied to a corporate identity
  • Future‑proof setup aligned with Microsoft Intune & Android Enterprise roadmap

IMPORTANT
The Microsoft Entra ID account must be mailbox‑enabled to complete Google’s verification flow. Do not disconnect an existing Gmail‑based connection lightly; this can break app assignments and require device re‑enrollment.

Upgrade

Requirements

First, let me give an overview of the requirements of the Microsoft Entra ID account to connect to Managed Google Play:

  • Microsoft Entra user account: The account must exist in your Microsoft Entra tenant and be used to administer the Intune connection.
  • Mailbox‑enabled account: The Microsoft Entra ID account must have an active mailbox to complete Google’s email verification during onboarding.
  • Sufficient Intune permissions: The account must have permissions to configure Android enrollment (for example, Intune Administrator or Global Administrator).
  • Ability to consent to Google permissions: The admin must be allowed to approve Google’s required permissions to create and manage the Android Enterprise / Managed Google Play binding.
  • Interactive sign‑in allowed: The account must be able to perform interactive sign‑in (not a service account) to complete the “Sign in with Microsoft” flow.
  • Not blocked by Conditional Access: Conditional Access policies must allow access to Google services (play.google.com / enterprise.google.com) during setup.
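A pre-flight check for these requirements, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK and also checks the first and last name condition and the consent role that the upgrade walkthrough mentions. The UPN is a placeholder, and a populated mail attribute is assumed here as a proxy for "mailbox-enabled".

```powershell
# Added example: check the account that will own the Managed Google Play binding
# before starting the upgrade. Requires the Microsoft.Graph PowerShell modules.
$Upn = 'mgp-admin@contoso.example'   # placeholder: your generic admin account

Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory'

$user = Get-MgUser -UserId $Upn `
    -Property 'id,userPrincipalName,accountEnabled,givenName,surname,mail'

# Directory roles assigned directly to the account. Group-based and
# PIM-eligible (not yet activated) assignments are not resolved here.
$roles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }

$intuneRoles  = 'Intune Administrator', 'Global Administrator'
$consentRoles = 'Cloud Application Administrator', 'Global Administrator'

$checks = [ordered]@{
    # A disabled account cannot complete the interactive sign-in flow.
    'Account enabled (interactive sign-in)' = [bool]$user.AccountEnabled
    # The upgrade may fail when either name field is empty.
    'First name set'                        = -not [string]::IsNullOrWhiteSpace($user.GivenName)
    'Last name set'                         = -not [string]::IsNullOrWhiteSpace($user.Surname)
    # Assumption: a populated mail attribute stands in for an active mailbox.
    'Mail attribute populated'              = -not [string]::IsNullOrWhiteSpace($user.Mail)
    'Intune permissions'                    = [bool]($roles | Where-Object { $_ -in $intuneRoles })
    'Can consent to Google permissions'     = [bool]($roles | Where-Object { $_ -in $consentRoles })
}

# One row per requirement; any FAIL should be fixed before selecting Upgrade.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Requirement = $_.Key
        Result      = if ($_.Value) { 'OK' } else { 'FAIL' }
    }
} | Format-Table -AutoSize

# Not covered: Conditional Access. Confirm separately that no policy blocks
# this account from reaching play.google.com / enterprise.google.com.
```

A FAIL on the mail check still needs confirming in Exchange Online, since the attribute alone does not prove that Google's verification e-mail will be delivered.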

Upgrade path

Let’s first take a look at our connection. Go to the Microsoft Intune admin center | Devices | Device Onboarding | Enrollment and, in the Android blade, choose Managed Google Play underneath the Android Enterprise prerequisites.

When we look at the details of our connection, we see that it is currently still linked to a Google account. Please also note that there is an Upgrade button available, which is only there if your connection is still linked to a Google account.

WARNING
Don’t disconnect your Google Account; this will break everything. Apps and enrollment profiles will be removed, which means all devices will become useless.

Now let’s upgrade our connection. Select Upgrade. You’ll get the following pop-up.

INFORMATION
Make sure you use a generic admin account for the connection, instead of your personal admin account.

A pop-up will appear. Fill in your Microsoft Entra ID admin account and choose Next.

You’ll receive a message stating that your account is managed by Microsoft. Select Sign in with Microsoft.

Make sure your account can grant permission to the Google Workspace app, or ask an admin to grant those permissions. You’ll need the Cloud Application Administrator role for this. Choose Accept.

Fill in the required information and choose Continue. Notice that First name and Last name are greyed out; this is because our Microsoft Entra ID account had those fields filled in.

WARNING
Make sure your Microsoft Entra ID account has a first and last name entered in the account properties. If this is not the case, the upgrade may fail.

In Add subscriptions to your admin account, just leave Android Enterprise checked and choose Next.

Choose Agree and continue on the Create account page.

Everything is ready to upgrade your account. Choose Upgrade to start.

Your account is being set up. Just wait a couple of seconds.

Your organization is now upgraded.

If we go back to the Microsoft Intune admin center, you’ll notice that the Linked account is now the one we’ve used during the upgrade. Also, notice that the Upgrade button is now greyed out.

Your Managed Google Play is now upgraded to a Microsoft Entra ID account without breaking your enrollment.

Conclusion

Switching the Managed Google Play linked account from a personal/shared Google account to a Microsoft Entra ID account gives you centralized identity and lifecycle control, single sign‑on, and the ability to apply tenant security policies (MFA, Conditional Access) to the account that manages Android Enterprise. This reduces orphaned or unmanaged admin access and improves auditability. Google and Microsoft have simplified the signup, so Microsoft Entra ID accounts are now supported and recommended for new connections, while existing Gmail‑based links remain supported but carry longer‑term governance risk.

So if you are still using any “good old” Google accounts for your connection to Managed Google Play, it’s time to upgrade! Till the next one!