In this tutorial, you will set up a test lab and configure a SAML connection and SCIM provisioning between Microsoft Entra ID and IAM Identity Center. During the initial preparation steps, you'll create a test user (Nikki Wolf) in both Microsoft Entra ID and IAM Identity Center, which you'll use to test the SAML connection in both directions. Later, as part of the SCIM steps, you'll create a different test user (Richard Roe) to verify that new attributes in Microsoft Entra ID are synchronizing to IAM Identity Center as expected.
Before you can get started with this tutorial, you'll first need to set up the following:
The following are important considerations about Microsoft Entra ID that can affect how you plan to implement automatic provisioning with IAM Identity Center in your production environment using the SCIM v2 protocol.
Automatic Provisioning
Before you begin deploying SCIM, we recommend that you first review Considerations for using automatic provisioning.
Attributes for access control
Attributes for access control are used in permission policies that determine who in your identity source can access your AWS resources. If an attribute is removed from a user in Microsoft Entra ID, that attribute will not be removed from the corresponding user in IAM Identity Center. This is a known limitation in Microsoft Entra ID. If an attribute is changed to a different (non-empty) value on a user, that change will be synchronized to IAM Identity Center.
Nested Groups
The Microsoft Entra ID user provisioning service can't read or provision users in nested groups. Only users that are immediate members of an explicitly assigned group can be read and provisioned. Microsoft Entra ID doesn't recursively unpack the group memberships of indirectly assigned users or groups (users or groups that are members of a group that is directly assigned). For more information, see Assignment-based scoping in the Microsoft documentation.
Alternatively, you can use IAM Identity Center AD Sync to integrate Active Directory groups with IAM Identity Center.
Dynamic Groups
The Microsoft Entra ID user provisioning service can read and provision users in dynamic groups. The following example shows a users and groups structure that uses dynamic groups and how it is displayed in IAM Identity Center after the users and groups are provisioned from Microsoft Entra ID into IAM Identity Center via SCIM.
For example, if the Microsoft Entra ID structure for dynamic groups is as follows:
- Group A with members ua1, ua2
- Group B with members ub1
- Group C with members uc1
- Group K with a rule to include members of Group A, B, C
- Group L with a rule to include members of Group B and C
After the user and group information is provisioned from Microsoft Entra ID into IAM Identity Center through SCIM, the structure will be as follows:
- Group A with members ua1, ua2
- Group B with members ub1
- Group C with members uc1
- Group K with members ua1, ua2, ub1, uc1
- Group L with members ub1, uc1
When you configure automatic provisioning using dynamic groups, keep the following considerations in mind.
- A dynamic group can include a nested group. However, the Microsoft Entra ID provisioning service doesn't flatten the nested group. For example, if you have the following Microsoft Entra ID structure for dynamic groups:
  - Group A is a parent of group B.
  - Group A has ua1 as a member.
  - Group B has ub1 as a member.
  The dynamic group that includes Group A will only include the direct members of group A (that is, ua1). It won't recursively include members of group B.
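The two membership behaviours above (dynamic groups are flattened, nested groups are not) are easy to get wrong when planning assignments, so here is an added example (not from the AWS documentation) that models them and reports which users would silently fail to reach IAM Identity Center. The data model is an assumption for this example: a group has direct users, may directly nest other groups, and a dynamic group has a rule naming the groups whose members it includes.

```python
# Added example, not from the AWS documentation: a model of how the Microsoft
# Entra ID provisioning service resolves group membership before sending it to
# IAM Identity Center over SCIM, plus a check for users that are left out.
# Assumed, simplified data model (not Entra's real object model): a group has
# direct user members, may directly nest other groups, and (if dynamic) has a
# rule naming the groups whose members it includes.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    users: set = field(default_factory=set)   # direct user members
    groups: set = field(default_factory=set)  # directly nested groups
    rule: set = field(default_factory=set)    # dynamic rule: include members of these groups


def provisioned_members(groups: dict, name: str) -> set:
    """Users the provisioning service sends for this group: its direct users plus,
    for a dynamic group, the direct users of each referenced group. No recursion,
    so members of nested groups are never picked up."""
    g = groups[name]
    members = set(g.users)
    for ref in g.rule:
        members |= groups[ref].users  # direct members of the referenced group only
    return members


def intended_members(groups: dict, name: str, seen=None) -> set:
    """Users an administrator probably expects: the same resolution but with nested
    groups unpacked recursively. Used only to find the gap; this is NOT what Entra does."""
    if seen is None:
        seen = set()
    if name in seen:          # guard against group cycles
        return set()
    seen.add(name)
    g = groups[name]
    members = set(g.users)
    for child in g.groups | g.rule:
        members |= intended_members(groups, child, seen)
    return members


def unprovisioned_members(groups: dict, name: str) -> set:
    """Users who belong through nesting but will not reach IAM Identity Center."""
    return intended_members(groups, name) - provisioned_members(groups, name)


# Constructed sample matching the first structure in the text.
FLAT = {
    "A": Group("A", users={"ua1", "ua2"}),
    "B": Group("B", users={"ub1"}),
    "C": Group("C", users={"uc1"}),
    "K": Group("K", rule={"A", "B", "C"}),
    "L": Group("L", rule={"B", "C"}),
}

# Constructed sample matching the nested-group caveat: A is a parent of B,
# and dynamic group D has a rule that includes Group A.
NESTED = {
    "A": Group("A", users={"ua1"}, groups={"B"}),
    "B": Group("B", users={"ub1"}),
    "D": Group("D", rule={"A"}),
}

if __name__ == "__main__":
    for name in FLAT:
        print(f"Group {name}: {sorted(provisioned_members(FLAT, name))}")
    print("D provisioned:", sorted(provisioned_members(NESTED, "D")))    # ['ua1']
    print("D left out:   ", sorted(unprovisioned_members(NESTED, "D")))  # ['ub1']
```

Run `unprovisioned_members` over your own group model before relying on a dynamic group for assignments; any non-empty result is a user who will be missing in IAM Identity Center.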
In this step, you will walk through how to install and configure your AWS IAM Identity Center enterprise application and assign access to a newly created Microsoft Entra ID test user.
Step 1.1: Set up the AWS IAM Identity Center enterprise application in Microsoft Entra ID
In this procedure, you install the AWS IAM Identity Center enterprise application in Microsoft Entra ID. You will need this application later to configure your SAML connection with AWS.
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- Navigate to Identity > Applications > Enterprise applications, and then choose New application.
- On the Browse Microsoft Entra Gallery page, enter AWS IAM Identity Center in the search box.
- Select AWS IAM Identity Center from the results.
- Choose Create.
Step 1.2: Create a test user in Microsoft Entra ID
Nikki Wolf is the name of the Microsoft Entra ID test user that you will create in this procedure.
- In the Microsoft Entra admin center console, navigate to Identity > Users > All users.
- Select New user, and then choose Create new user at the top of the screen.
- In User principal name, enter NikkiWolf, and then select your preferred domain and extension. For example, NikkiWolf@example.org.
- In Display name, enter NikkiWolf.
- In Password, enter a strong password or select the eye icon to show the password that was auto-generated, and either copy or write down the value that's displayed.
- Choose Properties. In First name, enter Nikki. In Last name, enter Wolf.
- Choose Review + create, and then choose Create.
Step 1.3: Test Nikki's experience prior to assigning her permissions to AWS IAM Identity Center
In this procedure, you will verify that Nikki can successfully sign in to her Microsoft My Account portal.
- In the same browser, open a new tab, go to the My Account portal sign-in page, and enter Nikki's full email address. For example, NikkiWolf@example.org.
- When prompted, enter Nikki's password, and then choose Sign in. If this was an auto-generated password, you will be prompted to change the password.
- On the Action Required page, choose Ask later to bypass the prompt for additional security methods.
- On the My account page, in the left navigation pane, choose My Apps. Notice that besides Add-ins, no apps are displayed at this time. You'll add an AWS IAM Identity Center app that will appear here in a later step.
Step 1.4: Assign permissions to Nikki in Microsoft Entra ID
Now that you have verified that Nikki can successfully access the My account portal, use this procedure to assign her user to the AWS IAM Identity Center app.
- In the Microsoft Entra admin center console, navigate to Identity > Applications > Enterprise applications, and then choose AWS IAM Identity Center from the list.
- On the left, choose Users and groups.
- Choose Add user/group. You can ignore the message stating that groups are not available for assignment. This tutorial does not use groups for assignments.
- On the Add Assignment page, under Users, choose None Selected.
- Select NikkiWolf, and then choose Select.
- On the Add Assignment page, choose Assign. NikkiWolf now appears in the list of users who are assigned to the AWS IAM Identity Center app.
In this step, you'll walk through how to use IAM Identity Center to configure access permissions (via a permission set), manually create a corresponding Nikki Wolf user, and assign her the permissions necessary to administer resources in AWS.
Step 2.1: Create a RegionalAdmin permission set in IAM Identity Center
This permission set will be used to grant Nikki the AWS account permissions required to manage Regions from the Account page within the AWS Management Console. All other permissions to view or manage any other information for Nikki's account are denied by default.
- Open the IAM Identity Center console.
- Under Multi-account permissions, choose Permission sets.
- Choose Create permission set.
- On the Select permission set type page, select Custom permission set, and then choose Next.
- Select Inline policy to expand it, and then create a policy for the permission set using the following steps:
  - Choose Add new statement to create a policy statement.
  - Under Edit statement, select Account from the list, and then choose the following checkboxes:
    - ListRegions
    - GetRegionOptStatus
    - DisableRegion
    - EnableRegion
  - Next to Add a resource, choose Add.
  - On the Add resource page, under Resource type, select All Resources, and then choose Add resource. Verify that your policy looks like the following:
    {
      "Statement": [
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Action": [
            "account:ListRegions",
            "account:DisableRegion",
            "account:EnableRegion",
            "account:GetRegionOptStatus"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
- Choose Next.
- On the Specify permission set details page, under Permission set name, enter RegionalAdmin, and then choose Next.
- On the Review and create page, choose Create. You should see RegionalAdmin displayed in the list of permission sets.
Step 2.2: Create a corresponding NikkiWolf user in IAM Identity Center
Since the SAML protocol does not provide a mechanism to query the IdP (Microsoft Entra ID) and automatically create users here in IAM Identity Center, use the following procedure to manually create a user in IAM Identity Center that mirrors the core attributes of Nikki Wolf's user in Microsoft Entra ID.
- Open the IAM Identity Center console.
- Choose Users, choose Add user, and then provide the following information:
  - For both Username and Email address – Enter the same NikkiWolf@yourcompanydomain.extension that you used when creating your Microsoft Entra ID user. For example, NikkiWolf@example.org.
  - Confirm email address – Re-enter the email address from the previous step.
  - First name – Enter Nikki.
  - Last name – Enter Wolf.
  - Display name – Enter Nikki Wolf.
- Choose Next twice, then choose Add user.
- Select Close.
Step 2.3: Assign Nikki to the RegionalAdmin permission set in IAM Identity Center
Here you locate the AWS account in which Nikki will administer Regions, and then assign the permissions required for her to successfully access the AWS access portal.
- Open the IAM Identity Center console.
- Under Multi-account permissions, choose AWS accounts.
- Select the checkbox next to the account name (for example, Sandbox) where you want to grant Nikki access to manage Regions, and then choose Assign users and groups.
- On the Assign users and groups page, choose the Users tab, find and check the box next to Nikki, and then choose Next.
In this step, you configure your SAML connection using the AWS IAM Identity Center enterprise application in Microsoft Entra ID together with the external IdP settings in IAM Identity Center.
Step 3.1: Collect required service provider metadata from IAM Identity Center
In this step, you will launch the Change identity source wizard from within the IAM Identity Center console and retrieve the metadata file and the AWS-specific sign-in URL you'll need to enter when configuring the connection with Microsoft Entra ID in the next step.
- In the IAM Identity Center console, choose Settings.
- On the Settings page, choose the Identity source tab, and then choose Actions > Change identity source.
- On the Choose identity source page, select External identity provider, and then choose Next.
- On the Configure external identity provider page, under Service provider metadata, choose Download metadata file to download the XML file.
- In the same section, locate the AWS access portal sign-in URL value and copy it. You will need to enter this value when prompted in the next step.
- Leave this page open, and move to the next step (Step 3.2) to configure the AWS IAM Identity Center enterprise application in Microsoft Entra ID. Later, you'll return to this page to complete the process.
Step 3.2: Configure the AWS IAM Identity Center enterprise application in Microsoft Entra ID
This procedure establishes one half of the SAML connection, on the Microsoft side, using the values from the metadata file and the sign-in URL you obtained in the last step.
- In the Microsoft Entra admin center console, navigate to Identity > Applications > Enterprise applications, and then choose AWS IAM Identity Center.
- On the left, choose 2. Set up Single sign-on.
- On the Set up Single Sign-On with SAML page, choose SAML. Then choose Upload metadata file, choose the folder icon, select the service provider metadata file that you downloaded in the previous step, and then choose Add.
- On the Basic SAML Configuration page, verify that both the Identifier and Reply URL values now point to endpoints in AWS that start with https://<REGION>.signin.aws.amazon.com/platform/saml/.
- Under Sign on URL (Optional), paste in the AWS access portal sign-in URL value you copied in the previous step (Step 3.1), choose Save, and then choose X to close the window.
- If prompted to test single sign-on with AWS IAM Identity Center, choose No, I'll test later. You will do this verification in a later step.
- On the Set up Single Sign-On with SAML page, in the SAML Certificates section, next to Federation Metadata XML, choose Download to save the metadata file to your system. You will need to upload this file when prompted in the next step.
Step 3.3: Configure the Microsoft Entra ID external IdP in AWS IAM Identity Center
Here you will return to the Change identity source wizard in the IAM Identity Center console to complete the second half of the SAML connection in AWS.
- Return to the browser session you left open from Step 3.1 in the IAM Identity Center console.
- On the Configure external identity provider page, in the Identity provider metadata section, under IdP SAML metadata, choose the Choose file button, select the identity provider metadata file that you downloaded from Microsoft Entra ID in the previous step, and then choose Open.
- Choose Next.
- After you read the disclaimer and are ready to proceed, enter ACCEPT.
- Choose Change identity source to apply your changes.
Step 3.4: Test that Nikki is redirected to the AWS access portal
In this procedure, you will test the SAML connection by signing in to Microsoft's My Account portal with Nikki's credentials. Once authenticated, you'll select the AWS IAM Identity Center application, which will redirect Nikki to the AWS access portal.
- Go to the My Account portal sign-in page, and enter Nikki's full email address. For example, NikkiWolf@example.org.
- When prompted, enter Nikki's password, and then choose Sign in.
- On the My account page, in the left navigation pane, choose My Apps.
- On the My Apps page, select the app named AWS IAM Identity Center. This should prompt you for additional authentication.
- On Microsoft's sign-in page, choose your NikkiWolf credentials. If prompted a second time for authentication, choose your NikkiWolf credentials again. This should automatically redirect you to the AWS access portal.
  If you are not redirected successfully, check to make sure the AWS access portal sign-in URL value you entered in Step 3.2 matches the value you copied from Step 3.1.
- Verify that your AWS accounts display.
  If the page is empty and no AWS accounts display, confirm that Nikki was successfully assigned to the RegionalAdmin permission set (see Step 2.3).
Step 3.5: Test Nikki's level of access to manage her AWS account
In this step, you will check Nikki's level of access to manage the Region settings for her AWS account. Nikki should only have sufficient administrator privileges to manage Regions from the Account page.
- In the AWS access portal, choose the Accounts tab to display the list of accounts. The account names, account IDs, and email addresses associated with any accounts where you've defined permission sets appear.
- Choose the account name (for example, Sandbox) where you applied the permission set (see Step 2.3). This will expand the list of permission sets that Nikki can choose from to manage her account.
- Next to RegionalAdmin, choose Management console to assume the role you defined in the RegionalAdmin permission set. This will redirect you to the AWS Management Console home page.
- In the upper-right corner of the console, choose your account name, and then choose Account. This will take you to the Account page. Notice that all other sections on this page display a message that you don't have the necessary permissions to view or modify those settings.
- On the Account page, scroll down to the AWS Regions section. Select a checkbox for any available Region in the table. Notice that Nikki does have the necessary permissions to Enable or Disable the list of Regions for her account, as was intended.
Steps 1 through 3 helped you to successfully implement and test your SAML connection. Now, to complete the tutorial, we encourage you to move on to Step 4 to implement automatic provisioning.
In this step, you will set up automatic provisioning (synchronization) of user information from Microsoft Entra ID into IAM Identity Center using the SCIM v2.0 protocol. You configure this connection in Microsoft Entra ID using your SCIM endpoint for IAM Identity Center and a bearer token that is created automatically by IAM Identity Center.
When you configure SCIM synchronization, you create a mapping of your user attributes in Microsoft Entra ID to the named attributes in IAM Identity Center. This causes the expected attributes to match between IAM Identity Center and Microsoft Entra ID.
The following steps walk you through how to enable automatic provisioning of users that primarily reside in Microsoft Entra ID to IAM Identity Center using the IAM Identity Center app in Microsoft Entra ID.
Step 4.1: Create a second test user in Microsoft Entra ID
For testing purposes, you will create a new user (Richard Roe) in Microsoft Entra ID. Later, after you set up SCIM synchronization, you will test that this user and all relevant attributes were synced successfully to IAM Identity Center.
- In the Microsoft Entra admin center console, navigate to Identity > Users > All users.
- Select New user, and then choose Create new user at the top of the screen.
- In User principal name, enter RichRoe, and then select your preferred domain and extension. For example, RichRoe@example.org.
- In Display name, enter RichRoe.
- In Password, enter a strong password or select the eye icon to show the password that was auto-generated, and either copy or write down the value that's displayed.
- Choose Properties, and then provide the following values:
  - First name – Enter Richard
  - Last name – Enter Roe
  - Job title – Enter Marketing Lead
  - Department – Enter Sales
  - Employee ID – Enter 12345
- Choose Review + create, and then choose Create.
Step 4.2: Enable automatic provisioning in IAM Identity Center
In this procedure, you will use the IAM Identity Center console to enable automatic provisioning of users and groups coming from Microsoft Entra ID into IAM Identity Center.
- Open the IAM Identity Center console, and choose Settings in the left navigation pane.
- On the Settings page, under the Identity source tab, notice that Provisioning method is set to Manual.
- Locate the Automatic provisioning information box, and then choose Enable. This immediately enables automatic provisioning in IAM Identity Center and displays the necessary SCIM endpoint and access token information.
- In the Inbound automatic provisioning dialog box, copy each of the values for the following options. You will need to paste these in the next step when you configure provisioning in Microsoft Entra ID.
  - SCIM endpoint – For example, https://scim.us-east-2.amazonaws.com/11111111111-2222-3333-4444-555555555555/scim/v2
  - Access token – Choose Show token to copy the value.
  This is the only time you can obtain the SCIM endpoint and access token. Ensure you copy these values before moving forward.
- Choose Close.
- Under the Identity source tab, notice that Provisioning method is now set to SCIM.
Step 4.3: Configure automatic provisioning in Microsoft Entra ID
Now that you have your RichRoe test user in place and have enabled SCIM in IAM Identity Center, you can proceed with configuring the SCIM synchronization settings in Microsoft Entra ID.
- In the Microsoft Entra admin center console, navigate to Identity > Applications > Enterprise applications, and then choose AWS IAM Identity Center.
- Choose Provisioning, and then under Manage, choose Provisioning again.
- In Provisioning Mode, select Automatic.
- Under Admin Credentials, in Tenant URL, paste in the SCIM endpoint URL value you copied earlier in Step 4.2. In Secret Token, paste in the Access token value.
- Choose Test Connection. You should see a message indicating that the tested credentials were successfully authorized to enable provisioning.
- Choose Save.
- Under Manage, choose Users and groups, and then choose Add user/group.
- On the Add Assignment page, under Users, choose None Selected.
- Select RichRoe, and then choose Select.
- On the Add Assignment page, choose Assign.
- Choose Overview, and then choose Start provisioning.
Step 4.4: Verify that synchronization occurred
In this section, you will verify that Richard's user was successfully provisioned and that all attributes are displayed in IAM Identity Center.
- In the IAM Identity Center console, choose Users.
- On the Users page, you should see your RichRoe user displayed. Notice that in the Created by column the value is set to SCIM.
- Choose RichRoe, and under Profile, verify that the following attributes were copied from Microsoft Entra ID:
  - First name – Richard
  - Last name – Roe
  - Department – Sales
  - Title – Marketing Lead
  - Employee number – 12345
Now that Richard's user has been created in IAM Identity Center, you can assign it to any permission set so you can control the level of access he has to your AWS resources. For example, you could assign RichRoe to the RegionalAdmin permission set you used earlier to grant Nikki the permissions to manage Regions (see Step 2.3) and then test his level of access using Step 3.5.
You have successfully set up a SAML connection between Microsoft and AWS and have verified that automatic provisioning is working to keep everything in sync. Now you can apply what you've learned to more smoothly set up your production environment.
If you are experiencing issues with Microsoft Entra ID users not synchronizing to IAM Identity Center, it might be due to a syntax issue that IAM Identity Center has flagged when a new user is being added to IAM Identity Center. You can confirm this by checking the Microsoft Entra ID audit logs for failed events, such as an 'Export'. The Status Reason for this event will state:
{"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Request is unparsable, syntactically incorrect, or violates schema.","status":"400"}
You can also check AWS CloudTrail for the failed event. This can be done by searching in the Event History console of CloudTrail using the following filter:
"eventName":"CreateUser"
The error in the CloudTrail event will state the following:
"errorCode": "ValidationException",
"errorMessage": "Currently list attributes only allow single item"
Ultimately, this exception means that one of the values passed from Microsoft Entra ID contained more values than anticipated. The solution is to review the attributes of the user in Microsoft Entra ID, ensuring that none contain duplicate values. One common example of duplicate values is having multiple values present for contact numbers such as mobile, work, and fax. Although they are separate values, they are all passed to IAM Identity Center under the single parent attribute phoneNumbers.
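The failure above is easier to catch before provisioning than after, so here is an added example (not from the AWS documentation) that flags any multi-valued attribute in a SCIM 2.0 User resource carrying more than one item, and that recognises the matching CloudTrail CreateUser error record. The SCIM user and CloudTrail event are constructed for this example; the list of multi-valued attribute names is taken from the SCIM core User schema (RFC 7643).

```python
# Added example, not from the AWS documentation. Pre-flight check for the
# "Currently list attributes only allow single item" rejection described above.
# SAMPLE_USER and SAMPLE_EVENT are constructed; only the errorCode/errorMessage
# strings and the phoneNumbers attribute name come from the text.
import json

# Multi-valued attributes in the SCIM 2.0 core User schema (RFC 7643, section 4.1.2).
LIST_ATTRIBUTES = ("emails", "phoneNumbers", "addresses", "ims", "photos",
                   "entitlements", "roles", "x509Certificates")


def multi_item_attributes(user: dict) -> dict:
    """Return {attribute: item count} for every list attribute with more than one item,
    i.e. the attributes IAM Identity Center would reject on CreateUser."""
    return {name: len(user[name]) for name in LIST_ATTRIBUTES
            if isinstance(user.get(name), list) and len(user[name]) > 1}


def is_single_item_violation(event: dict) -> bool:
    """True if a CloudTrail record is the CreateUser ValidationException quoted above."""
    return (event.get("eventName") == "CreateUser"
            and event.get("errorCode") == "ValidationException"
            and "list attributes only allow single item" in event.get("errorMessage", ""))


# Constructed SCIM payload: a user with mobile, work and fax numbers, which all
# travel under the single parent attribute phoneNumbers.
SAMPLE_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "RichRoe@example.org",
  "name": {"givenName": "Richard", "familyName": "Roe"},
  "emails": [{"value": "RichRoe@example.org", "type": "work", "primary": true}],
  "phoneNumbers": [
    {"value": "+1 555 0100", "type": "mobile"},
    {"value": "+1 555 0101", "type": "work"},
    {"value": "+1 555 0102", "type": "fax"}
  ]
}""")

# Constructed CloudTrail record carrying the error fields quoted in the text.
SAMPLE_EVENT = {
    "eventName": "CreateUser",
    "errorCode": "ValidationException",
    "errorMessage": "Currently list attributes only allow single item",
}

if __name__ == "__main__":
    print(multi_item_attributes(SAMPLE_USER))      # {'phoneNumbers': 3}
    print(is_single_item_violation(SAMPLE_EVENT))  # True
```

Any attribute reported by `multi_item_attributes` is one to trim to a single value on the Microsoft Entra ID user (or to exclude from the Entra attribute mapping) before the next provisioning cycle.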
For general SCIM troubleshooting tips, see Troubleshooting IAM Identity Center issues.
Now that you have successfully configured SAML and SCIM, you can optionally choose to configure attribute-based access control (ABAC). ABAC is an authorization strategy that defines permissions based on attributes.
With Microsoft Entra ID, you can use either of the following two methods to configure ABAC for use with IAM Identity Center.
Configure user attributes in Microsoft Entra ID for access control in IAM Identity Center
In the following procedure, you will determine which attributes in Microsoft Entra ID should be used by IAM Identity Center to manage access to your AWS resources. Once defined, Microsoft Entra ID sends these attributes to IAM Identity Center through SAML assertions. You will then need to create a permission set in IAM Identity Center to manage access based on the attributes you passed from Microsoft Entra ID.
Before you begin this procedure, you first need to enable the Attributes for access control feature. For more information about how to do this, see Enable and configure attributes for access control.
- In the Microsoft Entra admin center console, navigate to Identity > Applications > Enterprise applications, and then choose AWS IAM Identity Center.
- Choose Single sign-on.
- In the Attributes & Claims section, choose Edit.
- On the Attributes & Claims page, do the following:
  - Choose Add new claim.
  - For Name, enter AccessControl:AttributeName. Replace AttributeName with the name of the attribute you are expecting in IAM Identity Center. For example, AccessControl:Department.
  - For Namespace, enter https://aws.amazon.com/SAML/Attributes.
  - For Source, choose Attribute.
  - For Source attribute, use the drop-down list to choose the Microsoft Entra ID user attribute. For example, user.department.
- Repeat the previous step for each attribute you need to send to IAM Identity Center in the SAML assertion.
- Choose Save.
Configure ABAC using IAM Identity Center
With this method, you use the Attributes for access control feature in IAM Identity Center to pass an Attribute element with the Name attribute set to https://aws.amazon.com/SAML/Attributes/AccessControl:{TagKey}.
You can use this element to pass attributes as session tags in the SAML assertion. For more information about session tags, see Passing session tags in AWS STS in the IAM User Guide.
To pass attributes as session tags, include the AttributeValue element that specifies the value of the tag. For example, to pass the tag key-value pair Department=billing, use the following attribute:
<saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:Department">
    <saml:AttributeValue>billing</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
If you need to add multiple attributes, include a separate Attribute element for each tag.
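Both ABAC methods above end up as the same SAML AttributeStatement (the Entra claim Name plus Namespace form the full https://aws.amazon.com/SAML/Attributes/AccessControl:{TagKey} attribute Name), so here is an added example (not from the AWS documentation) that builds that statement for several tags and, on the receiving side, extracts the session tags from an assertion while rejecting an attribute that carries more than one value. It uses only the Python standard library and the standard SAML 2.0 assertion namespace; the tag values are constructed.

```python
# Added example, not from the AWS documentation. Builds and parses the
# AccessControl:{TagKey} AttributeStatement described above.
# SAMPLE_TAGS is constructed; the namespace and attribute prefix are as given in the text.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # standard SAML 2.0 assertion namespace
ACCESS_CONTROL_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"
ET.register_namespace("saml", SAML_NS)


def build_attribute_statement(tags: dict) -> str:
    """Emit one <saml:Attribute> per tag key, each with a single <saml:AttributeValue>."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for key, value in tags.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             Name=f"{ACCESS_CONTROL_PREFIX}{key}")
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def extract_session_tags(xml_text: str) -> dict:
    """Return {TagKey: value} for every AccessControl attribute in the statement (or in a
    whole assertion). Attributes with other Names are ignored; an AccessControl attribute
    with anything other than exactly one AttributeValue is rejected, because a session
    tag has exactly one value."""
    root = ET.fromstring(xml_text)
    tags = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if not name.startswith(ACCESS_CONTROL_PREFIX):
            continue
        values = [v.text.strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue") if v.text]
        if len(values) != 1:
            raise ValueError(f"{name}: expected exactly one AttributeValue, got {len(values)}")
        tags[name[len(ACCESS_CONTROL_PREFIX):]] = values[0]
    return tags


# Constructed sample: the Department=billing tag from the text plus a second tag.
SAMPLE_TAGS = {"Department": "billing", "CostCenter": "1234"}

if __name__ == "__main__":
    statement = build_attribute_statement(SAMPLE_TAGS)
    print(statement)
    print(extract_session_tags(statement))  # {'Department': 'billing', 'CostCenter': '1234'}
```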