Configure SAML and SCIM with Microsoft Entra ID and IAM Identity Center
AWS IAM Identity Center supports integration with Security Assertion Markup Language (SAML) 2.0 as well as
automatic
provisioning (synchronization) of user and group information from Microsoft Entra ID (formerly
known as Azure Active Directory or Azure AD) into IAM Identity Center using the
System for Cross-domain Identity
Management (SCIM) 2.0 protocol. For more information, see Using SAML and SCIM identity federation with external identity
providers.
Objective
In this tutorial, you will set up a test lab and configure a SAML connection and SCIM
provisioning between Microsoft Entra ID and IAM Identity Center. During the initial preparation steps, you'll create a
test user (Nikki Wolf) in both Microsoft Entra ID and IAM Identity Center which you'll use to test the SAML connection in
both directions. Later, as part of the SCIM steps, you'll create a different test user (Richard
Roe) to verify that new attributes in Microsoft Entra ID are synchronizing to IAM Identity Center as expected.
Prerequisites
Before you can get started with this tutorial, you'll first need to set up the
following:
Considerations
The following are important considerations about Microsoft Entra ID that can affect how you plan to
implement automatic provisioning with IAM Identity Center in
your production environment using the SCIM v2 protocol.
Automatic Provisioning
Before you begin deploying SCIM, we recommend that you first review Considerations for using automatic
provisioning.
Attributes for access control
Attributes for access control is used in permission policies that determine who in your
identity source can access your AWS resources. If an attribute is removed from a user in
Microsoft Entra ID, that attribute will not be removed from the corresponding user in IAM Identity Center. This is a
known limitation in Microsoft Entra ID. If an attribute is changed to a different (non-empty) value on a
user, that change will be synchronized to IAM Identity Center.
Nested Groups
The Microsoft Entra ID user provisioning service can't read or provision users in nested groups. Only
users that are immediate members of an explicitly assigned group can be read and provisioned.
Microsoft Entra ID doesn't recursively unpack the group memberships of indirectly assigned users or groups
(users or groups that are members of a group that is directly assigned). For more information,
see Assignment-based scoping in the Microsoft documentation.
Alternatively, you can use IAM Identity Center ID AD Sync to integrate Active Directory groups with
IAM Identity Center.
Dynamic Groups
The Microsoft Entra ID user provisioning service can read and provision users in dynamic groups. See below for an example showing the users and groups structure
while using dynamic groups and how they are displayed in IAM Identity Center. These users and groups were
provisioned from Microsoft Entra ID into IAM Identity Center via SCIM
For example, if Microsoft Entra ID structure for dynamic groups is as follows:
-
Group A with members ua1, ua2
-
Group B with members ub1
-
Group C with members uc1
-
Group K with a rule to include members of Group A, B, C
-
Group L with a rule to include members Group B and C
After the user and group information is provisioned from Microsoft Entra ID into IAM Identity Center through SCIM,
the structure will be as follows:
-
Group A with members ua1, ua2
-
Group B with members ub1
-
Group C with members uc1
-
Group K with members ua1, ua2, ub1, uc1
-
Group L with members ub1, uc1
When you configure automatic provisioning using dynamic groups, keep the following
considerations in mind.
-
A dynamic group can include a nested group. However, Microsoft Entra ID provisioning service
doesn’t flatten the nested group. For example, if you have the following Microsoft Entra ID structure
for dynamic groups:
-
Group A is a parent of group B.
-
Group A has ua1 as a member.
-
Group B has ub1 as a member.
The dynamic group that includes Group A will only include the direct members of group A
(that is, ua1). It won’t recursively include members of group B.
Step 1: Prepare your Microsoft tenant
In this step, you will walk through how to install and configure your AWS IAM Identity Center enterprise
application and assign access to a newly created Microsoft Entra ID test user.
- Step 1.1 >
-
Step 1.1: Set up the AWS IAM Identity Center enterprise application in
Microsoft Entra ID
In this procedure, you install the AWS IAM Identity Center enterprise application in Microsoft Entra ID. You
will need this application later to configure your SAML connection with AWS.
-
Sign in to the Microsoft Entra admin
center as at least a Cloud Application Administrator.
-
Navigate to Identity > Applications > Enterprise
applications, and then choose New
application.
-
On the Browse Microsoft Entra Gallery page, enter
AWS IAM Identity Center
in the search box.
-
Select AWS IAM Identity Center from the results.
-
Choose Create.
- Step 1.2 >
-
Step 1.2: Create a test user in Microsoft Entra ID
Nikki Wolf is the name of your Microsoft Entra ID test user that you will create in this
procedure.
-
In the Microsoft Entra admin
center console, navigate to Identity > Users > All
users.
-
Select New user, and then choose Create new
user at the top of the screen.
-
In User principal name, enter
NikkiWolf
, and then select your
preferred domain and extension. For example,
NikkiWolf@example.org
.
-
In Display name, enter
NikkiWolf
.
-
In Password, enter a strong password or select the eye icon
to show the password that was auto-generated, and either copy or write down the
value that's displayed.
-
Choose Properties, in First name,
enter Nikki
. In Last
name, enter Wolf
.
-
Choose Review + create, and then choose
Create.
- Step 1.3
-
Step 1.3: Test Nikki's experience prior to assigning her
permissions to AWS IAM Identity Center
In this procedure, you will verify what Nikki can successfully sign into her
Microsoft My Account portal.
-
In the same browser, open a new tab, go to the My Account portal sign-in page, and
enter Nikki's full email address. For example,
NikkiWolf@example.org
.
-
When prompted, enter Nikki's password, and then choose Sign
in. If this was an auto-generated password, you will be prompted to
change the password.
-
On the Action Required page, choose Ask
later to bypass the prompt for additional security methods.
-
On the My account page, in the left navigation pane, choose
My Apps. Notice that besides Add-ins, no
apps are displayed at this time. You'll add an AWS IAM Identity Center app
that will appear here in a later step.
- Step 1.4
-
Step 1.4: Assign permissions to Nikki in
Microsoft Entra ID
Now that you have verified that Nikki can successfully access the My
account portal, use this procedure to assign her user to the
AWS IAM Identity Center app.
-
In the Microsoft Entra admin
center console, navigate to Identity > Applications > Enterprise
applications and then choose AWS IAM Identity Center from the
list.
-
On the left, choose Users and groups.
-
Choose Add user/group. You can ignore the message stating
that groups are not available for assignment. This tutorial does not use groups for
assignments.
-
On the Add Assignment page, under
Users, choose None Selected.
-
Select NikkiWolf, and then choose
Select.
-
On the Add Assignment page, choose
Assign. NikkiWolf now appears in the list of users who are
assigned to the AWS IAM Identity Center app.
Step 2: Prepare your AWS account
In this step, you'll walk through how to use IAM Identity Center to configure access permissions (via permission set),
manually create a corresponding Nikki Wolf user, and assign her the necessary permissions to
administer resources in AWS.
- Step 2.1 >
-
Step 2.1: Create a RegionalAdmin permission set in
IAM Identity Center
This permission set will be used to grant Nikki the necessary AWS account
permissions required to manage Regions from the Account page within
the AWS Management Console. All other permissions to view or manage any other information for Nikki's
account is denied by default.
-
Open the IAM Identity Center
console.
-
Under Multi-account permissions, choose
Permission sets.
-
Choose Create permission set.
-
On the Select permission set type page, select
Custom permission set, and then choose
Next.
-
Select Inline policy to expand it, and then create a policy
for the permission set using the following steps:
-
Choose Add new statement to create a policy
statement.
-
Under Edit statement, select
Account from the list, and then choose the following
checkboxes.
-
ListRegions
-
GetRegionOptStatus
-
DisableRegion
-
EnableRegion
-
Next to Add a resource, choose
Add.
-
On the Add resource page, under Resource
type, select All Resources, and then choose
Add resource. Verify that your policy looks like the
following:
{
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"account:ListRegions",
"account:DisableRegion",
"account:EnableRegion",
"account:GetRegionOptStatus"
],
"Resource": [
"*"
]
}
]
}
-
Choose Next.
-
On the Specify permission set details page, under
Permission set name, enter
RegionalAdmin
, and then choose
Next.
-
On the Review and create page, choose
Create. You should see RegionalAdmin
displayed in the list of permission sets.
- Step 2.2 >
-
Step 2.2: Create a corresponding NikkiWolf user in
IAM Identity Center
Since the SAML protocol does not provide a mechanism to query the IdP (Microsoft Entra ID) and
automatically create users here in IAM Identity Center, use the following procedure to manually create
a user in IAM Identity Center that mirrors the core attributes from Nikki Wolfs user in Microsoft Entra ID.
-
Open the IAM Identity Center
console.
-
Choose Users, choose Add user, and
then provide the following information:
-
For both Username and Email
address – Enter the same
NikkiWolf
@yourcompanydomain.extension
that you used when creating your Microsoft Entra ID user. For example,
NikkiWolf@example.org
.
-
Confirm email address – Re-enter the email
address from the previous step
-
First name – Enter
Nikki
-
Last name – Enter
Wolf
-
Display name – Enter Nikki
Wolf
-
Choose Next twice, then choose Add
user.
-
Select Close.
- Step 2.3
-
Step 2.3: Assign Nikki to the RegionalAdmin permission set in
IAM Identity Center
Here you locate the AWS account in which Nikki will administer Regions, and then
assign the necessary permissions required for her to successfully access the
AWS access portal.
-
Open the IAM Identity Center
console.
-
Under Multi-account permissions, choose
AWS accounts.
-
Select the checkbox next to the account name (for example,
Sandbox
) where you want to grant Nikki access to manage
Regions, and then choose Assign users and groups.
-
On the Assign users and groups page, choose the
Users tab, find and check the box next to Nikki, and then
choose Next.
Step 3: Configure and test your SAML connection
In this step, you configure your SAML connection using the AWS IAM Identity Center enterprise
application in Microsoft Entra ID together with the external IdP settings in IAM Identity Center.
- Step 3.1 >
-
Step 3.1: Collect required service provider metadata from
IAM Identity Center
In this step, you will launch the Change identity source wizard
from within the IAM Identity Center console and retrieve the metadata file and the AWS specific
sign-in URL you'll need to enter when configuring the connection with Microsoft Entra ID in the next
step.
-
In the IAM Identity Center
console, choose Settings.
-
On the Settings page, choose the Identity
source tab, and then choose Actions > Change identity
source.
-
On the Choose identity source page, select
External identity provider, and then choose
Next.
-
On the Configure external identity provider page, under
Service provider metadata, choose Download metadata
file to download the XML file.
-
In the same section, locate the AWS access portal sign-in URL
value and copy it. You will need to enter this value when prompted in the next
step.
-
Leave this page open, and move to the next step (Step 3.2
) to configure the AWS IAM Identity Center enterprise
application in Microsoft Entra ID. Later, you'll return to this page to complete the
process.
- Step 3.2 >
-
Step 3.2: Configure the AWS IAM Identity Center enterprise application in
Microsoft Entra ID
This procedure establishes one-half of the SAML connection on the Microsoft side
using the values from the metadata file and Sign-On URL you obtained in the last
step.
-
In the Microsoft Entra admin
center console, navigate to Identity > Applications > Enterprise
applications and then choose AWS IAM Identity Center.
-
On the left, choose 2. Set up Single sign-on.
-
On the Set up Single Sign-On with SAML page, choose
SAML. Then choose Upload metadata file,
choose the folder icon, select the service provider metadata file that you
downloaded in the previous step, and then choose Add.
-
On the Basic SAML Configuration page, verify that both the
Identifier and Reply URL values now
point to endpoints in AWS that start with
https://<REGION>
.signin.aws.amazon.com/platform/saml/
.
-
Under Sign on URL (Optional), paste in the
AWS access portal sign-in URL value you copied in the previous step
(Step 3.1
), choose
Save, and then choose X to close the
window.
-
If prompted to test single sign-on with AWS IAM Identity Center, choose No I'll test
later. You will do this verification in a later step.
-
On the Set up Single Sign-On with SAML page, in the
SAML Certificates section, next to Federation
Metadata XML, choose Download to save the metadata
file to your system. You will need to upload this file when prompted in the next
step.
- Step 3.3 >
-
Step 3.3: Configure the Microsoft Entra ID external IdP in
AWS IAM Identity Center
Here you will return to the Change identity source wizard in
the IAM Identity Center console to complete the second-half of the SAML connection in AWS.
-
Return to the browser session you left open from Step 3.1
in the IAM Identity Center console.
-
On the Configure external identity provider page, in the
Identity provider metadata section, under IdP SAML
metadata, choose the Choose file button, and
select the identity provider metadata file that you downloaded from Microsoft Entra ID in the
previous step, and then choose Open.
-
Choose Next.
-
After you read the disclaimer and are ready to proceed, enter
ACCEPT
.
-
Choose Change identity source to apply your changes.
- Step 3.4 >
-
Step 3.4: Test that Nikki is redirected to the
AWS access portal
In this procedure, you will test the SAML connection by signing in to Microsoft's
My Account portal with Nikki's credentials. Once authenticated,
you'll select the AWS IAM Identity Center application which will redirect Nikki to the
AWS access portal.
-
Go to the My Account
portal sign in page, and enter Nikki's full email address. For example,
NikkiWolf
@example.org
.
-
When prompted, enter Nikki's password, and then choose Sign
in.
-
On the My account page, in the left navigation pane, choose
My Apps.
-
On the My Apps page, select the app named
AWS IAM Identity Center. This should prompt you for additional
authentication.
-
On Microsoft's sign in page, choose your NikkiWolf credentials. If prompted a
second time for authentication, choose your NikkiWolf credentials again. This should
automatically redirect you to the AWS access portal.
If you are not redirected successfully, check to make sure the
AWS access portal sign-in URL value you entered in Step 3.2
matches the value you copied from
Step 3.1
.
-
Verify that your AWS accounts display.
If the page is empty and no AWS accounts display, confirm that Nikki was
successfully assigned to the RegionalAdmin permission set
(see Step 2.3
).
- Step 3.5
-
Step 3.5: Test Nikki's level of access to manage her
AWS account
In this step, you will check to determine Nikki's level of access to manage the
Region settings for her AWS account. Nikki should only have sufficient administrator
privileges to manage Regions from the Accounts page.
-
In the AWS access portal, choose the Accounts tab to display the
list of accounts. The account names, account IDs, and email addresses associated
with any accounts where you've defined permission sets appear.
-
Choose the account name (for example, Sandbox
) where
you applied the permission set (see Step
2.3
). This will expand the list of permission sets that Nikki
can choose from to manage her account.
-
Next to RegionalAdmin choose Management
console to assume the role you defined in the
RegionalAdmin permission set. This will redirect you to the
AWS Management Console home page.
-
In the upper-right corner of the console, choose your account name, and then
choose Account. This will take you to the
Account page. Notice that all other sections on this page
display a message that you don't have the necessary permissions to view or modify
those settings.
-
On the Account page, scroll down to the section
AWS Regions. Select a checkbox for any available Region in
the table. Notice that Nikki does have the necessary permissions to
Enable or Disable the list of Regions
for her account as was intended.
Steps 1 through 3 helped you to successfully implement and test your SAML
connection. Now, to complete the tutorial, we encourage you to move on to Step 4 to
implement automatic provisioning.
Step 4: Configure and test your SCIM
synchronization
In this step, you will set up automatic
provisioning (synchronization) of user information from Microsoft Entra ID into IAM Identity Center using the
SCIM v2.0 protocol. You configure this connection in Microsoft Entra ID using your SCIM endpoint for IAM Identity Center
and a bearer token that is created automatically by IAM Identity Center.
When you configure SCIM synchronization, you create a mapping of your user attributes in
Microsoft Entra ID to the named attributes in IAM Identity Center. This causes the expected attributes to match between
IAM Identity Center and Microsoft Entra ID.
The following steps walk you through how to enable automatic provisioning of users that
primarily reside in Microsoft Entra ID to IAM Identity Center using the IAM Identity Center app in Microsoft Entra ID.
- Step 4.1 >
-
Step 4.1: Create a second test user in
Microsoft Entra ID
For testing purposes, you will create a new user (Richard Roe) in Microsoft Entra ID. Later,
after you set up SCIM synchronization, you will test that this user and all relevant
attributes were synced successfully to IAM Identity Center.
-
In the Microsoft Entra admin
center console, navigate to Identity > Users > All
users.
-
Select New user, and then choose Create new
user at the top of the screen.
-
In User principal name, enter
RichRoe
, and then select your
preferred domain and extension. For example,
RichRoe@example.org
.
-
In Display name, enter
RichRoe
.
-
In Password, enter a strong password or select the eye icon
to show the password that was auto-generated, and either copy or write down the
value that's displayed.
-
Choose Properties, and then provide the following
values:
-
First name - Enter
Richard
-
Last name - Enter
Roe
-
Job title - Enter Marketing
Lead
-
Department - Enter
Sales
-
Employee ID - Enter
12345
-
Choose Review + create, and then choose
Create.
- Step 4.2 >
-
Step 4.2: Enable automatic provisioning in
IAM Identity Center
In this procedure, you will use the IAM Identity Center console to enable automatic provisioning
of users and groups coming from Microsoft Entra ID into IAM Identity Center.
-
Open the IAM Identity Center
console, and choose Settings in the left navigation
pane.
-
On the Settings page, under the Identity
source tab, notice that Provisioning method is set
to Manual.
-
Locate the Automatic provisioning information box, and then
choose Enable. This immediately enables automatic provisioning
in IAM Identity Center and displays the necessary SCIM endpoint and access token
information.
-
In the Inbound automatic provisioning dialog box, copy each
of the values for the following options. You will need to paste these in the next
step when you configure provisioning in Microsoft Entra ID.
-
SCIM endpoint - For example,
https://scim.us-east-2
.amazonaws.com/11111111111-2222-3333-4444-555555555555
/scim/v2
-
Access token - Choose Show token
to copy the value.
This is the only time where you can obtain the SCIM endpoint and access token.
Ensure you copy these values before moving forward.
-
Choose Close.
-
Under the Identity source tab, notice that
Provisioning method is now set to
SCIM.
- Step 4.3 >
-
Step 4.3: Configure automatic provisioning in
Microsoft Entra ID
Now that you have your RichRoe test user in place and have enabled SCIM in IAM Identity Center,
you can proceed with configuring the SCIM synchronization settings in Microsoft Entra ID.
-
In the Microsoft Entra admin
center console, navigate to Identity > Applications > Enterprise
applications and then choose AWS IAM Identity Center.
-
Choose Provisioning, under Manage,
choose Provisioning again.
-
In Provisioning Mode select
Automatic.
-
Under Admin Credentials, in Tenant URL
paste in the SCIM endpoint URL value you copied earlier in
Step 4.2
. In Secret
Token, paste in the Access token value.
-
Choose Test Connection. You should see a message indicating
that the tested credentials were successfully authorized to enable
provisioning.
-
Choose Save.
-
Under Manage, choose Users and groups,
and then choose Add user/group.
-
On the Add Assignment page, under
Users, choose None Selected.
-
Select RichRoe, and then choose
Select.
-
On the Add Assignment page, choose
Assign.
-
Choose Overview, and then choose Start
provisioning.
- Step 4.4
-
Step 4.4: Verify that synchronization
occurred
In this section, you will verify that Richard's user was successfully provisioned
and that all attributes are displayed in IAM Identity Center.
-
In the IAM Identity Center
console, choose Users.
-
On the Users page, you should see your
RichRoe user displayed. Notice that in the Created
by column the value is set to SCIM.
-
Choose RichRoe, under Profile, verify
that the following attributes were copied from Microsoft Entra ID.
-
First name -
Richard
-
Last name -
Roe
-
Department -
Sales
-
Title - Marketing
Lead
-
Employee number -
12345
Now that Richard's user has been created in IAM Identity Center, you can assign it to any
permission set so you can control the level of access he has to your AWS
resources. For example, you could assign RichRoe to the
RegionalAdmin
permission set you used earlier to grant
Nikki the permissions to manage Regions (see Step
2.3
) and then test his level of access using Step 3.5
.
You have successfully set up a SAML connection between Microsoft and AWS and
have verified that automatic provisioning is working to keep everything in sync. Now
you can apply what you've learned to more smoothly set up your production environment.
Step 5: Configure ABAC - Optional
Now that you have successfully configured SAML and SCIM, you can optionally choose to
configure attribute-based access control (ABAC). ABAC is an authorization strategy that
defines permissions based on attributes.
With Microsoft Entra ID, you can use either of the following two methods to configure ABAC for use
with IAM Identity Center.
- Configure user attributes in Microsoft Entra ID for access control in IAM Identity Center
-
Configure user attributes in Microsoft Entra ID for access control in
IAM Identity Center
In the following procedure, you will determine which attributes in Microsoft Entra ID should be
used by IAM Identity Center to manage access to your AWS resources. Once defined, Microsoft Entra ID sends these
attributes to IAM Identity Center through SAML assertions. You will then need to Create a permission set in IAM Identity Center
to manage access based on the attributes you passed from Microsoft Entra ID.
Before you begin this procedure, you first need to enable the Attributes for access control
feature. For more information about how to do this, see Enable and configure attributes for access
control.
-
In the Microsoft Entra admin
center console, navigate to Identity > Applications > Enterprise
applications and then choose AWS IAM Identity Center.
-
Choose Single sign-on.
-
In the Attributes & Claims section, choose
Edit.
-
On the Attributes & Claims page, do the
following:
-
Choose Add new claim
-
For Name, enter
AccessControl:AttributeName
. Replace
AttributeName
with the name of the attribute you
are expecting in IAM Identity Center. For example,
AccessControl:Department
.
-
For Namespace, enter
https://aws.amazon.com/SAML/Attributes
.
-
For Source, choose Attribute.
-
For Source attribute, use the drop-down list to choose
the Microsoft Entra ID user attributes. For example,
user.department
.
-
Repeat the previous step for each attribute you need to send to IAM Identity Center in the
SAML assertion.
-
Choose Save.
- Configure ABAC using IAM Identity Center
-
Configure ABAC using IAM Identity Center
With this method, you use the Attributes for access control feature in IAM Identity Center to pass an
Attribute
element with the Name
attribute set to
https://aws.amazon.com/SAML/Attributes/AccessControl:{TagKey}
.
You can use this element to pass attributes as session tags in the SAML assertion. For
more information about session tags, see Passing session tags
in AWS STS in the IAM User Guide.
To pass attributes as session tags, include the AttributeValue
element
that specifies the value of the tag. For example, to pass the tag key-value pair
Department=billing
, use the following attribute:
<saml:AttributeStatement>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:Department">
<saml:AttributeValue>billing
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
If you need to add multiple attributes, include a separate Attribute
element for each tag.
Troubleshooting
For general SCIM and SAML troubleshooting with Microsoft Entra ID, see the following sections:
Synchronization issues with Microsoft Entra ID and
IAM Identity Center
If you are experiencing issues with Microsoft Entra ID users not synchronizing to IAM Identity Center, it might be
due to a syntax issue that IAM Identity Center has flagged when a new user is being added to IAM Identity Center. You
can confirm this by checking the Microsoft Entra ID audit logs for failed events, such as an
'Export'
. The Status Reason for this event will
state:
{"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Request is unparsable, syntactically incorrect, or violates schema.","status":"400"}
You can also check AWS CloudTrail for the failed event. This can be done by searching in the
Event History console of CloudTrail using the following filter:
"eventName":"CreateUser"
The error in the CloudTrail event will state the following:
"errorCode": "ValidationException",
"errorMessage": "Currently list attributes only allow single item“
Ultimately, this exception means that one of the values passed from Microsoft Entra ID contained
more values than anticipated. The solution is to review the attributes of the user in
Microsoft Entra ID, ensuring that none contain duplicate values. One common example of duplicate values
is having multiple values present for contact numbers such as mobile,
work, and fax. Although separate values, they
are all passed to IAM Identity Center under the single parent attribute
phoneNumbers.
For general SCIM troubleshooting tips, see Troubleshooting.
Microsoft Entra ID Guest Account Synchronization
If you would like to sync your Microsoft Entra ID guest users to IAM Identity Center, see the following
procedure.
Microsoft Entra ID guest users’ email is different than Microsoft Entra ID users. This difference causes issues
when attempting to synchronize Microsoft Entra ID guest users with IAM Identity Center. For example, see the following
email address for a guest user:
exampleuser_domain.com#EXT@domain.onmicrosoft.com
.
IAM Identity Center expects the email address of a user to not contain the
EXT@domain
format.
-
Sign in to the Microsoft
Entra admin center and navigate to Identity >
Applications > Enterprise applications and
then choose AWS IAM Identity Center
-
Navigate to the Single Sign On tab in the left pane.
-
Select Edit which appears next to User Attributes
& Claims.
-
Select Unique User Identifier (Name ID) following
Required Claims.
-
You will create two claim conditions for your Microsoft Entra ID users and guest users:
-
For Microsoft Entra ID users, create a user type for members with source attribute set to
user.userprincipalname
.
-
For Microsoft Entra ID guest users, create a user type for external guests with the source
attribute set to user.mail
.
-
Select Save and retry signing in as a Microsoft Entra ID guest
user.
Additional resources
The following resources can help you troubleshoot as you work with AWS: