SCIM Role Provisioning For AWS SSO App

Kazuma 1 Reputation point

Would it be possible to share the config associated with the provisioning service which reads AWS roles and imports them to the Azure AD servicePrincipal representing the AWS SSO app? I see that I can copy the synchronization template from an existing AWS app to a new servicePrincipal, but I don't see any logic in the template around how roles are queried and filtered when importing them from AWS. Is there a place in the GraphAPI where I can view how the SICM client is configured to query AWS to read the roles, or am I looking in the wrong place and just missing it in the synchronization template? I'm curious as there may be some instances where we want to only import certain roles, or roles that meet only certain criteria, and I'm not seeing where those filters or logic is stored for use by the provisioning service, including the SCIM URL that is used when communicating with AWS.


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,100 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Danny Zollner 9,536 Reputation points Microsoft Employee

    It is not possible with the current implementation of the inbound AWS role import functionality that we have today to either view or customize configuration regarding how we retrieve data from Amazon. We are not using SCIM, but rather an Amazon-proprietary API, and the scope is set to all roles in the targeted environment. If you can share some examples of things you'd like to be able to configure but aren't able to with the current AWS role import implementation, we can investigate the feasibility of adding these when we next revisit this provisioning connector.

    0 comments No comments