SCIM Role Provisioning For AWS SSO App

Kazuma 1 Reputation point
2020-04-09T14:17:07.29+00:00

Would it be possible to share the config associated with the provisioning service which reads AWS roles and imports them to the Azure AD servicePrincipal representing the AWS SSO app? I see that I can copy the synchronization template from an existing AWS app to a new servicePrincipal, but I don't see any logic in the template around how roles are queried and filtered when importing them from AWS. Is there a place in the GraphAPI where I can view how the SICM client is configured to query AWS to read the roles, or am I looking in the wrong place and just missing it in the synchronization template? I'm curious as there may be some instances where we want to only import certain roles, or roles that meet only certain criteria, and I'm not seeing where those filters or logic is stored for use by the provisioning service, including the SCIM URL that is used when communicating with AWS.

Thanks!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,606 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Danny Zollner 9,526 Reputation points Microsoft Employee
    2020-04-11T07:26:23.69+00:00

    It is not possible with the current implementation of the inbound AWS role import functionality that we have today to either view or customize configuration regarding how we retrieve data from Amazon. We are not using SCIM, but rather an Amazon-proprietary API, and the scope is set to all roles in the targeted environment. If you can share some examples of things you'd like to be able to configure but aren't able to with the current AWS role import implementation, we can investigate the feasibility of adding these when we next revisit this provisioning connector.

    0 comments