Tutorial: Configure AWS IAM Identity Center for automatic user provisioning

This tutorial describes the steps you need to perform in both AWS IAM Identity Center(successor to AWS single sign-On) and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and de-provisions users and groups to AWS IAM Identity Center using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID.

Capabilities Supported

• Create users in AWS IAM Identity Center
• Remove users in AWS IAM Identity Center when they no longer require access
• Keep user attributes synchronized between Microsoft Entra ID and AWS IAM Identity Center
• Provision groups and group memberships in AWS IAM Identity Center
• IAM Identity Center to AWS IAM Identity Center

Prerequisites

The scenario outlined in this tutorial assumes that you already have the following prerequisites:

• A Microsoft Entra tenant
• A user account in Microsoft Entra ID with permission to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
• A SAML connection from your Microsoft Entra account to AWS IAM Identity Center, as described in Tutorial

Step 1: Plan your provisioning deployment

1. Learn about how the provisioning service works.
2. Determine who is in scope for provisioning.
3. Determine what data to map between Microsoft Entra ID and AWS IAM Identity Center.

Step 2: Configure AWS IAM Identity Center to support provisioning with Microsoft Entra ID

1. Open the AWS IAM Identity Center.

2. Choose Settings in the left navigation pane

3. In Settings, click on Enable in the Automatic provisioning section.

   

4. In the Inbound automatic provisioning dialog box, copy and save the SCIM endpoint and Access Token (visible after clicking on Show Token). These values are entered in the Tenant URL and Secret Token field in the Provisioning tab of your AWS IAM Identity Center application.

Step 3: Add AWS IAM Identity Center from the Microsoft Entra application gallery

Add AWS IAM Identity Center from the Microsoft Entra application gallery to start managing provisioning to AWS IAM Identity Center. If you have previously setup AWS IAM Identity Center for SSO, you can use the same application. Learn more about adding an application from the gallery here.

Step 4: Define who is in scope for provisioning

The Microsoft Entra provisioning service allows you to scope who is provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who is provisioned to your app based on assignment, you can use the following steps to assign users and groups to the application. If you choose to scope who is provisioned based solely on attributes of the user or group, you can use a scoping filter as described here.

• Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an attribute based scoping filter.

• If you need additional roles, you can update the application manifest to add new roles.

Step 5: Configure automatic user provisioning to AWS IAM Identity Center

This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Microsoft Entra ID.

To configure automatic user provisioning for AWS IAM Identity Center in Microsoft Entra ID:

1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

2. Browse to Identity > Applications > Enterprise applications

   

3. In the applications list, select AWS IAM Identity Center.

   

4. Select the Provisioning tab.

   

5. Set the Provisioning Mode to Automatic.

   

6. Under the Admin Credentials section, input your AWS IAM Identity Center Tenant URL and Secret Token retrieved earlier in Step 2. Click Test Connection to ensure Microsoft Entra ID can connect to AWS IAM Identity Center.

   

7. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and select the Send an email notification when a failure occurs check box.

   

8. Select Save.

9. Under the Mappings section, select Synchronize Microsoft Entra users to AWS IAM Identity Center.

10. Review the user attributes that are synchronized from Microsoft Entra ID to AWS IAM Identity Center in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the user accounts in AWS IAM Identity Center for update operations. If you choose to change the matching target attribute, you need to ensure that the AWS IAM Identity Center API supports filtering users based on that attribute. Select the Save button to commit any changes.

    Attribute	Type	Supported for Filtering
    userName	String	✓
    active	Boolean
    displayName	String
    title	String
    emails[type eq "work"].value	String
    preferredLanguage	String
    name.givenName	String
    name.familyName	String
    name.formatted	String
    addresses[type eq "work"].formatted	String
    addresses[type eq "work"].streetAddress	String
    addresses[type eq "work"].locality	String
    addresses[type eq "work"].region	String
    addresses[type eq "work"].postalCode	String
    addresses[type eq "work"].country	String
    phoneNumbers[type eq "work"].value	String
    externalId	String
    locale	String
    timezone	String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber	String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department	String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division	String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter	String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization	String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager	Reference

11. Under the Mappings section, select Synchronize Microsoft Entra groups to AWS IAM Identity Center.

12. Review the group attributes that are synchronized from Microsoft Entra ID to AWS IAM Identity Center in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the groups in AWS IAM Identity Center for update operations. Select the Save button to commit any changes.

    Attribute	Type	Supported for Filtering
    displayName	String	✓
    externalId	String
    members	Reference

13. To configure scoping filters, refer to the following instructions provided in the Scoping filter tutorial.

14. To enable the Microsoft Entra provisioning service for AWS IAM Identity Center, change the Provisioning Status to On in the Settings section.

    

15. Define the users and/or groups that you would like to provision to AWS IAM Identity Center by choosing the desired values in Scope in the Settings section.

    

16. When you're ready to provision, click Save.

    

This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running.

Step 6: Monitor your deployment

Once you configure provisioning, use the following resources to monitor your deployment:

1. Use the provisioning logs to determine which users were provisioned successfully or unsuccessfully
2. Check the progress bar to see the status of the provisioning cycle and how close it is to completion
3. If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states here.

Just-in-time (JIT) application access with PIM for groups

With PIM for Groups, you can provide just-in-time access to groups in Amazon Web Services and reduce the number of users that have permanent access to privileged groups in AWS.

Configure your enterprise application for SSO and provisioning

1. Add AWS IAM Identity Center to your tenant, configure it for provisioning as described in the tutorial above, and start provisioning.
2. Configure single sign-on for AWS IAM Identity Center.
3. Create a group that will provide all users access to the application.
4. Assign the group to the AWS Identity Center application.
5. Assign your test user as a direct member of the group created in the previous step, or provide them access to the group through an access package. This group can be used for persistent, non-admin access in AWS.

Enable PIM for groups

1. Create a second group in Microsoft Entra ID. This group will provide access to admin permissions in AWS.
2. Bring the group under management in Microsoft Entra PIM.
3. Assign your test user as eligible for the group in PIM with the role set to member.
4. Assign the second group to the AWS IAM Identity Center application.
5. Use on-demand provisioning to create the group in AWS IAM Identity Center.
6. Sign-in to AWS IAM Identity Center and assign the second group the necessary permissions to perform admin tasks.

Now any end user that was made eligible for the group in PIM can get JIT access to the group in AWS by activating their group membership.

Key considerations

• How long does it take to have a user provisioned to the application?:
  • When a user is added to a group in Microsoft Entra ID outside of activating their group membership using Microsoft Entra ID Privileged Identity Management (PIM):
    • The group membership is provisioned in the application during the next synchronization cycle. The synchronization cycle runs every 40 minutes.
  • When a user activates their group membership in Microsoft Entra ID PIM:
    • The group membership is provisioned in 2 – 10 minutes. When there is a high rate of requests at one time, requests are throttled at a rate of five requests per 10 seconds.
    • For the first five users within a 10-second period activating their group membership for a specific application, group membership is provisioned in the application within 2-10 minutes.
    • For the sixth user and above within a 10-second period activating their group membership for a specific application, group membership is provisioned to the application in the next synchronization cycle. The synchronization cycle runs every 40 minutes. The throttling limits are per enterprise application.
• If the user is unable to access the necessary group in AWS, please review the troubleshooting tips below, PIM logs, and provisioning logs to ensure that the group membership was updated successfully. Depending on how the target application has been architected, it may take additional time for the group membership to take effect in the application.
• You can create alerts for failures using Azure Monitor.
• Deactivation is done during the regular incremental cycle. It isn't processed immediately through on-demand provisioning.

Troubleshooting Tips

Missing attributes

When provisioning a user to AWS, they're required to have the following attributes

• firstName
• lastName
• displayName
• userName

Users who don't have these attributes will fail with the following error

Multi-valued attributes

AWS doesn't support the following multi-valued attributes:

• email
• phone numbers

Trying to flow the above as multi-valued attributes will result in the following error message

There are two ways to resolve this

1. Ensure the user only has one value for phoneNumber/email
2. Remove the duplicate attributes. For example, having two different attributes being mapped from Microsoft Entra ID both mapped to "phoneNumber___" on the AWS side would result in the error if both attributes have values in Microsoft Entra ID. Only having one attribute mapped to a "phoneNumber____ " attribute would resolve the error.

Invalid characters

Currently AWS IAM Identity Center isn't allowing some other characters that Microsoft Entra ID supports like tab (\t), new line (\n), return carriage (\r), and characters such as " <|>|;|:% ".

You can also check the AWS IAM Identity Center troubleshooting tips here for more troubleshooting tips

Additional resources

• Managing user account provisioning for Enterprise Apps
• What is application access and IAM Identity Center with Microsoft Entra ID?

Next steps

• Learn how to review logs and get reports on provisioning activity