Integrating AWS IAM Identity Center with Azure AD using SCIM Provisioning

Introduction

 In today’s cloud-driven landscape, organizations often use a mix of cloud providers and identity management systems. One common setup is using Azure Active Directory (Azure AD) as the central identity provider while managing AWS access via AWS IAM Identity Center (formerly AWS SSO). To streamline user and group management, integrating these systems with SCIM (System for Cross-domain Identity Management) is highly recommended.

This blog post walks you through integrating AWS IAM Identity Center with Azure AD using SCIM provisioning to automate user lifecycle management.

What is SCIM?

 SCIM is an open standard designed to automate the exchange of user identity information between identity providers (like Azure AD) and service providers (like AWS IAM Identity Center). SCIM helps automatically create, update, and deactivate user accounts based on changes in your IdP.

Benefits of Using SCIM with AWS IAM Identity Center

• Automated user provisioning: No more manual creation of users in AWS
• Group synchronization: Sync Azure AD groups to AWS
• Automatic deprovisioning: Users who leave the organization lose AWS access immediately
• Reduced admin overhead and human error

Pre-requisites

• Azure EntraID
• Admin access to Azure Portal
• Admin access to AWS IAM Identity Center
• AWS IAM Identity Center set to use “External Identity Provider”

Step-by-Step Integration Guide

Step 1: Set up IAM Identity Center in AWS

• Sign in to AWS Console
  • Go to IAM Identity Center: https://console.aws.amazon.com/singlesignon/
• Enable IAM Identity Center (if not already enabled).

• Select “External identity provider”
  • Under Settings > Identity Source, click Change.
  • Choose External identity provider.
  • Click Download metadata file — you’ll need this in Azure.

 Step 2: Register AWS IAM Identity Center as an Enterprise App in Azure Entra ID

• Go to Azure Portal → Azure Entra ID.
• Navigate to Enterprise Applications → Click + New Application.

• Select “Create your own application”, give it a name (e.g., “AWS SSO”), and choose Integrate any other application you don’t find in the gallery.

• Once created, go to:
  • Single Sign-On → Choose SAML.

• • Upload the AWS SSO metadata file you downloaded earlier.

• Azure will fill in SAML configuration fields automatically.

Step 3: Configure SAML Attributes and Claims in Azure

Under Attributes & Claims:
Ensure the following claim exists (or add it manually):

These claims are used by AWS to identify and authorize users.

 Step 4: Download Azure Federation Metadata XML

• From the Single Sign-On > SAML page in Azure, click Download Federation Metadata XML.

• You’ll need to upload this in AWS.

 Step 5: Upload Azure Metadata in AWS IAM Identity Center

• Go back to AWS IAM Identity Center → Settings > Identity Source.
• Upload the Azure federation metadata XML.

• Confirm and complete the identity source switch.

 Step 6: Assign Users or Groups in Azure to the AWS App

• In Azure Entra ID → Enterprise Applications → Your AWS SSO app.
• Under Users and groups, click + Add user/group.

• Add the users or groups who should have access to AWS.

 Step 7: Assign Permission Sets and AWS Account Access in AWS (With out SCIM)

Manually Create Users and Groups in AWS IAM Identity Center

• Go to AWS IAM Identity Center > Users.
  • Click Add User.
  • Enter same email or username as in Azure AD.
• In AWS IAM Identity Center, go to AWS Accounts.
• Choose an account → Assign users or groups.
• Add users from Azure and assign appropriate Permission Sets (e.g., Administrator, ReadOnly).

 Step 8: Test the Login Flow

• Go to the user portal URL from AWS IAM Identity Center (e.g., https://<your-tenant>.awsapps.com/start).
• Try signing in with an Azure Entra ID user.
• You should be redirected to the Azure login screen and then back to AWS.

.

SCIM Provisioning from Azure to AWS IAM Identity Center

 Enable SCIM Provisioning in AWS IAM Identity Center

1. Go to AWS Console → IAM Identity Center.
2. Click Settings > Automatic provisioning.
3. Enable provisioning and copy the following:
   • SCIM endpoint URL
   • Bearer token (for authentication)

Important: Copy the bearer token and save it securely — it’s only shown once!

Configure Provisioning in Azure Entra ID

1. Go to Azure Portal → Azure Entra ID → Enterprise Applications.
2. Select your AWS IAM Identity Center (SSO) app.
3. Click Provisioning in the left menu.
4. Set Provisioning Mode = Automatic.

Enter SCIM Endpoint and Token

Fill in the SCIM connection settings:

• Click Test Connection.
• You should see a success message.

Map Attribute Mappings (Optional)

Azure provides default attribute mappings. Make sure these are in place:

You can also enable group provisioning by mapping group attributes.

Assign Users and Groups to the App

1. In the Enterprise Application > Users and groups, add the Azure AD users or groups to be provisioned.
2. These will now sync to AWS automatically via SCIM.

Start Provisioning

1. Go back to Provisioning in Azure.
2. Click Start Provisioning.

Verify in AWS

• In AWS IAM Identity Center > Users & Groups, you’ll start seeing users and groups show up as they’re synced from Azure.

• Provisioning can take a few minutes.

Ongoing Sync Behavior

• Azure runs provisioning every 40 minutes by default.
• You can force sync manually under Provisioning > Restart Provisioning.
• Changes in Azure (e.g., user name, group membership) automatically reflect in AWS.

Conclusion

By enabling SCIM provisioning between Azure AD and AWS IAM Identity Center, you automate and secure the identity lifecycle. This reduces operational overhead and ensures consistent access management across your cloud environments. It’s a best practice for any organization leveraging multi-cloud identity strategies.

About CloudThat