How to Configure AWS IAM Identity Center with Azure AD
Step-by-step guide to connecting Azure Active Directory to AWS IAM Identity Center using SCIM provisioning and SAML 2.0 for federated SSO
Prerequisites
- AWS account with IAM Identity Center enabled
- Azure AD tenant with Global Admin access
- Users and groups already created in Azure AD
- AWS management account or delegated IAM Identity Center admin account
I’ve been in situations where enterprise teams need to connect their existing Azure AD identity infrastructure to AWS without duplicating user management. This guide walks through the complete federation setup so you can authenticate to AWS using your Azure AD credentials—no password sync, no duplicate user maintenance.
Enable IAM Identity Center
Start by confirming IAM Identity Center is active in your AWS account. Navigate to IAM Identity Center in the AWS Console and select your preferred region (typically us-east-1 or your primary region). If you’re seeing the “Enable IAM Identity Center” button, click it. Once enabled, you’ll see the Access Portal URL — save this, you’ll need it later for testing.
Note: IAM Identity Center can only be enabled once per AWS Organization. Choose your region carefully; it cannot be changed without disabling and re-enabling.
Change Identity Source to External IdP
With IAM Identity Center active, go to Settings and select the Identity source tab. Click Change identity source and select External identity provider. AWS will now generate a SAML metadata XML file that describes your IAM Identity Center instance to Azure AD. Download this XML file and keep it open—you’ll upload it to Azure AD in the next step.
The metadata contains your SAML assertion consumer service (ACS) URL and entity ID. Azure AD will use these to know where to send authenticated user assertions.
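As an added example (not part of the original guide), this Python snippet parses a service-provider metadata file of the shape IAM Identity Center exports and flags the fields Azure AD will consume. The metadata document embedded in it is constructed; the region, instance and ACS identifiers are placeholders, not a real instance.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the SP metadata IAM Identity Center exports;
# region, instance and ACS identifiers are placeholders, not a real instance.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-region.signin.aws.amazon.com/platform/saml/d-EXAMPLE">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-region.signin.aws.amazon.com/platform/saml/acs/EXAMPLE-ACS-ID"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_sp_metadata(xml_text):
    """Pull out what Azure AD consumes from SP metadata: the entity ID,
    the ACS endpoints (binding + URL), NameID formats and the signing flag."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "nameid_formats": [e.text for e in sp.findall(f"{{{MD}}}NameIDFormat")],
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall(f"{{{MD}}}AssertionConsumerService")],
    }

def review_sp_metadata(info):
    """Return problems worth fixing before the file is uploaded to Azure AD."""
    problems = []
    if not info["acs"]:
        problems.append("no AssertionConsumerService endpoint")
    for binding, location in info["acs"]:
        if not (location or "").startswith("https://"):
            problems.append(f"ACS endpoint is not HTTPS: {location}")
        if binding != HTTP_POST:
            problems.append(f"unexpected ACS binding: {binding}")
    if not info["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is false: the SP would accept unsigned assertions")
    return problems
```

Run `review_sp_metadata(parse_sp_metadata(open("metadata.xml").read()))` against the file you downloaded; an empty list means the entity ID and ACS endpoint are present and the SP requires signed assertions.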
Configure the Enterprise App in Azure AD
Log in to your Azure Portal as a Global Admin. Navigate to Enterprise Applications → New application → Create your own application. Select Integrate any other application you don’t find in the gallery. Name it AWS IAM Identity Center.
Once created, go to Single sign-on → SAML. Click Upload metadata file and select the XML you downloaded from IAM Identity Center. Azure automatically populates the Sign on URL and Identifier (Entity ID) from your metadata.
In the Attributes & Claims section, ensure http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier maps to user.userprincipalname. This makes the Azure AD user’s email the SAML NameID, which must match the email in your IAM Identity Center users.
Configure SCIM Provisioning in Azure AD
SCIM (System for Cross-domain Identity Management) is how Azure AD automatically creates, updates, and removes users in IAM Identity Center. Back in the Azure Enterprise App, go to Provisioning → Get started → select Automatic.
In Admin Credentials, you’ll need two pieces from IAM Identity Center:
- The SCIM endpoint URL (found in IAM Identity Center → Settings → Automatic provisioning)
- The access token (generated in the same section)
Paste both into Azure AD’s provisioning fields and click Test Connection. You should see a green checkmark if IAM Identity Center can authenticate the token.
# Verify your SCIM setup works by listing users in IAM Identity Center (replace d-xxxxxxxxxx with the identity store ID shown under IAM Identity Center → Settings)
aws identitystore list-users --identity-store-id d-xxxxxxxxxx --region us-east-1
Note: The SCIM access token is a bearer token that Azure AD uses to call IAM Identity Center’s SCIM API. Rotate this token every 90 days for security.
Map User Attributes and Assign Groups
In Azure AD’s Provisioning → Mappings, verify these attribute mappings:
- userName → userPrincipalName (Azure AD user’s email)
- emails[primary].value → mail
- displayName → displayName
- givenName → givenName
- surname → surname
These mappings ensure Azure AD user properties sync correctly into IAM Identity Center.
Next, go to Users and groups in the Enterprise App. Click Add user/group and assign the Azure AD security groups that should have AWS access. Only users in assigned groups will sync to IAM Identity Center.
Start Provisioning and Test Login
Back in Provisioning, click Start provisioning. This takes 5–10 minutes. Watch the Provisioning logs to confirm users and groups are syncing without errors.
Once complete, navigate to your IAM Identity Center Access Portal URL. You should be redirected to Azure AD login. Enter your Azure AD credentials. After authentication, you’ll land on the IAM Identity Center portal—success!
Create Permission Sets and Account Assignments
Back in IAM Identity Center → Multi-account access, create a Permission Set (e.g., “DeveloperAccess”). Attach the AWS managed policy PowerUserAccess or a custom policy matching your needs. Then go to AWS accounts → [Your Account] → Assign users and assign the synced Azure AD group to this permission set.
Users in that group will now see the AWS account and permission set in their access portal.
# Verify permission sets were created (replace ssoins-xxxxxxxxxx with the instance ARN shown under IAM Identity Center → Settings)
aws sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxxxx
Is This Safe?
Yes. SCIM uses bearer tokens (not passwords) to sync identity data. SAML is a token-based federation protocol—no credentials are shared. If you revoke the Azure AD Enterprise App or disable SCIM, all AWS access is immediately revoked. Passwords never touch AWS systems.
Key Takeaway
Federating Azure AD to AWS IAM Identity Center eliminates password silos and gives you centralized identity governance. SCIM keeps your users synchronized, SAML provides seamless login, and AWS permission sets define least-privilege access. Your security team gets a single source of truth, and your users get transparent SSO.
Questions? Connect with me on LinkedIn.