# Integrate Azure AD with Multiple AWS Accounts

**Adding AWS Application from Gallery**

To configure the integration of AWS into Azure AD, you will need to add the AWS application from application gallery on Azure to your list of manage SaaS applications.

**Steps**

1. In the Azure portal, on the left navigation panel, click **Azure Active Directory**
    
2. Navigate to **Enterprise Applications** and then select the **All Applications**
    
3. To add new application, click **New application**button on the top of dialog.
    
4. In the search box, type **Amazon Web Services (AWS)**, select **Amazon Web Services (AWS)** from result panel then click **Add** button to add the application.
    

**Configure AWS app & Azure AD single sign-on**

For single sign-on to work, a link relationship between an Azure AD user and the related user in Amazon Web Services (AWS) needs to be established.

In Amazon Web Services (AWS), assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship.

To configure and test Azure AD single sign-on with Amazon Web Services (AWS), you need to complete the following below

* **Configure Azure single sign-on**
    

**To configure Azure AD single sign-on with Amazon Web Services (AWS), perform the following steps:**

1. In the Azure portal, on the **Amazon Web Services (AWS)**application integration page, select **Single sign-on**.
    
2. On the **Select a Single sign-on method** dialog, select **SAML** mode to enable single sign-on.
    
3. On the **Set up Single Sign-On with SAML**page, click **Edit** icon to open **Basic SAML Configuration**
    
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is already pre-integrated with Azure.
    
5. Amazon Web Services (AWS) application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes & Claims** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes & Claims**
    
6. In the **User Claims**section on the **User Attributes** dialog, configure SAML token attribute as shown in the image above and perform the following steps:
    

<table><tbody><tr><td colspan="1" rowspan="1"><p><strong>Name</strong></p></td><td colspan="1" rowspan="1"><p><strong>Source Attribute</strong></p></td><td colspan="1" rowspan="1"><p><strong>Namespace</strong></p></td></tr><tr><td colspan="1" rowspan="1"><p>RoleSessionName</p></td><td colspan="1" rowspan="1"><p>user.userprincipalname</p></td><td colspan="1" rowspan="1"><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/SAML/Attributes" style="pointer-events: none">https://aws.amazon.com/SAML/Attributes</a></p></td></tr><tr><td colspan="1" rowspan="1"><p>Role</p></td><td colspan="1" rowspan="1"><p>user.assignedroles</p></td><td colspan="1" rowspan="1"><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/SAML/Attributes" style="pointer-events: none">https://aws.amazon.com/SAML/Attributes</a></p></td></tr><tr><td colspan="1" rowspan="1"><p>SessionDuration</p></td><td colspan="1" rowspan="1"><p>"provide a value between 900 seconds (15 minutes) to 43200 seconds (12 hours)"</p></td><td colspan="1" rowspan="1"><p><a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/SAML/Attributes" style="pointer-events: none">https://aws.amazon.com/SAML/Attributes</a></p></td></tr></tbody></table>

* **Adding Claims**
    

1. Click **Add New Claim** to open the **Manage User claims**
    
2. In the **Name** textbox, type the attribute name shown for that row.
    
3. In the **Namespace** textbox, type the Namespace value shown for that row.
    
4. Select Source as **Attribute**.
    
5. From the **Source attribute** list, type the attribute value shown for that row.
    
6. Click **Ok**
    
7. Click **Save**.
    
8. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** and save it on your computer.
    

* **Configure Amazon Web Services (AWS) Single Sign-On**
    

1. In a different browser window, sign-on to your Amazon Web Services (AWS).
    
2. Click **AWS Home**.
    
3. Click **Identity and Access Management**.
    
4. Click **Identity Providers**, and then click **Create Provider**.
    
5. On the **Configure Provider** dialog page, perform the following steps:
    
6. As **Provider Type**, select **SAML**.
    
7. In the **Provider Name** textbox, type a provider name.
    
8. To upload your downloaded **metadata file** from Azure portal, click **Choose File**.
    
9. Click **Next Step**.
    
10. On the **Verify Provider Information** dialog page, click **Create**.
    
11. Click **Roles**, and then click **Create role**.
    
12. On the **Create role** page, perform the following steps:
    
13. Select **SAML 2.0 federation** under **Select type of trusted entity**.
    
14. Under **Choose a SAML 2.0 Provider section**, select the **SAML provider** you have created previously.
    
15. Select **Allow programmatic and AWS Management Console access**.
    
16. Click **Next: Permissions**.
    
17. On the **Attach Permissions Policies**dialog, please attach the appropriate policy as per your organization. Click **Next: Review**.
    
18. On the **Review** dialog, perform the following steps:
    
19. In the **Role name** textbox, enter your Role name.
    
20. In the **Role description** textbox, enter the description.
    
21. Click **Create Role**.
    
22. Create as many roles as needed and map them to the Identity Provider.
    
23. Sign out from your current AWS account and login with other account where you want to configure single sign on with Azure AD.
    
24. Perform step-2 to step-10 to create multiple roles that you want to setup for this account. If you have more than two accounts, please perform the same steps for all the accounts to create roles for them.
    
25. Once all the roles are created in the accounts, they show up in the **Roles** list for those accounts.
    
26. We need to capture all the Role ARN and Trusted Entities for all the roles across all the accounts, which we need to map manually with Azure AD application.
    
27. Click on the roles to copy **Role ARN**and **Trusted Entities** You need these values for all the roles that you need to create in Azure AD.
    
28. Perform the above step for all the roles in all the accounts and store all of them in format **Role ARN, Trusted entities** in a notepad.
    

* **Application Registration**
    

1. In the Azure Portal, navigate to App Registration
    
2. Click on your AWS application
    
3. Open Manifest Tab, this will bring up the edit manifest page, where you have to add pair values (add pair values for each role that you created in AWS. e.g. if you have created 6 roles on AWS you will need to create 6 pair values)
    

           Sample pair values are below

```plaintext
     {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "AWS-Prod-Admins,AzureAD",
      "id": "f0b999cd-0e5d-4faa-8c7b-d9224c4b27a5",
      "isEnabled": true,
      "description": "To grant Full Admin (AWS) Access to users for Prod Account,AzureAD",
      "value": "arn:aws:iam::xxxxxxxx:role/AWS-Prod-Admins,arn:aws:iam::xxxxxxxx:saml-provider/AzureAD"
     }
```

Remember that you have to add one of these sections for each pair Group-Role, as mentioned above.

* **User/Group Assignment**
    

1. In the Azure Portal, navigate to Enterprise applications.
    
2. Select your Amazon Web Services Application
    
3. Navigate to Users and groups
    
4. Click on Add user
    
5. Click on users and groups and search for the security group that you created on your AD on premise
    
6. Click on the security group / user and click select
    
7. Click on select role and search for the role that you want to bind the security group/user with this role.
    

e.g. AWS-30000000-Admin (security group) – AWS-xxxxxx-Admins (role)

**5-   MFA**

1. Select Conditional Access
    
2. You will see list of Policies (or just one policy) for your AWS application
    
3. Click the Policy and click on users and groups
    
4. Search for the same security groups that you linked against roles
    
5. Once all the users/groups are selected, click on Done button and click Save
    

**6-    Testing**

1. Navigate to [portal.office365.com](http://portal.office365.com) and login with your credentials
    
2. Click on all applications and select your AWS application.
    
3. You should be prompted for MFA
    
4. Once MFA is approved, you should be able to sign in to AWS.
    

**Multiple AWS account**

For Multiple AWS accounts, you will need to do below

* AWS
    
    * Create Identity provide using same Meta Data Federation File (Step 1 .1 / 8)
        
    * Create roles (Step 2 /7)
        
* Office365
    
    * Navigate to app registration (Step 3)
        
    * Add the pair values
        
    * User/Group assignment
        
    * MFA
        
* Testing
    
    * Test by navigating to [portal.office365.com](http://portal.office365.com)
