Microsoft Entra ID and AWS IAM Federation for Multi-Account Single Sign-On
Implemented federated identity and Single Sign-On (SSO) between Microsoft Entra ID and AWS IAM to provide centralized access management across a multi-account AWS environment.
Implemented: August 2020
Problem
The organization operated a large AWS estate consisting of multiple accounts distributed across several business units, production environments, and PCI-regulated workloads.
Managing individual AWS IAM users across multiple accounts would have increased administrative overhead, introduced security risks, and made it difficult to enforce consistent access controls and user lifecycle management.
The business required a centralized identity solution that provided secure authentication, role-based access control, and seamless access to AWS resources while supporting governance and compliance requirements.
Solution
Designed and implemented federated authentication between Microsoft Entra ID (Azure Active Directory) and AWS using SAML 2.0-based Single Sign-On.
Microsoft Entra ID was established as the central Identity Provider (IdP), while AWS IAM acted as the Service Provider (SP). AWS IAM roles were created across multiple AWS accounts and mapped to Entra ID security groups, enabling users to access authorized AWS environments using their existing corporate identities.
The solution eliminated the need for local IAM user accounts, centralized identity governance, and streamlined user onboarding and offboarding processes through Entra ID.
Access permissions were assigned using role-based access control (RBAC), ensuring users received only the permissions required for their job functions.
Architecture
- Microsoft Entra ID served as the centralized Identity Provider (IdP).
- AWS IAM integrated with Entra ID using SAML 2.0 federation.
- Entra ID security groups controlled access to AWS environments.
- AWS IAM roles were mapped to corresponding Entra ID groups.
- Users authenticated using corporate credentials through Single Sign-On.
- Federated access provided entry into multiple AWS accounts without separate AWS credentials.
- AWS Organizations and Control Tower governance remained centrally managed across all accounts.
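As an added example (not part of the original write-up), the artifacts behind the group-to-role mapping described above, in Python: the trust policy each federated IAM role needs, the Role claim value Entra ID sends for one group-to-role pair, and a review check that a trust policy trusts only the Entra ID provider and pins the SAML audience. The account id and provider name are constructed placeholders.

```python
# Constructed placeholder values (not from the page): account id and provider name.
ACCOUNT_ID = "111122223333"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/EntraID"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in SAML:aud

def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy for a role reached through AssumeRoleWithSAML: only the named
    SAML provider may assume it, and SAML:aud pins the assertion's audience to AWS
    so an assertion minted for another service provider is rejected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }

def role_claim_value(account_id: str, role_name: str, provider_arn: str) -> str:
    """Role attribute value Entra ID sends for one group-to-role mapping:
    AWS requires the pair '<role arn>,<provider arn>'."""
    return f"arn:aws:iam::{account_id}:role/{role_name},{provider_arn}"

def trust_policy_findings(policy: dict, expected_provider_arn: str) -> list:
    """Review a role trust policy; an empty list means it matches the design.
    Flags wildcard principals/actions, a federated principal other than the
    expected Entra ID provider, and a missing SAML:aud audience pin."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            principal = {"AWS": principal}  # bare "*" is shorthand for {"AWS": "*"}
        if principal.get("AWS") == "*":
            findings.append("wildcard principal")
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "sts:*") for a in actions):
            findings.append("wildcard action")
        if "sts:AssumeRoleWithSAML" in actions:
            if principal.get("Federated") != expected_provider_arn:
                findings.append("unexpected federated principal")
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != AWS_SAML_AUDIENCE:
                findings.append("SAML:aud not pinned to AWS")
    return findings
```

Running `trust_policy_findings` over the roles in every member account is a cheap periodic check that no role has drifted to a broader trust than the federation design intends.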
Outcome
The implementation established centralized identity and access management across the organization’s AWS environment. Administrative overhead was reduced, security posture improved through elimination of local IAM users, and access governance became significantly easier to manage and audit.
Key Takeaways
- Federated identity simplifies access management across multi-account AWS environments.
- Centralized authentication improves governance and user lifecycle management.
- Role-based access control strengthens security through least-privilege access.
- Future iterations should include conditional access policies and privileged access management controls.
Reflection
If implementing the solution today, I would leverage AWS IAM Identity Center integrated with Microsoft Entra ID, implement Just-in-Time privileged access workflows, and apply Conditional Access policies for stronger identity security and compliance controls.
