
How to Configure AWS IAM SAML 2.0 Federation with Microsoft Entra ID for Single-Account Access

9 minute read
Content level: Intermediate

Step-by-step guide for setting up SAML 2.0 federation between Microsoft Entra ID (formerly Azure AD) and AWS IAM for single-account console access. Covers creating the enterprise application in Entra ID, configuring SAML claims, creating the IAM identity provider and role in AWS, mapping app roles, and assigning users. Includes troubleshooting common errors.

How to Configure AWS IAM SAML 2.0 Federation with Microsoft Entra ID (Formerly Azure AD) for Single-Account Access

Overview

This guide walks you through setting up SAML 2.0 federation between Microsoft Entra ID (formerly Azure Active Directory) and AWS IAM for single-account access. This allows your organization's users to sign in to the AWS Management Console using their Entra ID credentials.

When to use this approach vs. AWS IAM Identity Center: We recommend using AWS IAM Identity Center for multi-account setups. However, IAM SAML 2.0 federation remains a valid option when:

  • IAM Identity Center is already in use in another region and you need an alternative federated access path.
  • You want to use a different identity provider alongside an existing Identity Center deployment.
  • You have a single AWS account that needs federated access from Entra ID.

Prerequisites

  • A Microsoft Entra ID tenant with administrative privileges (at least Cloud Application Administrator and Application Administrator roles).
  • An AWS account with IAM administrative access.
  • A web browser with access to both the Microsoft Entra admin center and the AWS Management Console.

Architecture

User  --->  Microsoft Entra ID  --(SAML 2.0 Assertion)-->  AWS STS  --->  AWS Management Console
                  (IdP)                                      (SP)

  1. The user navigates to My Apps (https://myapps.microsoft.com) and selects the AWS application.
  2. Entra ID authenticates the user and generates a SAML assertion containing the user's role mapping.
  3. AWS STS validates the assertion against the registered SAML identity provider and issues temporary credentials.
  4. The user is redirected to the AWS Management Console with the assumed IAM role.

Step 1: Create the Enterprise Application in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Identity > Applications > Enterprise applications.
  3. Click + New application.
  4. In the Browse Microsoft Entra App Gallery, search for aws.
  5. Select "AWS Single-Account Access" from the results.
  6. Give the application a meaningful name (e.g., AWS Production Account - SAML) and click Create.

Step 2: Configure SAML Single Sign-On

  1. In the newly created enterprise application, navigate to Single sign-on from the left menu.

  2. Select SAML as the single sign-on method.

  3. In Section 1 — Basic SAML Configuration, click Edit and set the following:

    Setting                                       Value
    Identifier (Entity ID)                        https://signin.aws.amazon.com/saml
    Reply URL (Assertion Consumer Service URL)    https://signin.aws.amazon.com/saml

    Multiple AWS accounts / multiple apps: If you are creating more than one Entra ID enterprise application for different AWS accounts, you must make the Entity ID unique per application. Use the # suffix convention:

    • First app: https://signin.aws.amazon.com/saml
    • Second app: https://signin.aws.amazon.com/saml#2
    • Third app: https://signin.aws.amazon.com/saml#3

    The Reply URL remains https://signin.aws.amazon.com/saml for all apps (no suffix needed).

  4. Click Save.

Verify the Attributes & Claims (Section 2)

The default claim mappings for the AWS Single-Account Access gallery app are pre-configured. Verify that the following claims are present:

Claim Name                                              Value
https://aws.amazon.com/SAML/Attributes/RoleSessionName  user.userprincipalname
https://aws.amazon.com/SAML/Attributes/Role             user.assignedroles
Unique User Identifier (Name ID)                        user.userprincipalname

Step 3: Download the SAML Metadata XML

  1. Still on the SAML configuration page, scroll to Section 3 — SAML Certificates.
  2. Next to Federation Metadata XML, click Download.
  3. Save this file — you will upload it to AWS IAM in the next step.

This XML file contains the public certificate and federation endpoints that AWS uses to validate SAML assertions from Entra ID.


Step 4: Create an IAM Identity Provider in AWS

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM > Identity providers (left sidebar).

  3. Click Add provider.

  4. Configure the provider:

    Setting              Value
    Provider type        SAML
    Provider name        A descriptive name (e.g., EntraID-SAML)
    Metadata document    Upload the Federation Metadata XML downloaded in Step 3

  5. Click Add provider.

  6. Save the Identity Provider ARN — you will need it in the next steps. It will look like:

    arn:aws:iam::123456789012:saml-provider/EntraID-SAML

Step 5: Create an IAM Role for SAML 2.0 Federation

  1. In the AWS IAM console, navigate to Roles > Create role.

  2. Select SAML 2.0 federation as the trusted entity type.

  3. Configure the trust:

    Setting          Value
    SAML provider    Select the identity provider you created (e.g., EntraID-SAML)
    Access type      Select "Allow programmatic and AWS Management Console access"

  4. Click Next and attach the IAM policies you want this role to have (e.g., AdministratorAccess, ReadOnlyAccess, or custom policies).

  5. Give the role a descriptive name (e.g., Admin-SAML or ReadOnly-SAML).

  6. Click Create role.

  7. Save the Role ARN. It will look like:

    arn:aws:iam::123456789012:role/Admin-SAML

Tip: You can create multiple roles with different permission levels (Admin, ReadOnly, Developer, etc.) and map them to different users or groups in Entra ID.


Step 6: Configure the App Role in Microsoft Entra ID (App Registration)

This is the step that ties Entra ID users to specific AWS IAM roles.

  1. Go back to the Microsoft Entra admin center.

  2. Navigate to Identity > Applications > App registrations.

  3. Click All applications and find the app registration that corresponds to your enterprise application (same name).

  4. In the left menu, click App roles.

  5. Click + Create app role and configure:

    Setting                Value
    Display name           A descriptive name (e.g., Admin-SAML)
    Allowed member types   Users/Groups
    Value                  The combined ARN string in this exact format: <Identity_Provider_ARN>,<Role_ARN>
    Description            Description of the role (e.g., Administrator access to AWS account 123456789012)
    Enable this app role   Checked

    Example Value:

    arn:aws:iam::123456789012:saml-provider/EntraID-SAML,arn:aws:iam::123456789012:role/Admin-SAML

    Critical: The format is Identity Provider ARN first, then Role ARN, separated by a comma with no spaces. Getting this order wrong or adding spaces will cause authentication to fail.

  6. Click Apply.

  7. Repeat for each additional AWS IAM role you want to make available (e.g., ReadOnly-SAML, Developer-SAML).
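To see how the Step 5 trust relationship and the Step 6 app role Value fit together, the added Python check below (not code from the article, AWS or Microsoft) builds a trust policy of the shape the IAM console generates for a SAML 2.0 federation role and cross-checks it against an app role Value. The SAML:aud condition on the sign-in URL is what the console adds when you pick the SAML provider; the function names and the finding texts are this example's own.

```python
import json

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # Reply URL / Entity ID from Step 2


def saml_trust_policy(provider_arn):
    """Trust policy in the shape the IAM console generates for a SAML 2.0 federation role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
    }]}


def review_trust_policy(policy, app_role_value):
    """Cross-check a role trust policy (dict or JSON text) against the Entra ID app role
    Value "<IdP_ARN>,<Role_ARN>". Returns findings; an empty list means the pair lines up."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    idp_arn, _, role_arn = app_role_value.partition(",")  # provider ARN must come first
    findings = []
    if not (idp_arn.startswith("arn:aws:iam::") and ":saml-provider/" in idp_arn):
        findings.append("app role Value must start with the identity provider ARN")
    if not (role_arn.startswith("arn:aws:iam::") and ":role/" in role_arn):
        findings.append("app role Value must end with the IAM role ARN")
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    trusted = False
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # Only the explicit action is considered; a wildcard such as sts:* is not expanded here.
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue
        principals = st.get("Principal", {}).get("Federated", [])
        principals = [principals] if isinstance(principals, str) else principals
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append("statement lacks a SAML:aud condition equal to " + SAML_AUDIENCE)
        if idp_arn in principals:
            trusted = True
    if not trusted:
        findings.append("no Allow statement trusts %s for sts:AssumeRoleWithSAML" % idp_arn)
    return findings
```

A role that trusts a different provider than the one named in the app role Value is the "Not authorized to perform sts:AssumeRoleWithSAML" case from the Troubleshooting section.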


Step 7: Assign Users and Groups to the Enterprise Application

  1. In the Entra admin center, navigate back to Identity > Applications > Enterprise applications.
  2. Select your AWS application (e.g., AWS Production Account - SAML).
  3. In the left menu, click Users and groups.
  4. Click + Add user/group.
  5. Under Users, search for and select the users or groups you want to grant AWS access to.
  6. Under Select a role, choose the appropriate AWS role mapping (e.g., Admin-SAML).
  7. Click Assign.

Note: If you have multiple app roles defined, each user/group assignment must be paired with a specific role. A single user can be assigned multiple roles — they will be prompted to select a role at login if they have more than one.


Step 8: Test the Configuration

  1. Open an incognito/private browser window.
  2. Navigate to https://myapps.microsoft.com.
  3. Sign in with the credentials of a user who was assigned to the enterprise application in Step 7.
  4. Click the AWS Single-Account Access tile (or the custom name you gave it).
  5. You should be redirected to the AWS Management Console and signed in with the assumed SAML role.

If the user has multiple roles assigned, a role selection page appears first; the user picks the desired role before being redirected to the AWS console.

Troubleshooting

Symptom: "Your request included an invalid SAML response"
  Likely cause: Mismatched Entity ID or Reply URL
  Solution: Verify that the Identifier and Reply URL in Entra ID exactly match https://signin.aws.amazon.com/saml. Check for trailing slashes or # suffix issues.

Symptom: "Not authorized to perform sts:AssumeRoleWithSAML"
  Likely cause: Role ARN / IdP ARN mismatch
  Solution: Verify the app role value format is <IdP_ARN>,<Role_ARN> with no spaces. Confirm both ARNs exist and are correct.

Symptom: "RoleSessionName is required"
  Likely cause: Missing SAML attribute claim
  Solution: Ensure the RoleSessionName attribute claim is mapped to user.userprincipalname in the SAML configuration.

Symptom: User does not see the app in My Apps
  Likely cause: User not assigned to the enterprise app
  Solution: Go to Enterprise application > Users and groups and verify the user is assigned with a role.

Symptom: Access denied after successful login
  Likely cause: IAM role has insufficient policies
  Solution: Check the IAM role's permission policies in the AWS console.

Symptom: SAML certificate expired
  Likely cause: Entra ID signing certificate has expired
  Solution: Go to SAML Certificates in Entra ID, generate a new certificate, download the new metadata XML, and update the IAM identity provider in AWS.
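The claims from Step 2, the <IdP_ARN>,<Role_ARN> format from Step 6 and the first three troubleshooting rows can be checked offline on a decoded SAMLResponse (the browser trace or Entra ID's "Test" feature gives you the XML). The following checker is an added example, not code from the article or from AWS or Microsoft; sample_response() builds a constructed, unsigned response for testing, and the 900-second lower bound on SessionDuration is AWS's documented minimum rather than something the article states.

```python
import re
import xml.etree.ElementTree as ET

REPLY_URL = "https://signin.aws.amazon.com/saml"  # Reply URL from Step 2 (never suffixed)
AUDIENCE_RE = re.compile(r"^https://signin\.aws\.amazon\.com/saml(#\d+)?$")  # Entity ID, "#N" allowed
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
# App role Value "<IdP_ARN>,<Role_ARN>": provider ARN first, one comma, no spaces.
ROLE_PAIR_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w.@=+-]+,"
                          r"arn:aws:iam::\d{12}:role/[\w.@=+/-]+$")
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_saml_response(xml_text):
    """Return a list of findings; an empty list means the response matches the article's setup."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != REPLY_URL:
        findings.append("Destination is not the Reply URL " + REPLY_URL)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element"]
    audience = assertion.findtext(".//saml:Audience", "", NS)
    if not AUDIENCE_RE.match(audience):
        findings.append("Audience %r does not match the Entity ID" % audience)
    attrs = {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
             for a in assertion.iterfind(".//saml:Attribute", NS)}
    if not any(v.strip() for v in attrs.get(AWS_ATTR + "RoleSessionName", [])):
        findings.append("RoleSessionName claim missing (should map to user.userprincipalname)")
    roles = attrs.get(AWS_ATTR + "Role", [])
    if not roles:
        findings.append("Role claim missing (should map to user.assignedroles)")
    for pair in roles:
        if not ROLE_PAIR_RE.match(pair):
            findings.append("Role value not in <IdP_ARN>,<Role_ARN> form: %r" % pair)
    for d in attrs.get(AWS_ATTR + "SessionDuration", []):  # optional claim, in seconds
        if not d.isdigit() or not 900 <= int(d) <= 43200:
            findings.append("SessionDuration %r is outside 900..43200 seconds" % d)
    return findings


def sample_response(role_value, audience=REPLY_URL, session_name="alice@example.com"):
    """Constructed, unsigned response shaped like the one Entra ID posts (test input only)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{REPLY_URL}"><saml:Assertion><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{AWS_ATTR}RoleSessionName">
  <saml:AttributeValue>{session_name}</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{AWS_ATTR}Role"><saml:AttributeValue>{role_value}</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

The checker does not verify the XML signature; that is AWS's job at sign-in, and this script only confirms the configuration-level values the article asks you to set.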

Security Best Practices

  • Least privilege: Create purpose-specific IAM roles with the minimum permissions required. Avoid assigning AdministratorAccess broadly.
  • Use Entra ID groups: Assign roles to Entra ID security groups rather than individual users for easier management.
  • Monitor sign-ins: Review the Entra ID sign-in logs and AWS CloudTrail for SAML federation activity.
  • Certificate rotation: Set a reminder to rotate the SAML signing certificate before it expires (default is 3 years). Update the metadata XML in AWS IAM after rotation.
  • Conditional Access: Apply Entra ID Conditional Access policies to the enterprise application to enforce MFA, device compliance, or location-based restrictions.
  • Session duration: The default SAML session duration is 1 hour. You can customize this (up to 12 hours) by adding the https://aws.amazon.com/SAML/Attributes/SessionDuration attribute claim with the value in seconds (e.g., 43200 for 12 hours).

Published by an AWS Expert, a month ago.