
Enhancing resilience in AWS Management Console authentication: A disaster recovery guide for IAM Identity Center with IAM Federation SAML 2.0 and Microsoft Entra ID

8 minute read
Content level: Expert

This article shows you how to create a fallback mechanism to add resiliency to authentication in the AWS Management Console.

Introduction

Organizations are embracing AWS IAM Identity Center as their go-to solution for centralized workforce authentication to deliver a seamless single sign-on (SSO) experience across multiple AWS accounts. While working with an Enterprise Support customer, AWS Support developed a solution to add resiliency to user authentication in the AWS Management Console.

Solution overview

The solution implements SAML 2.0-based federation directly between Microsoft Entra ID and individual AWS accounts. This direct federation creates an emergency access path that operates independently of IAM Identity Center. By using Regional AWS sign-in endpoints for SAML, you choose which Region handles the sign-in request, so that a problem with the sign-in endpoint in one Region does not stop your users from reaching the AWS Management Console through another.

IAM Identity Center offers multi-Region replication capabilities that simplify your authentication resilience strategy. When you also have direct AWS Identity and Access Management (IAM) SAML 2.0 federation as a complementary backup, you gain an independent, parallel authentication path that shares no configuration with IAM Identity Center. This defense-in-depth approach helps your teams keep access to critical AWS resources when one path is unavailable.

Comparing IAM Identity Center to IAM Federation SAML 2.0

The following table compares the basics of IAM Identity Center to IAM Federation SAML 2.0:

Ideal customer
  IAM Identity Center: Enterprise or large team that uses AWS Organizations.
  Direct IAM Federation (SAML 2.0): Mid-sized, mature engineering organizations with multiple teams that don't use AWS Organizations.

Permission management
  IAM Identity Center: Centralized permission store that uses permission sets to manage users across your AWS organization.
  Direct IAM Federation (SAML 2.0): Manually configured permission mappings, SAML attribute assertions, and role trust policies in each account.

Scalability
  IAM Identity Center: Purpose-built for AWS Organizations; permission sets propagate across accounts from a single interface.
  Direct IAM Federation (SAML 2.0): Each account requires a separate SAML configuration, and you must replicate changes across all accounts.

User provisioning
  IAM Identity Center: SCIM-based automatic user and group provisioning.
  Direct IAM Federation (SAML 2.0): User management on the IdP only; AWS never sees the user until sign-in.

Operational overhead
  IAM Identity Center: Low, because changes to permission sets automatically apply to all assigned accounts.
  Direct IAM Federation (SAML 2.0): High, because you must manually apply policy changes in every account.

Region flexibility
  IAM Identity Center: Multi-Region support is available in the 17 enabled-by-default commercial AWS Regions.
  Direct IAM Federation (SAML 2.0): Works across all Regions, including opt-in Regions.

Dependency chain
  IAM Identity Center: Adds dependencies on customer managed AWS Key Management Service (AWS KMS) keys that you must replicate, AWS managed applications, and SCIM provisioning.
  Direct IAM Federation (SAML 2.0): Needs only your Entra ID SAML endpoint and IAM roles with the proper trust policies.

Solution implementation

This article walks you through how to configure Regional SAML endpoints with Microsoft Entra ID for AWS Management Console authentication, as seen in Figure 1. The solution includes the following steps:

  • Update your IdP configuration.

  • Modify IAM role trust policies to support multiple Regional endpoints.

  • Implement best practices to maintain highly available authentication flows. 

Figure 1: Solution architecture.

Prerequisites

To implement the solution, you need the following:

  • Have an AWS account.

  • Have an Azure subscription with a Microsoft Entra ID tenant.

  • Have a basic understanding of IAM and permissions to create an IAM identity provider, roles, policies, and users.

To prepare for the authentication process with Microsoft Entra ID, create an enterprise application in Microsoft Entra ID. This application is the sign-in entry point for your users and sends a signed SAML assertion, which carries the user identity and the IAM role to assume, to the AWS sign-in endpoint of the target AWS account.

Create the Microsoft Entra AWS SAML application

To create a Microsoft Entra application that accesses the AWS Management Console, complete the following steps:

  1. Log in to the Microsoft Entra admin center.

  2. In the navigation pane, under Entra ID, choose Enterprise applications.

  3. Choose New application.

  4. In Browse Microsoft Entra App Gallery, enter Amazon Web Services (AWS).

  5. Choose AWS Single Account Access, and then choose Create.

  6. After the console creates the application, under Getting started, choose Set up single sign on.

  7. For Single sign-on method, choose SAML.

  8. Save your settings.

  9. Edit the Basic SAML Configuration to set the Reply URL (Assertion Consumer Service URL) to a Regional sign-in endpoint instead of the global one. In this example, the Regional endpoint is ap-south-1 (Mumbai), so the Reply URL is https://ap-south-1.signin.aws.amazon.com/saml, as seen in Figure 2.


Figure 2: Example of the Basic SAML Configuration.

  10. Under Set up single sign-on with SAML, under SAML Certificates, choose Download for Federation Metadata XML. This action downloads the metadata file locally; you upload it to IAM in the next section.

Create an IAM identity provider

To create an IAM identity provider in the AWS Management Console and upload the metadata file, complete the following steps:

  1. Log in to the AWS Management Console, and then choose IAM.

  2. In the navigation pane, under Access Management, choose Identity providers.

  3. Choose Add provider.

  4. Under Provider details, for the provider type, choose SAML.

  5. For Provider name, enter a name, such as Azure_AD.

  6. For Metadata document, upload the metadata file.

  7. Choose Next Step.

  8. Validate the provider information, and then choose Create.

Create an IAM role

Create an IAM role that trusts the IAM identity provider that you configured. Complete the following steps:

  1. Open the IAM console.

  2. In the navigation pane, under Access Management, choose Roles.

  3. Choose Create role.

  4. For Trusted entity type, choose SAML 2.0 federation.

  5. For SAML 2.0-based provider, select the IAM identity provider that you previously created.

  6. Choose Allow programmatic and AWS Management Console access.

  7. In the Sign-in endpoints section, select the Regional endpoint that matches the Reply URL in the Microsoft Entra application.

  8. Choose Next: Permissions.

  9. In Filter policies, select the permissions policy to attach to the role.

  10. Choose Next: Tags.

  11. Choose Next: Review.

  12. For Role name, enter a unique name, such as Azure_SAML_Admin_Role.

  13. Choose Create Role.

The trust policy that the wizard generates trusts the identity provider for sts:AssumeRoleWithSAML and restricts the SAML:aud condition key to the Regional endpoint that you selected, as seen in Figure 3. To make the role usable from more than one Region, add each Regional endpoint to that condition.

Figure 3: Updated IAM role example.
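As an added example (not from the article), the following trust policy lets the role be assumed through either of two Regional sign-in endpoints. The account ID 123456789012, the provider name Azure_AD, and the Region pair ap-south-1 and us-east-1 are assumed; substitute your own values. The list under SAML:aud is evaluated as a logical OR, so an assertion presented to either endpoint is accepted, while assertions presented to any other endpoint are rejected.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/Azure_AD"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": [
            "https://ap-south-1.signin.aws.amazon.com/saml",
            "https://us-east-1.signin.aws.amazon.com/saml"
          ]
        }
      }
    }
  ]
}
```

Add each of these URLs as a Reply URL in the Microsoft Entra application's Basic SAML Configuration as well, and mark the Region that you want users to land in as the default Reply URL. Switching the default Reply URL is then the only change you make during a failover; the trust policy already accepts both.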

Configure the Microsoft Entra ID AWS SAML application with the IAM identity provider (Microsoft Entra admin center)

After you created the IAM identity provider, complete the following steps to finish the Microsoft Entra ID application setup:

  1. Open the Microsoft Entra admin center.

  2. Choose App registrations, and then select your Amazon Web Services app.

  3. Choose App roles, and then choose Create app role.

  4. For the role, enter the following information:
     For Display name, enter Azure_SAML_Admin_Role.
     For Allowed member types, choose Both (Users/Groups + Applications).
     For Value, enter arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>,arn:aws:iam::<ACCOUNT_ID>:saml-provider/<PROVIDER_NAME>.
     Note: In the preceding example, replace ACCOUNT_ID, ROLE_NAME, and PROVIDER_NAME with your information. The role ARN must come first, followed by a comma and the provider ARN, and both must be in the same account.

  5. Choose Apply.
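Because direct federation spreads the configuration across two systems (the Reply URLs and the app role Value in Microsoft Entra ID, and the principal and SAML:aud condition in the IAM role trust policy), a mismatch is easy to introduce and only shows up as a failed sign-in. The following preflight check is an added example, not code from the article or from AWS; it parses the app role Value, summarizes the trust policy, and confirms that every Reply URL is one that the trust policy accepts. The account ID, role and provider names, endpoints and trust policy are constructed sample data, and the endpoint regular expression is an assumption about the shape of AWS Regional sign-in URLs rather than an AWS-published rule.

```python
"""Preflight consistency check for direct Entra ID -> AWS SAML federation.

Added example (not from the article). Verifies that the Entra app role Value
and the configured Reply URLs line up with the IAM role's trust policy.
"""
import re

# Partition / account / resource type / resource name of an IAM ARN.
ARN_RE = re.compile(
    r"^arn:(aws|aws-us-gov):iam::(\d{12}):(role|saml-provider)/([\w+=.@/-]+)$"
)
# Assumption: global or Regional AWS SAML sign-in endpoint, e.g.
# https://signin.aws.amazon.com/saml or https://ap-south-1.signin.aws.amazon.com/saml
SAML_ENDPOINT_RE = re.compile(
    r"^https://(?:[a-z]{2}(?:-gov)?-[a-z]+-\d+\.)?signin\.aws\.amazon\.com/saml$"
)


def parse_role_claim(value: str) -> dict:
    """Parse the Role attribute value: '<role ARN>,<saml-provider ARN>'."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("Role value must be exactly '<role ARN>,<provider ARN>'")
    role, provider = parts
    m_role, m_prov = ARN_RE.match(role), ARN_RE.match(provider)
    if not m_role or m_role.group(3) != "role":
        raise ValueError(f"first element is not an IAM role ARN: {role}")
    if not m_prov or m_prov.group(3) != "saml-provider":
        raise ValueError(f"second element is not a saml-provider ARN: {provider}")
    if m_role.group(1, 2) != m_prov.group(1, 2):
        raise ValueError("role and provider must share partition and account")
    return {"role_arn": role, "provider_arn": provider, "account_id": m_role.group(2)}


def _as_list(v):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    return [v] if isinstance(v, str) else list(v or [])


def trust_policy_summary(policy: dict) -> dict:
    """Collect Federated principals and SAML:aud values from Allow statements
    that grant sts:AssumeRoleWithSAML."""
    principals, audiences = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action")):
            continue
        principals.update(_as_list(stmt.get("Principal", {}).get("Federated")))
        cond = stmt.get("Condition", {})
        for op in ("StringEquals", "ForAnyValue:StringEquals"):
            audiences.update(_as_list(cond.get(op, {}).get("SAML:aud")))
    return {"principals": principals, "audiences": audiences}


def check_federation(reply_urls, role_value, trust_policy) -> list:
    """Return a list of findings; an empty list means Entra ID and the IAM
    role agree on provider, role, and sign-in endpoints."""
    try:
        claim = parse_role_claim(role_value)
    except ValueError as exc:
        return [f"role value: {exc}"]
    summary = trust_policy_summary(trust_policy)
    findings = []
    if claim["provider_arn"] not in summary["principals"]:
        findings.append(f"trust policy does not trust provider {claim['provider_arn']}")
    if not summary["audiences"]:
        findings.append("trust policy has no SAML:aud condition; pin it to the "
                        "sign-in endpoints you actually use")
    for url in reply_urls:
        if not SAML_ENDPOINT_RE.match(url):
            findings.append(f"reply URL is not an AWS SAML sign-in endpoint: {url}")
        elif summary["audiences"] and url not in summary["audiences"]:
            findings.append(f"reply URL not allowed by SAML:aud: {url}")
    return findings


# Constructed sample data (not a real account).
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/Azure_AD"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/Azure_SAML_Admin_Role"
REPLY_URLS = [
    "https://ap-south-1.signin.aws.amazon.com/saml",
    "https://us-east-1.signin.aws.amazon.com/saml",
]
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": REPLY_URLS}},
    }],
}
GOOD_ROLE_VALUE = f"{ROLE_ARN},{PROVIDER_ARN}"
REVERSED_ROLE_VALUE = f"{PROVIDER_ARN},{ROLE_ARN}"  # common mistake: ARNs swapped

if __name__ == "__main__":
    extra = REPLY_URLS + ["https://eu-west-1.signin.aws.amazon.com/saml"]
    for label, urls, value in (("ok", REPLY_URLS, GOOD_ROLE_VALUE),
                               ("reversed ARNs", REPLY_URLS, REVERSED_ROLE_VALUE),
                               ("unlisted Region", extra, GOOD_ROLE_VALUE)):
        print(f"{label}: {check_federation(urls, value, TRUST_POLICY) or 'consistent'}")
```

Run the check whenever you add a Region to the failover set: the third case shows the failure you would otherwise only discover during an incident, where Entra ID has been given a new Reply URL but the trust policy still rejects assertions presented there.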

Assign a user to the Microsoft Entra AWS SAML application

To assign a user to the Microsoft Entra AWS SAML application, complete the following steps:

  1. Open the Microsoft Entra Admin Center portal, and then navigate to your Amazon Web Services application. 

  2. Under Users and groups, choose Add user, as seen in Figure 4. 


Figure 4: Add a user to the Microsoft Entra AWS SAML application.

  3. Select the user that you want to use to log in to the AWS Management Console.

  4. Under Select role, select the role that you created, and then choose Assign.

  5. On the Users and groups page, confirm that the user's information is correct.

Test your Microsoft Entra AWS SAML application

To test your Microsoft Entra AWS SAML application, complete the following steps:

  1. Open the My Apps portal (myapps.microsoft.com).

  2. Log in with the user that you assigned to the application.

  3. Select the application that you created in Microsoft Entra ID. The application redirects you to the AWS Management Console through the Regional sign-in endpoint that you configured, and you land in the console with the assigned role.

Conclusion

For organizations that need to add resiliency to the authentication process of the AWS Management Console, you can use Microsoft Entra ID to configure direct SAML 2.0 federation into each account. Because this path shares no configuration with IAM Identity Center, you can use it for disaster recovery access when IAM Identity Center isn't available. Configuring Regional sign-in endpoints in both Entra ID and the role trust policies lets you direct sign-in to whichever Region is available, so that console access survives a problem in a single Region.

About the authors


Anant Jain
Anant Jain is a Technical Consultant at AWS who specializes in storage, resilience, and networking. He architects data protection and migration solutions for large-scale enterprise customers, helping them build secure and highly available cloud infrastructures. As a trusted advisor, he partners with organizations to design tailored cloud strategies that align technical solutions with business objectives.


Rajat Antil
Rajat Antil is a Technical Consultant at AWS with experience in cloud infrastructure, operations, and automation. A passionate technology enthusiast, he enjoys solving complex problems, automating mundane tasks, and building secure, scalable, and resilient solutions for large-scale enterprises.