AWS SSO Issue with Office 365

0

Hello,

Here's our setup. AWS SSO configured with Office 365. No AD/on-prem solution. Pure cloud.
I have configured Office 365 as per the AWS configuration instructions (after you create the Office 365 app in AWS SSO).

Issue 1

1/ User starts with https://ourdomain.awsapps.com/start
2/ User signs in with their AWS SSO credentials.
3/ Clicks on office 365 apps icon.
4/ Gets the error "AADSTS51004: The user account T23/ImJYakmyYc7bbVJWsw== does not exist in the b450a30a-23d0-4cb5-9105-e3b4f5ef1493 directory. To sign into this application, the account must be added to the directory."

Issue 2

1/ User starts with https://portal.office.com
2/ Enters the username.
3/ Goes to AWS for authentication.
4/ Goes back to portal.office.com page.
5/ Loops between #3 and #4.

The user is present in both Office 365 and AWS SSO. Both have the same user name. I don't see any ImmutableId for the user in Office 365.

Appreciate any help.

Thank you

asked 5 years ago, 872 views
1 answer
0

Closing the loop here; I hope this helps anyone who may be in a similar situation.

1/ We have to configure the Immutable ID on both sides, AWS as well as O365. This is not auto-generated, hence it needs to be done manually.

2/ On the AWS SSO O365 app, select the Attribute mappings tab and change the mapping of the Subject attribute from ${user:ad_guid} to ${user:adImmutableId}. This was provided by AWS Support.

Making these changes should make O365 work with AWS SSO.

answered 5 years ago
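The O365 half of step 1 in the answer above, as an added example that is not part of the original post: set an ImmutableId on the cloud-only user with the Microsoft Graph PowerShell SDK and confirm it reads back, so that it can be matched by the value the AWS SSO Subject mapping sends. The UPN, the generated ImmutableId value and the function names are assumptions; the AWS SSO side still has to hold the same value.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell
# SDK is installed and the signed-in account may write user attributes in the tenant.
Connect-MgGraph -Scopes "User.ReadWrite.All"

function Test-ImmutableIdFormat {
    # A federation ImmutableId is normally base64 of 16 bytes (a GUID), which is the
    # shape of the identifier quoted in the AADSTS51004 message above.
    param([Parameter(Mandatory)][string]$Value)
    try {
        $bytes = [Convert]::FromBase64String($Value)
        return ($bytes.Length -eq 16)
    } catch {
        return $false
    }
}

function Set-UserImmutableId {
    # Writes the ImmutableId to the cloud-only user, then reads it back so a typo
    # or a silently ignored update is caught before testing the SSO flow.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ImmutableId
    )
    if (-not (Test-ImmutableIdFormat $ImmutableId)) {
        throw "ImmutableId '$ImmutableId' is not a base64-encoded 16-byte value."
    }
    Update-MgUser -UserId $UserPrincipalName -OnPremisesImmutableId $ImmutableId
    $user = Get-MgUser -UserId $UserPrincipalName -Property UserPrincipalName,OnPremisesImmutableId
    if ($user.OnPremisesImmutableId -ne $ImmutableId) {
        throw "Read-back mismatch for $UserPrincipalName"
    }
    return $user.OnPremisesImmutableId
}

# Constructed placeholder values. The same ImmutableId must be stored on the AWS SSO
# user so the ${user:adImmutableId} Subject mapping sends a NameID that O365 can find.
$upn = "jane.doe@ourdomain.example"
$immutableId = [Convert]::ToBase64String([Guid]::NewGuid().ToByteArray())
Set-UserImmutableId -UserPrincipalName $upn -ImmutableId $immutableId
```

If the O365 user already carries an ImmutableId, reuse that value on the AWS SSO side instead of generating a new one, since changing it on a working user breaks existing federation for that account.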
