Introduction
Six months ago, managing AWS access for 50+ developers was slow, manual, and error-prone.
New hires waited days for access. Leavers sometimes kept production permissions. Promotions required hours of manual updates across multiple accounts.
We fixed this using SAML federation and SCIM provisioning between Entra ID and AWS—reducing onboarding from hours to minutes and eliminating manual access management.
Today, when Aamir joins:
- HR creates his Entra ID account (5 minutes)
- HR adds him to security group "AWS-Developers-ReadOnly" (30 seconds)
- SCIM automatically provisions him to AWS (Provisioning typically occurs within 20–40 minutes, though on-demand sync can be triggered manually)
- Aamir clicks the AWS tile on myapps.microsoft.com
- Aamir lands in the AWS Console with correct permissions
Total time: 15 minutes. Zero IT involvement.
When Alex leaves:
- HR disables his Entra ID account (30 seconds)
- SCIM automatically suspends him in AWS (depends on sync time)
- All AWS access revoked across all accounts
- No orphaned accounts possible
In this post, I'll show you how we built this automated identity system that eliminated passwords and reduced onboarding from 6 hours to 15 minutes.
Architecture Overview
Our solution combines two protocols working together:
SAML 2.0 - Authentication (Single Sign-On)
Components:
- Azure Entra ID - Identity Provider (IdP), issues SAML tokens
- AWS IAM Identity Center - Service Provider (SP), validates tokens
- SAML assertions - Signed XML tokens proving user identity
Flow: User → Entra ID (authenticate) → SAML token → AWS (validate) → Console access
SCIM 2.0 - Provisioning (Automatic User Sync)
Components:
- Entra ID Provisioning - Source, detects user/group changes
- AWS IAM Identity Center - Target, receives SCIM API calls
- SCIM REST API - Creates, updates, deletes users automatically
Flow: User added to group → Entra detects → SCIM API call → AWS creates user → User appears in IAM Identity Center
The Complete Picture
1. HR creates user in Entra ID
2. HR adds user to AWS security group
3. SCIM syncs user to AWS (5-10 mins)
4. User goes to myapps.microsoft.com
5. User authenticates with SAML
6. User clicks AWS tile
7. User accesses AWS with federated credentials
Prerequisites
Before starting, ensure you have:
- Azure AD Premium P1 or P2 license (SCIM requires P1+)
- Global Administrator role in Azure AD
- AWS account with admin access
Cost: $0 if using Azure AD P2 trial (90 days) and AWS free tier
Key benefit: User provisioning and authentication are separate but integrated. SCIM handles the "who exists" part, SAML handles the "prove who you are" part.
Architecture showing both SAML authentication and SCIM provisioning flows between Entra ID and AWS
AWS IAM Identity Center Setup
Step 1: Enable IAM Identity Center and Get SCIM Details
- Log into AWS management account
- Navigate to IAM Identity Center
- Click Enable (free service)
- Go to Settings → Identity source
- Click Actions → Enable automatic provisioning
- CRITICAL: Copy and save these two values:
SCIM endpoint:
https://scim.us-east-1.amazonaws.com/[instance-id]/scim/v2
Access token:
[Long token string - shown only once!]
Save the token immediately in your password manager. You'll need it in about 10 minutes, and AWS won't show it again; if you lose it, you can delete the token and generate a new one.
AWS IAM Identity Center showing SCIM endpoint and access token generation
Step 2: Create Permission Sets
Permission sets define what users can do in AWS. Create three:
DeveloperReadOnly:
Name: DeveloperReadOnly
Session duration: PT4H (4 hours)
Managed policy: ViewOnlyAccess
DeveloperPowerUser:
Name: DeveloperPowerUser
Session duration: PT8H (8 hours)
Managed policy: PowerUserAccess
Add inline policy for additional permissions for power user:
DeveloperAdmin:
Name: DeveloperAdmin
Session duration: PT4H (4 hours, shorter for security)
Managed policy: AdministratorAccess
Note: We'll configure the external identity provider (Entra ID metadata) after the Entra setup.
Three permission sets created in IAM Identity Center with different access levels
Entra ID Configuration
Step 1: Create Security Groups
Navigate to Entra ID → Groups and create:
Group 1:
Name: AWS-Developers-ReadOnly
Type: Security
Membership: Assigned
Group 2:
Name: AWS-Developers-PowerUser
Type: Security
Membership: Assigned
Group 3:
Name: AWS-Developers-Admin
Type: Security
Membership: Assigned
Step 2: Add AWS IAM Identity Center Enterprise App
- Entra ID → Enterprise Applications → New Application
- Search: "AWS IAM Identity Center"
- Select and click Create
- Name: "AWS IAM Identity Center - Production"
Step 3: Configure SAML Single Sign-On
- Go to Single sign-on → SAML
- Get these URLs from AWS IAM Identity Center → Settings → Actions → Manage authentication:
- Entity ID
- Reply URL (ACS URL)
- Sign-on URL
In Entra, click Edit on "Basic SAML Configuration" and paste the URL values from AWS. Better still, download the IAM Identity Center SAML metadata file from AWS and upload it in Entra instead of pasting the values by hand.
- Download Federation Metadata XML under SAML certificates in Azure's AWS IAM Identity Center application.
SAML configuration in Entra ID showing Entity ID, Reply URL, and Sign-on URL
Step 4: Upload Metadata to AWS
- Back in AWS: IAM Identity Center → Settings → Identity source
- Actions → Change identity source
- Select External identity provider
- Upload the Federation Metadata XML from Entra
- Click Next → Finish
SAML federation is now configured. Next: SCIM provisioning.
Step 5: Configure SCIM Provisioning
This is where automated provisioning is configured.
- In Entra, go to Enterprise Applications → AWS IAM Identity Center
- Click Provisioning
- Click Get started
- Set Provisioning Mode to Automatic
- Enter SCIM credentials (from AWS earlier):
Tenant URL: [Your SCIM endpoint from AWS]
Secret Token: [Your access token from AWS]
- Click Test Connection - should show "Success ✓"
- Configure Mappings.
Attribute mappings showing how Entra ID user properties map to AWS SCIM attributes
- Under Settings, set:
Scope: Sync only assigned users and groups
Notification Email: your-email@company.com (if you need email notifications for SCIM alerts)
- Set Provisioning Status to On
- Click Save
SCIM provisioning configuration
Entra ID will now:
- Immediately start initial sync (20-40 minutes)
- Sync incrementally every 40 minutes automatically
- Create users in AWS when added to groups
- Update users when attributes change
- Suspend users when disabled in Entra
- Remove group memberships when users are unassigned; users can be deactivated depending on configuration
Step 6: Assign Groups to Application
- Users and groups → Add user/group
- Select all three groups:
- AWS-Developers-ReadOnly
- AWS-Developers-PowerUser
- AWS-Developers-Admin
- Click Assign
This tells Entra to include these groups in SCIM sync.
Step 7: Map Groups to AWS Accounts
In AWS: IAM Identity Center → AWS Accounts
For each account, assign groups to permission sets:
Testing the Automated Lifecycle
Now test the three lifecycle scenarios: joiner, mover, leaver.
Test 1: Joiner - New Hire (Aamir)
Aamir joins as a Backend Engineer.
HR creates Entra account:
HR adds Aamir to group:
Entra detects change, queues for SCIM sync
SCIM sync runs (every 40 minutes)
AWS creates user automatically
Aamir tests access:
- Goes to myapps.microsoft.com
- Sees "AWS IAM Identity Center" tile
- Clicks it
- Authenticates with Entra (username + password + MFA) and goes straight to the AWS access portal without any AWS credentials
- Sees available accounts:
- Viewonly access
- Selects "Viewonly access"
- Lands in AWS console
- Aamir can view resources in the AWS console but cannot create or deploy code, start EC2 instances, manage RDS, etc. He gets an error when he tries to launch an instance
Total time: 40 minutes (mostly waiting for sync)
Manual IT effort: 0 minutes
Check Entra provisioning logs:
Test 2: Mover - Job Change (Shen)
Shen Li gets promoted from Junior to Senior Developer.
Manager requests elevated access
IT updates groups:
Remove: AWS-Developers-ReadOnly
Add: AWS-Developers-PowerUser
SCIM sync executes:
AWS updates permission assignments
Total time: 30 minutes
Manual AWS changes: 0
Test 3: Leaver - Offboarding (Alex)
Alex's last day is Friday at 5 PM.
HR disables Entra account:
Account status: Disabled (Block sign-in)
Alex immediately cannot log in to any Microsoft apps
5:40 PM - SCIM sync runs
5:41 PM - AWS marks user inactive:
- All permission set assignments revoked
- Prevents new sessions; existing sessions expire based on session duration
5:42 PM - Alex tries to access AWS: Error: "User is not authorized to perform this action"
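To check the joiner and leaver outcomes above against AWS rather than trusting the Entra provisioning log alone, here is an added example (not from the original post) that queries the IAM Identity Center SCIM endpoint by userName and reconciles Entra account state with what AWS holds. It assumes the SCIM endpoint and access token from Step 1 are in the SCIM_ENDPOINT and SCIM_TOKEN environment variables; the sample users, placeholder ids and fake_fetch stand-in are constructed so it runs offline.

```python
import json, os
import urllib.parse, urllib.request

def scim_get(path_and_query):
    """GET from the IAM Identity Center SCIM endpoint (the AWS Step 1 values are
    assumed to be in the SCIM_ENDPOINT and SCIM_TOKEN environment variables)."""
    url = os.environ["SCIM_ENDPOINT"].rstrip("/") + "/" + path_and_query
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + os.environ["SCIM_TOKEN"],
        "Accept": "application/scim+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def lookup_user(upn, fetch=scim_get):
    """Find a user by SCIM userName (the Entra UPN); None if not provisioned."""
    flt = urllib.parse.quote(f'userName eq "{upn}"')
    resources = fetch(f"Users?filter={flt}").get("Resources", [])
    return resources[0] if resources else None

def lifecycle_state(user):
    """What SCIM has produced in AWS for this user: missing, active or suspended."""
    if user is None:
        return "missing"
    return "active" if user.get("active") else "suspended"

def reconcile(entra_users, fetch=scim_get):
    """Compare Entra state with AWS state. entra_users is an iterable of
    (upn, account_enabled) pairs; returns (upn, problem) pairs. A disabled
    Entra account that is still active in AWS is the orphaned-account case."""
    findings = []
    for upn, enabled in entra_users:
        state = lifecycle_state(lookup_user(upn, fetch))
        if enabled and state != "active":
            findings.append((upn, f"enabled in Entra but {state} in AWS"))
        elif not enabled and state == "active":
            findings.append((upn, "disabled in Entra but still active in AWS"))
    return findings

# Constructed sample of what AWS holds, shaped like SCIM user resources (placeholder ids).
SAMPLE_AWS_USERS = {
    "aamir@example.com": {"id": "PLACEHOLDER-1", "userName": "aamir@example.com", "active": True},
    "alex@example.com": {"id": "PLACEHOLDER-2", "userName": "alex@example.com", "active": False},
    "dana@example.com": {"id": "PLACEHOLDER-3", "userName": "dana@example.com", "active": True},
}

def fake_fetch(path_and_query):
    """Offline stand-in for scim_get: answers the userName filter from the sample."""
    upn = urllib.parse.unquote(path_and_query).split('"')[1]
    hit = SAMPLE_AWS_USERS.get(upn)
    return {"totalResults": 1 if hit else 0, "Resources": [hit] if hit else []}
```

Run reconcile() with the real scim_get against the list of (UPN, accountEnabled) pairs exported from Entra; any "disabled but still active" finding is an account the leaver process missed.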
Results and Metrics
Time Savings
Before (Manual IAM Users):
- Onboarding: 6 hours elapsed, 2 hours IT effort
- Permission change: 45 minutes × 12 accounts = 9 hours
- Offboarding: 2-3 hours, risk of missing accounts
After (Federated + SCIM):
- Onboarding: 40 minutes elapsed, 5 minutes IT effort (95% reduction)
- Permission change: 5 minutes elapsed, 2 minutes IT effort
- Offboarding: 25 minutes, 30 seconds IT effort, near-zero risk when processes are followed
Security Improvements
Before:
- 3 orphaned accounts discovered in audit
- Inconsistent MFA enforcement
- 12 passwords per developer
- Manual access reviews (8 hours quarterly)
After:
- Effectively eliminates orphaned accounts when SCIM is properly configured
- MFA and access policies enforced via Conditional Access (device, location, risk)
- 1 password for everything
- Group-based reviews (30 minutes quarterly)
Cost
AWS IAM Identity Center: $0 (free)
Entra ID P1 license: ~$6/user/month (often already licensed)
Implementation time: 3 hours one-time
Annual time saved: ~600 hours
Annual cost saved: $45,000 (at $75/hour engineering cost)
ROI: 15,000%
Limitations and What's Next
We've solved SSO and automated provisioning, but discovered new challenges:
What Works Great
✅ Automated provisioning - Users appear in AWS automatically
✅ Automated deprovisioning - Leavers lose access within 25 minutes
✅ Single sign-on - One password, one MFA device
✅ Group-based access - Easy to understand and manage
What's Still Missing
❌ No lifecycle governance - No approval workflows for access requests
❌ No access reviews - Can't prove compliance for auditors
❌ No time-bound access - Admin access is permanent once granted
❌ No enterprise IGA - Can't integrate with HR systems (Workday, SAP)
❌ No role mining - Manual group design, no analytics
The Real-World Problem
When Aamir needs production access:
- IT just adds him to AWS-Production-PowerUser group
- No approval required
- No justification documented
- No expiration date
- No quarterly review
Key Takeaways
- SAML + SCIM together solve the password and provisioning problems
- 40-minute sync delay is acceptable for most organizations (can force on-demand)
- Group-based access is intuitive but needs governance on top
- Implementation time: 3 hours for massive productivity gains
- Security improves dramatically - Effectively eliminates orphaned accounts when SCIM is properly configured, complete audit trail
- Separation of authentication and provisioning simplifies identity architecture and reduces operational risk
If you're managing 10+ AWS users manually, implement this solution. The setup takes an afternoon, but the benefits last forever.
Quick Reference
SCIM Sync Timing
- Initial sync: 20-40 minutes
- Incremental sync: Every 40 minutes automatically
- On-demand sync: Available in Entra provisioning
- Changes aren't instant: Plan for up to 40-minute delay
Troubleshooting
| Issue | Check | Fix |
|---|---|---|
| User not syncing | Provisioning logs in Entra | Verify user in assigned group |
| "Invalid SAML response" | Metadata current? | Re-upload metadata to AWS |
| User can't see accounts | Permission set assigned? | Map group to account in AWS |
| SCIM sync failing | Token valid? | Regenerate and update in Entra |
Security Best Practices
- MFA: Enforce via Entra Conditional Access (not AWS)
- Session duration: 4-8 hours for standard, 2-4 hours for admin
- Break-glass: Create 2 IAM users, store credentials offline
- Monitoring: CloudTrail + Entra sign-in logs + alerts
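For the monitoring item above, an added example (not from the original post) that triages CloudTrail ConsoleLogin records: once every developer comes in through Entra, the only sign-ins that should not be federated are the two break-glass IAM users, so anything else is either a forgotten IAM user or root. It assumes federated sign-ins appear as ConsoleLogin events by an AssumedRole whose ARN contains the permission-set role name prefix AWSReservedSSO_; the break-glass user names, account id and records are constructed.

```python
import json

# Constructed placeholder names for the two offline break-glass IAM users from the post.
BREAK_GLASS_USERS = {"breakglass-1", "breakglass-2"}

def classify_login(event):
    """Return (finding, who, outcome) for a ConsoleLogin record, or None when it
    is the expected federated path (or not a console login at all)."""
    if event.get("eventName") != "ConsoleLogin":
        return None
    ident = event.get("userIdentity", {})
    outcome = event.get("responseElements", {}).get("ConsoleLogin", "Unknown")
    kind = ident.get("type")
    if kind == "AssumedRole":
        arn = ident.get("arn", "")
        # Permission-set sessions use roles named AWSReservedSSO_<set>_<suffix> (assumption)
        if "/AWSReservedSSO_" in arn:
            return None
        return ("non-sso-role-login", arn, outcome)
    if kind == "IAMUser":
        name = ident.get("userName", "")
        if name in BREAK_GLASS_USERS:
            return ("break-glass-used", name, outcome)      # always worth an alert
        return ("legacy-iam-user-login", name, outcome)     # candidate orphaned account
    if kind == "Root":
        return ("root-login", "root", outcome)
    return ("unrecognised-identity", str(kind), outcome)

def scan(records):
    """Run classify_login over CloudTrail records and keep only the findings."""
    return [f for f in map(classify_login, records) if f]

# Constructed CloudTrail records (account id 111122223333 is a documentation placeholder).
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_DeveloperReadOnly_0123abcd/aamir@example.com"}},
 {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
  "userIdentity": {"type": "IAMUser", "userName": "breakglass-1"}},
 {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"},
  "userIdentity": {"type": "IAMUser", "userName": "alex-old-iam-user"}},
 {"eventName": "GetCallerIdentity", "userIdentity": {"type": "IAMUser", "userName": "breakglass-1"}}
]}""")["Records"]
```

Feed it the Records array from CloudTrail log files (or an Athena export) and route break-glass-used and root-login findings to your alerting channel.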