On-Demand SCIM provisioning of Azure AD to AWS SSO with PowerShell
February 14, 2022: We updated this post to include a link to an updated version of this solution in the Prerequisites section.
July 6, 2021: We updated this post to remove the user requirement to trigger the API endpoint because authentication is performed by application permissions.
January 8, 2021: We updated this post to reflect some changes to the user interface.
In this post, I will demonstrate how you can use a PowerShell script to initiate an on-demand synchronization between Azure Active Directory and AWS Single Sign-On (AWS SSO) and avoid the default 40-minute synchronization schedule between both identity providers. This solution helps enterprises quickly synchronize changes made to users, groups, or permissions within Azure AD with AWS SSO. This allows user or permission changes to be quickly reflected in associated AWS accounts.
You need the following to complete this session:
- Automatic SCIM provisioning of Azure AD to AWS SSO with PowerShell using an Azure Function
- AWS SSO configured using the steps outlined in The Next Evolution in AWS Single Sign-On blog post
- An Azure account
- A local machine with Visual Studio Code, PowerShell 7,and Azure Az module installed and configured to connect to Azure Cloud
- The aws-sso-sync-script which can be downloaded from this GitHub repository
This post focuses on the steps needed to set up the on-demand sync solution. You can find specifics on how to set up and use PowerShell and the Azure PowerShell modules at Installing Azure PowerShell.
Grant permission to the Graph API to access the Default Directory in Azure AD
To get started, grant the permissions needed for the application to have access to the directory endpoint.
To grant permissions
- Sign in to the Azure Portal and navigate to the Azure AD dashboard.
- From the left navigation pane, select App registrations. If you don’t see your application listed, select the All applications tab.
For this example, I’m using an application named AWS.
- Choose API permissions from the navigation pane.
- Choose the Add a permission option.
- From the settings page that opens, choose the Microsoft Graph option.
Under What type of permissions does your application require, select Application permissions and enter Application.ReadWrite.OwnedBy in the permissions search field. Select Application.ReadWrite.OwnedBy and choose Add permissions at the bottom of the page.
- On the API permissions page, choose Grant admin consent for Default Directory and select Yes.
Create a certificate and secret to access the application
To get started, create a certificate and secret which grants secure access to the AWS application.
To create a certificate and secret
- Choose Certificate & secrets from the left navigation menu and then choose New client secret.
- Select the desired length of the certificate.
- Provide a description and choose Add.
- Copy the value of the certificate that’s generated and save it to use later in this process.
- After you’ve saved the value to use later, select Home from the top left corner of the screen.
Prerequisites to trigger the SCIM endpoint
You need the following items to run the PowerShell code that triggers the endpoint.
- From the application registration, retrieve the items shown below. Note that you must use the client secret saved earlier when the certificate was created.
- Tenant ID
- Display name
- Application ID
- Client secret
- Copy the items to a notepad in the preceding order so you can enter all of them through a single copy and paste action while running the script.
- From the menu, select Azure Active Directory.
- Choose App registrations and select the AWS App that was set up.
- Copy the Application (client) ID and the Directory (tenant) ID.
Trigger the SCIM endpoint with PowerShell
Now that you’ve completed all of the previous steps, you need to copy the code from the GitHub repository to your local machine and run it. We’ve configured the code to run manually, but you can also automate it to trigger an Azure Automation runbook when users are added to Azure through Alerts. You can also configure CloudWatch Events to run a Lambda function at periodic intervals.
To trigger the SCIM endpoint
- Copy the code from the GitHub repository.
- Save the code using the code editor of your choice, or you can download Visual Studio Code. Give the file a user-friendly name, such as Sync.ps1.
- Navigate to the location where you saved the file and run ./sync.ps1.
- When prompted, enter the values from the notepad. You can paste these all at one time so you don’t have to copy and paste each individual item.
Note: When copying and pasting in Windows, choose the PowerShell icon, then Edit > Paste.
After you paste the values into the PowerShell window, you see the script input as shown in the following screenshot. The client secret and password are secure values and are masked for security purposes.
After the job has started in PowerShell, two messages are displayed. One indicating that synchronization is starting and a following message when synchronization has completed. Both are shown in the following figure.
View the synchronization status and logs
To verify that the job ran successfully, you can check the completed time from the Azure portal. You can verify the time the script ran by viewing the completion time along with the current status.
To view the status and logs
- From the menu, choose Azure Active Directory.
- Choose Enterprise applications and select the AWS App.
- From the left navigation menu, choose Provisioning and then choose View provisioning details. This displays the last time the sync completed.
In this post, I demonstrate how you can use a PowerShell script to trigger the SCIM endpoint to on-demand synchronize Azure AD with AWS Single Sign-On. You can find the code in this GitHub repository and use it to synchronize user and group changes on demand.
If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.