On-Demand SCIM provisioning of Azure AD to AWS IAM Identity Center with PowerShell

June 6, 2023: We made minor updates to the section “Grant permission to the Graph API to access the Default Directory in Azure AD.”

September 20, 2022: We updated the link to the GitHub repository.

September 12, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here.

February 14, 2022: We updated this post to include a link to an updated version of this solution in the Prerequisites section.

July 6, 2021: We updated this post to remove the user requirement to trigger the API endpoint because authentication is performed by application permissions.

January 8, 2021: We updated this post to reflect some changes to the user interface.

In this post, I will demonstrate how you can use a PowerShell script to initiate an on-demand synchronization between Azure Active Directory and AWS IAM Identity Center (AWS IAM Identity Center) and avoid the default 40-minute synchronization schedule between both identity providers. This solution helps enterprises quickly synchronize changes made to users, groups, or permissions within Azure AD with AWS IAM Identity Center. This allows user or permission changes to be quickly reflected in associated AWS accounts.

Prerequisites

You need the following to complete this session:

• Automatic SCIM provisioning of Azure AD to AWS IAM Identity Center with PowerShell using an Azure Function
• AWS IAM Identity Center configured using the steps outlined in The Next Evolution in AWS IAM Identity Center blog post
• An Azure account
• A local machine with Visual Studio Code, PowerShell 7,and Azure Az module installed and configured to connect to Azure Cloud
• The aws-IAM-Identity-Center-sync-script which can be downloaded from this GitHub repository

This post focuses on the steps needed to set up the on-demand sync solution. You can find specifics on how to set up and use PowerShell and the Azure PowerShell modules at Installing Azure PowerShell.

Figure 1: Triggering the SCIM Endpoint to sync all users and groups

Grant permission to the Graph API to access the Default Directory in Azure AD

To get started, grant the permissions needed for the application to have access to the directory endpoint.

To grant permissions

1. Sign in to the Azure Portal and navigate to the Azure AD dashboard.
2. From the left navigation pane, select App registrations. If you don’t see your application listed, select the All applications tab.
   For this example, I’m using an application named AWS.
   

   Figure 2: Select the AWS app registration

3. Choose API permissions from the navigation pane.
4. Choose the Add a permission option.
   

   Figure 3: Select the Add API permission

5. From the settings page that opens, choose the Microsoft Graph option.
   

   Figure 4: Request API permissions

   Under What type of permissions does your application require, select Application permissions. Enter Application.ReadWrite.OwnedBy in the permissions search field, select Application.ReadWrite.OwnedBy, and choose Add permissions at the bottom of the page. Repeat this step for the Synchronization.ReadWrite.All permission.
   

   

   Figure 5: Request API permissions – Add permissions

6. On the API permissions page, choose Grant admin consent for Default Directory and select Yes.
   
   

   Figure 6: Grant permission to the Application

Create a certificate and secret to access the application

To get started, create a certificate and secret which grants secure access to the AWS application.

To create a certificate and secret

1. Choose Certificate & secrets from the left navigation menu and then choose New client secret.
   

   Figure 7: Creating a client secret for 1 year

2. Select the desired length of the certificate.
3. Provide a description and choose Add.
   1. Copy the value of the certificate that’s generated and save it to use later in this process.
   2. After you’ve saved the value to use later, select Home from the top left corner of the screen.
   

   Figure 8: Make sure you click Copy to clipboard to store the value of the secret

Prerequisites to trigger the SCIM endpoint

You need the following items to run the PowerShell code that triggers the endpoint.

1. From the application registration, retrieve the items shown below. Note that you must use the client secret saved earlier when the certificate was created.
   • Tenant ID
   • Display name
   • Application ID
   • Client secret
2. Copy the items to a notepad in the preceding order so you can enter all of them through a single copy and paste action while running the script.
3. From the menu, select Azure Active Directory.
4. Choose App registrations and select the AWS App that was set up.
5. Copy the Application (client) ID and the Directory (tenant) ID.

Figure 9: App registration contains all the items needed for the PowerShell script

Trigger the SCIM endpoint with PowerShell

Now that you’ve completed all of the previous steps, you need to copy the code from the GitHub repository to your local machine and run it. We’ve configured the code to run manually, but you can also automate it to trigger an Azure Automation runbook when users are added to Azure through Alerts. You can also configure CloudWatch Events to run a Lambda function at periodic intervals.

To trigger the SCIM endpoint

1. Copy the code from the GitHub repository.
2. Save the code using the code editor of your choice, or you can download Visual Studio Code. Give the file a user-friendly name, such as Sync.ps1.
3. Navigate to the location where you saved the file and run ./sync.ps1.
4. When prompted, enter the values from the notepad. You can paste these all at one time so you don’t have to copy and paste each individual item.
   

   Note: When copying and pasting in Windows, choose the PowerShell icon, then Edit > Paste.

   

   Figure 10: Windows Command Prompt – Select Paste to copy all items needed to trigger the sync

After you paste the values into the PowerShell window, you see the script input as shown in the following screenshot. The client secret and password are secure values and are masked for security purposes.

Figure 11: PowerShell script with input values pasted in

After the job has started in PowerShell, two messages are displayed. One indicating that synchronization is starting and a following message when synchronization has completed. Both are shown in the following figure.

Figure 12: Output from a successful run of the PowerShell script

View the synchronization status and logs

To verify that the job ran successfully, you can check the completed time from the Azure portal. You can verify the time the script ran by viewing the completion time along with the current status.

To view the status and logs

1. From the menu, choose Azure Active Directory.
2. Choose Enterprise applications and select the AWS App.
3. From the left navigation menu, choose Provisioning and then choose View provisioning details. This displays the last time the sync completed.
   

   Figure 13: View the Provisioning details about the job

Summary

In this post, I demonstrate how you can use a PowerShell script to trigger the SCIM endpoint to on-demand synchronize Azure AD with AWS IAM Identity Center. You can find the code in this GitHub repository and use it to synchronize user and group changes on demand.

If you have feedback about this post, submit comments in the Comments section below.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.