<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>entra ID &#8211; Blog of Kliment Andreev &#8211; A place so I won&#039;t forget things</title>
	<atom:link href="https://blog.andreev.it/tag/entra-id/feed/" rel="self" type="application/rss+xml" />
	<link>https://blog.andreev.it</link>
	<description></description>
	<lastBuildDate>Sun, 31 Mar 2024 17:15:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>Entra ID (Azure AD) SSO and Azure Static Web Apps</title>
		<link>https://blog.andreev.it/2024/03/entra-id-azure-ad-sso-and-azure-static-web-apps/</link>
					<comments>https://blog.andreev.it/2024/03/entra-id-azure-ad-sso-and-azure-static-web-apps/#respond</comments>
		
		<dc:creator><![CDATA[Kliment Andreev]]></dc:creator>
		<pubDate>Sun, 31 Mar 2024 17:15:00 +0000</pubDate>
				<category><![CDATA[Azure]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Azure AD]]></category>
		<category><![CDATA[Azure Static Web Apps]]></category>
		<category><![CDATA[entra ID]]></category>
		<category><![CDATA[SSO]]></category>
		<guid isPermaLink="false">https://blog.andreev.it/?p=9861</guid>

					<description><![CDATA[In this post I&#8217;ll explain how to configure a static web app in Azure&#8230;]]></description>
										<content:encoded><![CDATA[<div id="bsf_rt_marker"></div><p>In this post I&#8217;ll explain how to configure a static web app in Azure and put the app behind Entra ID (Azure AD) SSO authentication. You&#8217;ll have the same protection as when you log in to Azure or Office 365 with your Entra ID credentials. There is no need for any code change in the app. As long as you are a user, or a member of an Entra ID group, assigned to the Enterprise Application, you can access the Static Web App URL. I&#8217;ll use Azure DevOps to host the files for the web site, but you can use any other repo. </p>
<h1>Azure DevOps</h1>
<p>Log in to your ADO organization and create a new project. I called mine <em>Static Web App</em>. Click on <strong>Initialize </strong>and then copy the clone URL so you can clone the repo locally.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-01.png"><img fetchpriority="high" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-01-1024x836.png" alt="" width="1024" height="836" class="aligncenter size-large wp-image-9872" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-01-1024x836.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-01-300x245.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-01-768x627.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-01-1170x955.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-01-585x478.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-01.png 1357w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Once cloned, go to the local repo and you&#8217;ll see a README.md file. Clone this web site template or just create an index.html file. </p>
<pre class="brush: bash; title: ; notranslate">
git clone https://github.com/designmodo/html-website-templates.git
</pre>
<p>Then move the template files to the root of our repo and remove the cloned template directory.</p>
<pre class="brush: bash; title: ; notranslate">
mv html-website-templates/Animated\ Landing\ Page\ Website\ Template/* .
rm -rf html-website-templates/
</pre>
<p>You should now have the index.html file in the root of the repo. Push to ADO.</p>
<pre class="brush: bash; title: ; notranslate">
git add .
git commit -m &quot;Updated website&quot;
git push
</pre>
<h1>Azure Static Web App</h1>
<p>Log in to your Azure subscription and create or use an existing resource group. I&#8217;ll call mine <strong>rgStaticWebApp</strong>. Go to the <strong>Static Web Apps</strong> menu and create a new <strong>Static Web App</strong>. Specify a subscription, a resource group and name it. In my case it&#8217;s called <em>mystaticwebapp</em>.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-02.png"><img decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-02-1024x506.png" alt="" width="1024" height="506" class="aligncenter size-large wp-image-9874" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-02-1024x506.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-02-300x148.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-02-768x379.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-02-585x289.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-02.png 1156w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Make sure you choose the <strong>Standard hosting plan</strong>. The custom authentication used below (your own Entra ID app registration) is not available on the Free plan, so SSO won&#8217;t work there. Choose the repo location, the branch and <strong>HTML </strong>for <strong>Build Preset</strong>.<br />
Use the defaults for the rest and click on <strong>Create</strong>. The resource is created in a few seconds; once the first build from the repo completes, go to the resource, click <strong>Overview</strong> and you&#8217;ll see the URL of your website. Go to that URL and you&#8217;ll see that at this point the website is public: anyone can open it.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-04.jpg"><img decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-04-1024x642.jpg" alt="" width="1024" height="642" class="aligncenter size-large wp-image-9875" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-04-1024x642.jpg 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-04-300x188.jpg 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-04-768x482.jpg 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-04-1536x963.jpg 1536w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-04-1920x1204.jpg 1920w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-04-1170x734.jpg 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-04-585x367.jpg 585w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
<h1>Custom domain (optional)</h1>
<p>In case you want a custom domain, then these changes are required. This is not a requirement for the SSO, but it&#8217;s better if you have your own domain URL.<br />
Click on <strong>Custom Domains</strong> and then choose where your domain is hosted. In my case I have it with CloudFlare.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-05.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-05.png" alt="" width="895" height="603" class="aligncenter size-full wp-image-9876" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-05.png 895w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-05-300x202.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-05-768x517.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-05-585x394.png 585w" sizes="(max-width: 895px) 100vw, 895px" /></a><br />
Enter how you want to access your website, in my case it is <em>mysite.andreev.it</em>.<br />
You&#8217;ll have to create a CNAME in CloudFlare.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-06.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-06.png" alt="" width="838" height="501" class="aligncenter size-full wp-image-9882" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-06.png 838w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-06-300x179.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-06-768x459.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-06-585x350.png 585w" sizes="(max-width: 838px) 100vw, 838px" /></a><br />
Do not proxy it through CloudFlare for now.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-07.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-07-1024x116.png" alt="" width="1024" height="116" class="aligncenter size-large wp-image-9883" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-07-1024x116.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-07-300x34.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-07-768x87.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-07-1170x133.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-07-585x66.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-07.png 1306w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Click on <strong>Add </strong>at the bottom and it might take some time for Azure to verify the new CNAME record. In my case it took less than a minute.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-08.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-08.png" alt="" width="808" height="589" class="aligncenter size-full wp-image-9884" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-08.png 808w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-08-300x219.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-08-768x560.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-08-585x426.png 585w" sizes="(max-width: 808px) 100vw, 808px" /></a><br />
&#8230;and if you go to <em>whateveryou.namedyour.site</em>, you should see the same static web page.</p>
<h1>Entra ID (Azure AD) SSO</h1>
<p>In order to add SSO, we have to add a file to the root of our static web site and then make some changes in Azure. Refer to this <a href="https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-custom?tabs=aad%2Cinvitations" rel="noopener" target="_blank">link </a>for more information.<br />
Create the following file in the root of the static web site and name it <strong>staticwebapp.config.json</strong>. It has to be exactly this name, because that is the only file the platform reads for routing and authentication settings.<br />
This is what the file looks like. The <em>routes</em> block requires the built-in <em>authenticated</em> role for every path, the <em>responseOverrides</em> block turns the resulting 401 into a redirect to the Entra ID login endpoint, and the highlighted lines tie the site to your tenant and your app registration.</p>
<pre class="brush: xml; highlight: [18,19,20]; title: ; notranslate">
{
  &quot;routes&quot;: &#x5B;
    {
      &quot;route&quot;: &quot;/*&quot;,
      &quot;allowedRoles&quot;: &#x5B;&quot;authenticated&quot;]
    }
  ],
  &quot;responseOverrides&quot;: {
    &quot;401&quot;: {
      &quot;statusCode&quot;: 302,
      &quot;redirect&quot;: &quot;/.auth/login/aad&quot;
    }
  },
  &quot;auth&quot;: {
    &quot;identityProviders&quot;: {
      &quot;azureActiveDirectory&quot;: {
        &quot;registration&quot;: {
          &quot;openIdIssuer&quot;: &quot;https://login.microsoftonline.com/TENANT_ID/v2.0&quot;,
          &quot;clientIdSettingName&quot;: &quot;AZURE_CLIENT_ID&quot;,
          &quot;clientSecretSettingName&quot;: &quot;AZURE_CLIENT_SECRET&quot;
        }
      }
    }
  }
}
</pre>
<p>We need 3 values. The first value, <strong>TENANT_ID</strong>, is hardcoded in this file (line 18). The tenant ID is not a secret, so committing it is fine, and because the issuer URL contains your tenant ID only accounts from that tenant can sign in. The other two values, the <strong>CLIENT_ID</strong> and <strong>CLIENT_SECRET</strong>, are not placed in the file at all: the file only names the Static Web App environment variables (<strong>AZURE_CLIENT_ID</strong> and <strong>AZURE_CLIENT_SECRET</strong>) that hold them, so the client secret never lands in the repo. Here is how to find these values. Go to Entra ID and click <strong>Overview</strong>. This is your <strong>TENANT_ID</strong> value. Copy and paste that value in line 18 and save the file. After that, <em>git add/commit/push</em> the file back to the Azure DevOps repo.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-09.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-09-1024x572.png" alt="" width="1024" height="572" class="aligncenter size-large wp-image-9890" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-09-1024x572.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-09-300x168.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-09-768x429.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-09-1170x654.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-09-585x327.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-09.png 1204w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Go to <strong>App Registrations</strong> and click on <strong>New registration</strong>.<br />
Enter these values and click <strong>Register</strong>. Replace the URL with yours, even if it&#8217;s not a custom domain, and keep the <strong>/.auth/login/aad/callback</strong> suffix: the redirect URI must be exactly <em>https://&lt;your site&gt;/.auth/login/aad/callback</em>, otherwise Entra ID refuses to send the token back. If you use both the default <em>azurestaticapps.net</em> host name and a custom domain, register a redirect URI for each.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-10.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-10-802x1024.png" alt="" width="802" height="1024" class="aligncenter size-large wp-image-9896" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-10-802x1024.png 802w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-10-235x300.png 235w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-10-768x980.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-10-585x747.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-10.png 1035w" sizes="(max-width: 802px) 100vw, 802px" /></a><br />
The app registers right away, and if you click <strong>Overview </strong>you&#8217;ll see the <strong>Application (client) ID</strong>. Copy this value in notepad or somewhere.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-12.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-12-1024x488.png" alt="" width="1024" height="488" class="aligncenter size-large wp-image-9891" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-12-1024x488.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-12-300x143.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-12-768x366.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-12-1170x557.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-12-585x279.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-12.png 1279w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
From the menu on the left, click <strong>Certificates &#038; secrets</strong> and then click on <strong>New client secret</strong>.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-13.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-13-1024x611.png" alt="" width="1024" height="611" class="aligncenter size-large wp-image-9892" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-13-1024x611.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-13-300x179.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-13-768x458.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-13-585x349.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-13.png 1027w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Name the secret and choose for how long it&#8217;s valid. Pick the shortest lifetime you can manage and note the expiry date: when the secret expires, sign-in to the site fails until you create a new one and update the Static Web App setting.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-14.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-14.png" alt="" width="841" height="253" class="aligncenter size-full wp-image-9893" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-14.png 841w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-14-300x90.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-14-768x231.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-14-585x176.png 585w" sizes="(max-width: 841px) 100vw, 841px" /></a><br />
You&#8217;ll see that a secret has been created, with a value and a secret ID. Copy the value, not the ID, in notepad or somewhere. The value is shown only once; if you navigate away without copying it you&#8217;ll have to create a new secret.<br />
Now, go to the Static Web App and click on <strong>Environment variables</strong>. Add both <strong>AZURE_CLIENT_ID</strong> and <strong>AZURE_CLIENT_SECRET</strong> (the names must match the <em>clientIdSettingName</em> and <em>clientSecretSettingName</em> values in the config file) and click <strong>Apply </strong>at the bottom.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-15.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-15-1024x537.png" alt="" width="1024" height="537" class="aligncenter size-large wp-image-9894" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-15-1024x537.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-15-300x157.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-15-768x403.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-15-1170x614.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-15-585x307.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-15.png 1246w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Finally, go to <strong>App Registrations</strong>, find your app there, click <strong>Authentication </strong>on the left and make sure that the <strong>ID tokens</strong> option under <em>Implicit grant and hybrid flows</em> is checked.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-11.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-11-1024x739.png" alt="" width="1024" height="739" class="aligncenter size-large wp-image-9898" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-11-1024x739.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-11-300x216.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-11-768x554.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-11-1536x1108.png 1536w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-11-1170x844.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-11-585x422.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-11.png 1561w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Now, if you go to the URL of the app, you&#8217;ll be prompted to log in and after successfully logging in, you&#8217;ll see the static web page. But at this point every user in your tenant can log in; the only restriction is membership in the Entra ID tenant. If you want to restrict the website to specific people, do the following. Go to <strong>Enterprise Applications</strong>, find your application and click on <strong>Properties</strong>. Make sure <strong>Assignment required</strong> is set to <strong>Yes</strong>. Click <strong>Save </strong>on top.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P172-16.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P172-16-1024x602.png" alt="" width="1024" height="602" class="aligncenter size-large wp-image-9899" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P172-16-1024x602.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-16-300x176.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-16-768x451.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-16-1536x902.png 1536w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-16-1170x687.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-16-585x344.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P172-16.png 1590w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Then, click on <strong>Users and Groups</strong> and assign a group or users to the app. Mind that on the free tier of Entra ID you can only assign individual users; group assignment requires a P1 or P2 license.</p>
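<p>A quick way to catch the usual mistakes in this setup (a route that is still public, a multi-tenant issuer, a setting name that does not match what you entered under Environment variables, or a secret pasted into the committed file) is to check staticwebapp.config.json against the app settings before pushing. The script below is an added example written for this post, not code from the original article or from Microsoft; the tenant ID, config and setting values in it are constructed placeholders, and <em>check_swa_auth_config</em> is a name chosen here.</p>

```python
"""Pre-commit check for staticwebapp.config.json against the Static Web App
environment variables. Added example for this post (not the original author's
code); every identifier, tenant ID and setting value below is constructed."""
import json
import re

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
# The keys Static Web Apps documents under "registration" for Entra ID.
ALLOWED_REGISTRATION_KEYS = {"openIdIssuer", "clientIdSettingName", "clientSecretSettingName"}


def check_swa_auth_config(config_text: str, app_settings: dict, expected_tenant_id: str) -> list:
    """Return a list of findings; an empty list means config and settings are consistent."""
    findings = []
    cfg = json.loads(config_text)

    # 1. The catch-all route must require the built-in "authenticated" role and must
    #    not also grant "anonymous"; otherwise the site stays public.
    protected = any(
        r.get("route") == "/*"
        and "authenticated" in r.get("allowedRoles", [])
        and "anonymous" not in r.get("allowedRoles", [])
        for r in cfg.get("routes", [])
    )
    if not protected:
        findings.append("no '/*' route limited to role 'authenticated': the site is still public")

    # 2. Without the override, unauthenticated users see a bare 401 instead of the login page.
    override = cfg.get("responseOverrides", {}).get("401", {})
    if override.get("statusCode") != 302 or override.get("redirect") != "/.auth/login/aad":
        findings.append("401 is not overridden to a 302 redirect to /.auth/login/aad")

    # 3. The issuer must be this tenant's v2.0 endpoint; "common" or "organizations"
    #    would accept accounts from any tenant.
    reg = (cfg.get("auth", {}).get("identityProviders", {})
              .get("azureActiveDirectory", {}).get("registration", {}))
    issuer = reg.get("openIdIssuer", "")
    m = re.fullmatch(rf"https://login\.microsoftonline\.com/({GUID})/v2\.0", issuer)
    if not m:
        findings.append(f"openIdIssuer {issuer!r} is not a tenant-specific v2.0 issuer")
    elif m.group(1).lower() != expected_tenant_id.lower():
        findings.append(f"openIdIssuer points at tenant {m.group(1)}, expected {expected_tenant_id}")

    # 4. The file only names the settings; the values live in the SWA environment
    #    variables. A missing or misspelled name breaks sign-in with an unhelpful error.
    for key in ("clientIdSettingName", "clientSecretSettingName"):
        name = reg.get(key)
        if not name:
            findings.append(f"{key} is missing")
        elif not app_settings.get(name):
            findings.append(f"{key} refers to {name!r}, which is not set on the Static Web App")
    # Anything else under registration (for example a pasted secret) has no business in git.
    for key in sorted(set(reg) - ALLOWED_REGISTRATION_KEYS):
        findings.append(f"unexpected key {key!r} under registration: only setting names belong in the committed file")
    return findings


# Constructed sample values (not real identifiers).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
APP_SETTINGS = {
    "AZURE_CLIENT_ID": "22222222-3333-4444-5555-666666666666",
    "AZURE_CLIENT_SECRET": "value-copied-from-Certificates-and-secrets",
}
GOOD_CONFIG = json.dumps({
    "routes": [{"route": "/*", "allowedRoles": ["authenticated"]}],
    "responseOverrides": {"401": {"statusCode": 302, "redirect": "/.auth/login/aad"}},
    "auth": {"identityProviders": {"azureActiveDirectory": {"registration": {
        "openIdIssuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "clientIdSettingName": "AZURE_CLIENT_ID",
        "clientSecretSettingName": "AZURE_CLIENT_SECRET",
    }}}},
})
# The same file with the mistakes this check is meant to catch.
BAD_CONFIG = json.dumps({
    "routes": [{"route": "/*", "allowedRoles": ["anonymous", "authenticated"]}],
    "auth": {"identityProviders": {"azureActiveDirectory": {"registration": {
        "openIdIssuer": "https://login.microsoftonline.com/common/v2.0",
        "clientIdSettingName": "AZURE_CLIENT_ID",
        "clientSecret": "pasted-secret-value",
    }}}},
})

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_swa_auth_config(text, APP_SETTINGS, TENANT_ID) or "OK")
```

<p>Run as-is it checks the two embedded samples; to check your own file, pass its contents, a dict of the names you set under Environment variables, and your tenant ID. The secret value itself is never needed by the check, which is the point: the file should only ever carry the setting names.</p>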
]]></content:encoded>
					
					<wfw:commentRss>https://blog.andreev.it/2024/03/entra-id-azure-ad-sso-and-azure-static-web-apps/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Entra ID (Azure AD) and AWS SSO (AWS IAM Identity Center)</title>
		<link>https://blog.andreev.it/2024/03/entra-id-azure-ad-and-aws-sso/</link>
					<comments>https://blog.andreev.it/2024/03/entra-id-azure-ad-and-aws-sso/#respond</comments>
		
		<dc:creator><![CDATA[Kliment Andreev]]></dc:creator>
		<pubDate>Mon, 11 Mar 2024 18:58:39 +0000</pubDate>
				<category><![CDATA[AWS]]></category>
		<category><![CDATA[Azure]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[AWS IAM Identity Center]]></category>
		<category><![CDATA[Azure AD]]></category>
		<category><![CDATA[entra ID]]></category>
		<category><![CDATA[SSO]]></category>
		<guid isPermaLink="false">https://blog.andreev.it/?p=9787</guid>

					<description><![CDATA[I wrote about this topic a couple of years ago, but some things changed&#8230;]]></description>
										<content:encoded><![CDATA[<div id="bsf_rt_marker"></div><p>I wrote about this <a href="https://blog.andreev.it/2021/06/azure-aws-use-azure-ad-with-aws-sso/" rel="noopener" target="_blank">topic </a>a couple of years ago, but some things have changed so I am writing this post again. In this post I&#8217;ll explain how to log in to the AWS Console and the AWS CLI with Entra ID (formerly Azure AD) credentials. For this you&#8217;ll need admin access to both the AWS account and Entra ID. </p>
<h1>IAM Identity Center</h1>
<p>The former AWS Single Sign-On is now IAM Identity Center. You need to enable it in order to configure SSO. Go to <strong>IAM Identity Center</strong> and click on the <strong>Enable</strong> button.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-01.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-01-1024x277.png" alt="" width="1024" height="277" class="aligncenter size-large wp-image-9788" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-01-1024x277.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-01-300x81.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-01-768x208.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-01-1536x415.png 1536w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-01-1170x316.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-01-585x158.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-01.png 1887w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Enable it with AWS Organizations.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-02.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-02-1024x828.png" alt="" width="1024" height="828" class="aligncenter size-large wp-image-9789" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-02-1024x828.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-02-300x243.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-02-768x621.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-02-1170x947.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-02-585x473.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-02.png 1246w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
What you want to do first is to change the AWS access portal URL. Click on the <strong>Edit </strong>button and change the URL. It has to be globally unique, so don&#8217;t expect to type <em>aws</em> and be done with it. </p>
<p><a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-03-1.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-03-1.png" alt="" width="796" height="823" class="aligncenter size-full wp-image-9821" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-03-1.png 796w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-03-1-290x300.png 290w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-03-1-768x794.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-03-1-585x605.png 585w" sizes="(max-width: 796px) 100vw, 796px" /></a></p>
<p>Another setting that you have to change is the <strong>Identity source</strong>. On the left side of <strong>IAM Identity Center</strong> you are on the <strong>Dashboard </strong>screen. Click on <strong>Settings </strong>and then click on <strong>Change identity source</strong>.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-04.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-04-1024x450.png" alt="" width="1024" height="450" class="aligncenter size-large wp-image-9791" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-04-1024x450.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-04-300x132.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-04-768x337.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-04-1536x675.png 1536w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-04-2048x900.png 2048w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-04-1920x844.png 1920w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-04-1170x514.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-04-585x257.png 585w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Choose <strong>External identity provider</strong> and click <strong>Next</strong>.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-05.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-05-1024x539.png" alt="" width="1024" height="539" class="aligncenter size-large wp-image-9792" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-05-1024x539.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-05-300x158.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-05-768x404.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-05-1170x616.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-05-585x308.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-05.png 1305w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
You will see this screen, which consists of two parts: service provider metadata (that&#8217;s AWS) and identity provider metadata (that&#8217;s Entra ID). Click on <strong>Download metadata file</strong>. You&#8217;ll get an XML file.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-06.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-06-906x1024.png" alt="" width="906" height="1024" class="aligncenter size-large wp-image-9793" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-06-906x1024.png 906w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-06-265x300.png 265w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-06-768x868.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-06-1170x1323.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-06-585x661.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-06.png 1239w" sizes="(max-width: 906px) 100vw, 906px" /></a><br />
Keep the page open and in a new browser window go to portal.azure.com.</p>
<h1>Entra ID</h1>
<p>Once logged in to Azure, go to <strong>Enterprise Applications</strong> and search for <strong>AWS IAM Identity Center (successor to AWS Single Sign-On)</strong>. Click to install. When you are presented with the <strong>Overview </strong>of the application, click on <strong>Assign users and groups</strong>. Assigning groups requires an Entra ID P1 or P2 license; on the free tier you can only assign individual users.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-07.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-07-1024x600.png" alt="" width="1024" height="600" class="aligncenter size-large wp-image-9795" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-07-1024x600.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-07-300x176.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-07-768x450.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-07-1536x900.png 1536w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-07-2048x1199.png 2048w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-07-1920x1124.png 1920w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-07-1170x685.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-07-585x343.png 585w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
The next step is to set up the SSO. Click on <strong>2. Set up single sign on</strong> and then <strong>SAML</strong>. You&#8217;ll be presented with this page, and you may see a prompt asking whether you want to save some SSO settings. If you don&#8217;t see the prompt, no worries. If you do, click <strong>Yes</strong>.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-08.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-08-814x1024.png" alt="" width="814" height="1024" class="aligncenter size-large wp-image-9798" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-08-814x1024.png 814w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-08-238x300.png 238w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-08-768x967.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-08-1170x1473.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-08-585x736.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-08.png 1218w" sizes="(max-width: 814px) 100vw, 814px" /></a><br />
Click on <strong>Upload metadata file</strong> and point to the XML file that you saved from AWS. Click <strong>Save </strong>and don&#8217;t worry about any of the fields there; the identifier and reply URL are filled in from the AWS metadata. If you see a popup to test the config, just click <strong>No, I&#8217;ll test later</strong>. Under step 3, <strong>SAML Certificates</strong>, click <strong>Download </strong>next to Federation Metadata XML.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-09.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-09.png" alt="" width="1009" height="546" class="aligncenter size-full wp-image-9799" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-09.png 1009w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-09-300x162.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-09-768x416.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-09-585x317.png 585w" sizes="(max-width: 1009px) 100vw, 1009px" /></a><br />
You&#8217;ll get another XML file called <strong>AWS IAM Identity Center (successor to AWS Single Sign-On).xml</strong>.</p>
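<p>Before uploading this file to AWS it is worth confirming that it really is your tenant&#8217;s IdP metadata and not the AWS service-provider file downloaded a moment earlier, that it carries a signing certificate, and which certificate that is: the fingerprint lets you recognise the change when Entra ID rotates the SAML signing certificate and the upload has to be repeated. The Python script below is an added example for this post, not from the original article or from Microsoft or AWS; the metadata document and tenant ID in it are constructed, the certificate is a placeholder, and the function names are chosen here.</p>

```python
"""Sanity-check Entra ID federation metadata before uploading it to IAM
Identity Center. Added example for this post (not the original author's
code); the metadata document below is constructed and the certificate is
a placeholder, not a real X.509 certificate."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints and signing-cert SHA-256 fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # The file downloaded from AWS describes a service provider, not an IdP.
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not the Entra ID file")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))
            certs.append(hashlib.sha256(der).hexdigest())
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID", ""), "signing_cert_sha256": certs, "sso": sso}


def check_idp_metadata(meta: dict, expected_tenant_id: str) -> list:
    """Return findings; an empty list means the file belongs to the expected tenant and is usable."""
    findings = []
    # Entra ID's SAML entityID is https://sts.windows.net/<tenant id>/
    m = re.fullmatch(r"https://sts\.windows\.net/([0-9a-fA-F-]{36})/", meta["entity_id"])
    if not m:
        findings.append(f"unexpected entityID {meta['entity_id']!r}")
    elif m.group(1).lower() != expected_tenant_id.lower():
        findings.append(f"metadata is for tenant {m.group(1)}, expected {expected_tenant_id}")
    if not meta["signing_cert_sha256"]:
        findings.append("no signing certificate: AWS cannot verify assertions")
    elif len(meta["signing_cert_sha256"]) > 1:
        findings.append("more than one signing certificate (rollover in progress?): check which one is active")
    for binding in (REDIRECT, POST):
        loc = meta["sso"].get(binding, "")
        if not loc.startswith("https://login.microsoftonline.com/"):
            findings.append(f"missing or unexpected SingleSignOnService for {binding}")
    return findings


# Constructed sample: the shape of the Entra ID federation metadata file.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBCONSTRUCTEDCERTDATA0</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""
# Outline of a service-provider file, the one you must NOT upload on the AWS side.
SP_SAMPLE = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
             'entityID="https://example.invalid/saml/sp">'
             '<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
             '</EntityDescriptor>')

if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", meta["entity_id"])
    print("signing cert sha256:", meta["signing_cert_sha256"])
    print("findings:", check_idp_metadata(meta, TENANT_ID) or "OK")
```

<p>To use it on the real download, read the file into a string and pass it to <em>parse_idp_metadata</em> together with your tenant ID. Keep the printed fingerprint with your runbook: when Entra ID issues a new SAML signing certificate for the application, the fingerprint changes and AWS will reject assertions until the new metadata is uploaded.</p>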
<h1>Back to AWS</h1>
<p>Go back to the same page where you downloaded the XML metadata file, but this time look at the bottom part where it says <strong>Identity provider metadata</strong> and <strong>IdP SAML metadata</strong>. Click on <strong>Choose file</strong> and upload the file from Azure. Click <strong>Next</strong>, type <strong>ACCEPT </strong>and click <strong>Change identity source</strong>.<br />
Once completed, click to <strong>Enable </strong>Automatic provisioning. Copy the <strong>SCIM endpoint</strong> and the <strong>access token</strong>. The token is displayed only once and expires after one year, so record the expiry date: provisioning from Entra ID fails once it lapses and you&#8217;ll have to generate a new token and update it in Azure. </p>
<h1>Back to Azure</h1>
<p>Under the AWS SSO application, on the left side click on <strong>Provisioning</strong>. Change the <strong>Provisioning Mode</strong> to <strong>Automatic</strong>. Expand <strong>Admin credentials</strong> and for <strong>Tenant ID</strong> enter the <strong>SCIM endpoint</strong> and for <strong>Secret Token</strong> enter the token. Click <strong>Test Connection</strong> and upon a successful test, click <strong>Save</strong>. If you see <em>clientsecret</em> instead of Tenant ID, it means you are not using the right application; you installed the AWS Single-Account Access application instead. Start from scratch.<br />
Anytime you assign a new user or a group to the AWS application, Azure will sync the user to AWS. But, instead of waiting for the initial sync (the provisioning cycle runs every 40 minutes by default), click on <strong>Overview </strong>and click <strong>Start provisioning</strong>.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-10.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-10-1024x704.png" alt="" width="1024" height="704" class="aligncenter size-large wp-image-9803" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-10-1024x704.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-10-300x206.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-10-768x528.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-10-1170x804.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-10-585x402.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-10.png 1200w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
<h1>Back to AWS</h1>
<p>If your provisioning works fine, you&#8217;ll see your assigned Azure user under <strong>Users </strong>in IAM Identity Center. On the left side of the IAM Identity Center, click on <strong>Permission sets</strong>. Click <strong>Create Permission set</strong> and choose <strong>Predefined permission set</strong>, then <strong>AdministratorAccess</strong>. Change the name, description, session duration if needed and then click <strong>Next</strong> and then <strong>Create</strong>.<br />
Finally, click on <strong>AWS accounts</strong>, select an account from the organization, click <strong>Assign users or groups</strong>, click <strong>Users </strong>or <strong>Groups</strong>, select a user and click <strong>Next</strong>. Assign a permission set, click <strong>Next </strong>and <strong>Submit</strong>.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-11.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-11-1024x675.png" alt="" width="1024" height="675" class="aligncenter size-large wp-image-9804" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-11-1024x675.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-11-300x198.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-11-768x506.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-11-585x386.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-11.png 1048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
Now, test the SSO by going to whatever.awsapps.com/start# and you&#8217;ll be redirected to the Microsoft sign-in prompt. Follow the authentication process for Entra ID (username, password, MFA, etc.) and once you pass it you&#8217;ll see the AWS account(s) that you have access to.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-12.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-12-1024x309.png" alt="" width="1024" height="309" class="aligncenter size-large wp-image-9806" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-12-1024x309.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-12-300x91.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-12-768x232.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-12-1170x353.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-12-585x177.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-12.png 1513w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
<h1>AWS CLI and SSO</h1>
<p>Follow the instructions to <a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" rel="noopener" target="_blank">install </a>AWS CLI for your OS, then configure SSO. Name your session, enter the URL you configured earlier, enter the region where you configured SSO and hit enter for the registration scopes. </p>
<pre class="brush: bash; title: ; notranslate">
aws configure sso
SSO session name (Recommended): sso
SSO start URL &#x5B;None]: https://your_url.awsapps.com/start
SSO region &#x5B;None]: us-east-1
SSO registration scopes &#x5B;sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

PWKG-CAFZ
</pre>
<p>After successful authentication, you&#8217;ll be presented with the accounts available to you. Pick one.<br />
<a href="https://blog.andreev.it/wp-content/uploads/2024/03/P171-13.png"><img loading="lazy" decoding="async" src="https://blog.andreev.it/wp-content/uploads/2024/03/P171-13-1024x305.png" alt="" width="1024" height="305" class="aligncenter size-large wp-image-9819" srcset="https://blog.andreev.it/wp-content/uploads/2024/03/P171-13-1024x305.png 1024w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-13-300x89.png 300w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-13-768x229.png 768w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-13-1536x458.png 1536w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-13-1170x349.png 1170w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-13-585x174.png 585w, https://blog.andreev.it/wp-content/uploads/2024/03/P171-13.png 1734w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><br />
You&#8217;ll be prompted to choose the roles available to you and then to specify your default region, default output format and the profile name.<br />
NOTE: If you&#8217;ll be working with multiple accounts, you may want to specify a different profile than the default, e.g. <strong>prod</strong> and <strong>dev</strong> profiles. It&#8217;s up to you. </p>
<pre class="brush: plain; title: ; notranslate">
There are 2 AWS accounts available to you.
Using the account ID 123456789012
The only role available to you is: AdministratorAccess
Using the role name &quot;AdministratorAccess&quot;
CLI default client Region &#x5B;None]: us-east-2
CLI default output format &#x5B;None]: json
CLI profile name &#x5B;AdministratorAccess-123456789012]: default

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile default
</pre>
<p>After your SSO session expires, you have to log back in.</p>
<pre class="brush: bash; title: ; notranslate">
aws sso login
</pre>
<p>If you are like me and always uses the <strong>default </strong>profile so I don&#8217;t have to type <em>&#8211;profile</em> parameter, then anytime you want to use a different account, just <strong>aws configure sso</strong> again, but specify the other account now. </p>
]]></content:encoded>
					
					<wfw:commentRss>https://blog.andreev.it/2024/03/entra-id-azure-ad-and-aws-sso/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
