Andras Dosztal
Andras Dosztal
Network architect
May 26, 2020 2 min read

Accessing AWS console with Azure AD credentials

thumbnail for this post

It is possible to use AAD as an authentication source for users accessing the AWS console. Follow the steps described here, and you won’t need to maintain two authentication sources.

Creating the application on Azure

# Action Screenshot
1 Create a new Enterprise Application under the AAD settings.
2 From the applications, select Azure AD SAML Toolkit, and give it a name (AWS Console in this case).
Step 2
3 After the application is added, choose its Owners.
Step 3
4 Add the Users and groups who can use this application. Note: Groups can only be added with Premium AAD subscriptions.
Step 4
5 Go to Single sign-on and download the Federation Metadata XML.
Step 5

Changing Identity provider on AWS

# Action Screenshot
6 If hasn’t done before, create an Organization and add your account to that.
Step 6
7 Go to AWS SSO and click on Choose your identity source.
Step 7
8 Select External identity provider, then upload the Metadata XML that was downloaded previously from Azure.
Step 8
9 Create a Group for the Azure users.
Step 9
10 Create the Users who were in AAD, assign them to the group created in the previous step.
Step 10
11 Go to AWS accounts, and create a Permission set for the to be associated users.
Step 11
12 Link the users to the AWS account.
Step 12
13 Go to Settings, click on View details next to “Authentication / SAML 2.0”, then click on Download metadata file.
Step 13

Finalizing SAML configuration on Azure

# Action Screenshot
14 Go back to the Enterprise application on the Azure portal, and upload the metadata file that was downloaded in the previous step.
Step 14
15 It is advised to the test the SSO on the Azure portal.
Step 15


Users are not synchronized from AAD but must be created on AWS. This can be done using automation scripts but these need to be developed.