Share via

[MSDN Redirect] User provisioning from Azure AD to AWS will not start

SwathiDhanwada-MSFT 18,891 Reputation points
2020-02-07T04:58:39.027+00:00

Following the instructions in the AWS blog post entitled "The Next Evolution in AWS Single Sign-On", I have created an Enterprise Application in Azure Active Directory and changed the identity source in AWS SSO to be Azure AD. As an initial test, I configured AWS SSO provisioning to "manual" and created a user in AWS SSO with a "Username" that matches my Azure AD "Unique User Identifier". I was able to log into the AWS console successfully. When I tested sign on using "Test this application" in Azure AD it worked as expected and I was successfully logged into AWS with the option to choose an account and role to assume.

The problem is that I cannot get automatic user provisioning to work.

  • I enabled automatic provisioning in AWS SSO.
  • I enabled automatic provisioning in Azure AD.
  • I have one group assigned to the Azure AD Enterprise Application, containing three users.
  • As the blog post recommends, I created a mapping between the objectId Azure Active Directory attribute and the externalId customappsso attribute.
  • I've waited at least 40 minutes.
  • There are no entries in the Azure AD provisioning logs showing interaction between Azure AD and AWS.
  • The Azure AD audit log shows a success entry stating "Provisioning to enterprise application access was configured and started".
  • I tried "Clear current state and restart synchronization", but user provisioning still did not start. The audit logs records this action as "Provisioning to access was restarted. We will revisit all users in your directory".

Azure AD always says "Initial cycle not run". The Azure SSO Users and Groups pages are both empty, but I am expecting to see three users and one group.

What could be wrong?

Source : https://social.msdn.microsoft.com/Forums/en-US/b5b6b14d-dcdc-4d30-86f5-35b25ca447ca/user-provisioning-from-azure-ad-to-aws-will-not-start?forum=windowsazuremanagement

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,339 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marilee Turscak-MSFT 37,141 Reputation points Microsoft Employee
    2020-02-10T23:43:37.24+00:00

    Try deleting and re-adding the Enterprise Application.

    I would also try following the Microsoft tutorial. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.