SCIM Role Provisioning For AWS SSO App

Would it be possible to share the config associated with the provisioning service which reads AWS roles and imports them to the Azure AD servicePrincipal representing the AWS SSO app? I see that I can copy the synchronization template from an existing AWS app to a new servicePrincipal, but I don't see any logic in the template around how roles are queried and filtered when importing them from AWS. Is there a place in the Graph API where I can view how the SCIM client is configured to query AWS to read the roles, or am I looking in the wrong place and just missing it in the synchronization template? I'm curious, as there may be some instances where we want to only import certain roles, or roles that meet only certain criteria, and I'm not seeing where those filters or that logic are stored for use by the provisioning service, including the SCIM URL that is used when communicating with AWS.

Thanks!

1 answer

Danny Zollner, Microsoft Employee
2020-04-11T07:26:23.69+00:00

It is not possible with the current implementation of the inbound AWS role import functionality that we have today to either view or customize configuration regarding how we retrieve data from Amazon. We are not using SCIM, but rather an Amazon-proprietary API, and the scope is set to all roles in the targeted environment. If you can share some examples of things you'd like to be able to configure but aren't able to with the current AWS role import implementation, we can investigate the feasibility of adding these when we next revisit this provisioning connector.