Azure AD

Overview

In this lab we will walk through how to integrate Azure AD with Control Tower. We will leverage the AWS Single Sign-on service’s external identity provider capabilities and enable automated user and group provisioning. Permission sets will provide the means to manage the roles and permissions of users and groups.

Prerequisites

  • This lab requires an account with Administrator privileges and Control Tower.
  • We will be utilizing an Azure free account to create our Azure AD and test users for this lab. Follow the steps from Microsoft to create a free account and a free Azure AD Premium trial.
  • You’ll want to have picked out (use lowercase alphanumerics):
    • alias (the mailbox/username)
    • realm (the second-level part of the domain, under .local),
      so alias@realm.local

Azure - Quick Setup

Before we can start to configure the lab you’ll need to create an Azure AD instance, please follow this guide from Microsoft to accomplish this https://azure.microsoft.com/en-us/trial/get-started-active-directory/.

Azure - Create a Directory

  • Log into the Microsoft Azure portal portal.azure.com/#home
  • In Azure Services ribbon click on +Create a resource
  • New
    • in search the Marketplace type Azure Active Directory
  • Azure Active Directory
    • Click Create
  • Create a directory :
    • Select Azure Active Directory
    • Click Next : Configuration >
  • Create a directory : Configuration
    • Complete the fields
      • Organization name : realm
      • Initial domain name : realm
      • Country/Region : a location that matches where Control Tower is deployed
    • Click Create
  • Click here

AWS SSO - Service Provider Metadata

In this section we are going to configure AWS SSO to use Azure Active Directory as an External Identity Provider.

  • On the AWS SSO Dashboard click the Choose your identity source link.
  • In the Identity Source section, in the row Identity Source, click the Change link.
  • Select External Identity Provider
  • In the Service provider metadata section click Download metadata file and save it on your computer as aws-sp.xml.
  • Leave this browser tab open, and open a new tab to access your Microsoft Azure Console

Azure - Setup the AWS Single Sign-on App

First we need to create an instance of the AWS Single Sign-on enterprise app in our Azure Active Directory. If you have multiple AWS Organizations, you will set up one app for each organization, so give each app a distinct name that is easy for your users to recognise.

  • Sign in to the Azure portal using a work account, school account, or personal Microsoft account.
  • In the Azure portal, search for and select Azure Active Directory.
  • Within the Azure Active Directory overview menu, choose Enterprise Applications > All applications.
  • Select New application to add an application.

  • AWS Single Sign-on
    • Name : AWS Single Sign-on
    • click Create

Now we need to configure the app.

  • on the lefthand menu, click Single sign-on
  • dialogue titled Amazon Web Services (AWS) | Single sign-on
    • click SAML-based Sign-on
  • dialogue titled Amazon Web Services (AWS) | SAML-based Sign-on
    • click Upload metadata file
    • click Select a file, and browse to aws-sp.xml file and click Add
  • Basic SAML Configuration
    • Click Save
    • close the dialogue with X in the top right.
  • dialogue titled Test single sign-on with Amazon Web Services (AWS)
    • Click No, I’ll test later
  • Amazon Web Services (AWS) | SAML-based Sign-on
  • Scroll down to SAML Signing Certificate section
    • On the line Federation Metadata XML, click Download and save it on your computer as azure-idp.xml.
  • Review the information displayed, and then in the User Attributes & Claims section click the Pencil icon and make any adjustments you wish

AWS SSO - Change Identity Provider

In this section we are going to upload the details of our Azure Active Directory Identity Provider.

  • Switch back to the AWS SSO browser tab
  • in the section Identity provider metadata
    • Click Browse and select the azure-idp.xml document you saved above
    • Click Next: Review
  • Review and confirm
    • Review the information provided
    • Type CONFIRM in the field at the bottom
    • click Change Identity source
    • Once the reconfiguration has completed click Return to settings

AzureAD - Create a Group

We are going to create a group representing our Financial Operations team members, who should have permission to access billing information in our organisation’s master payer account.

  • On the top ribbon, click the link for your directory’s realm
  • Then in the left hand menu, click Groups
  • Groups | All groups
    • click + New group
  • New Group
    • Group type : Security
    • Group name : AWSFinOpsUsers
    • Group description : Cross Account Financial Operations Users.
    • Membership type : Assigned
    • Click Create
  • On the top ribbon, click the link for your directory’s realm
  • Then in the left hand menu, click Enterprise applications
  • In the list, click AWS Single Sign-on
  • AWS Single Sign-on | Overview
    • Then in the left hand menu, click Users and groups
  • AWS Single Sign-on | Users and groups
    • click + Add user
    • Add Assignment
      • click Users and groups
      • click on AWSFinOpsUsers
      • click Select
    • click Assign

AWS SSO - Automated Provisioning

  • Switch back to the AWS SSO - Settings browser tab
  • Click on the link Enable automatic provisioning
  • You’ll need to copy and paste the SCIM endpoint and Access token shown here into the Amazon Web Services (AWS) | Provisioning form on the tab you left open on the Azure console

AzureAD - Automated Provisioning

  • Switch back to the Amazon Web Services (AWS) | Single Sign-on browser tab
  • on the lefthand menu, under Manage, Click on Provisioning
  • Amazon Web Services (AWS) | Provisioning

    • change Provisioning Mode to Automatic
      • Tenant URL: SCIM endpoint
      • Secret Token : Access token
      • Click Test Connection
    • Click Save
    • Settings
      • Provisioning status : On
      • Scope : Sync only assigned users and groups
    • Click Save
  • under Current Status, click Refresh

  • if not successful

    • check Clear current state and restart synchronization,
    • Click Save
    • under Current Status, click Refresh
    • it should now indicate Initial cycle completed

  • Click on Edit attribute mappings
  • Provisioning
    • Click Mappings
    • in the section now visible click Provision Azure Active Directory Users
  • Attribute Mapping
    • Scroll down the page until you reach the Attribute Mappings

Because Azure Active Directory’s attribute schema is complex and allows multiple telephone numbers and street addresses, the default mapping can cause provisioning errors with AWS Single Sign-on. The simplest way to avoid these issues is to reduce the attribute map to a minimal set.

  • Delete any superfluous attribute lines.
  • Click the ‘X’ to close the Attribute Mapping dialogue
  • Click the ‘X’ to close the Provisioning dialogue
  • Click the ‘X’ to close the AWS Single Sign-on | Provision dialogue
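To see which mappings the reduced set drops, here is an added Python example (not from this lab) that audits a SCIM User payload of the kind Azure’s provisioning service sends to the AWS SSO SCIM endpoint. The minimal and required attribute sets and the sample payload are this example’s assumptions, not an AWS-published list.

```python
# Minimal set of top-level SCIM User attributes kept after trimming the
# Azure mapping (this example's assumption, not an AWS-published list).
MINIMAL_ATTRS = {"schemas", "externalId", "userName", "displayName", "name",
                 "emails", "active"}
# Multi-valued attributes Azure can populate several times; the lab names
# phone numbers and street addresses as a cause of provisioning errors.
MULTI_VALUED = {"phoneNumbers", "addresses", "emails"}
REQUIRED = ("userName", "displayName", "name")  # assumption, see lead-in

# Constructed sample payload in the shape Azure's provisioning service sends
# under the default mapping (all values are placeholders).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": "alias@realm.onmicrosoft.com",
    "displayName": "Alias Example",
    "name": {"givenName": "Alias", "familyName": "Example"},
    "emails": [{"value": "alias@realm.onmicrosoft.com", "type": "work",
                "primary": True}],
    "active": True,
    "phoneNumbers": [{"value": "+1 555 0100", "type": "work"},
                     {"value": "+1 555 0101", "type": "mobile"}],
    "addresses": [{"streetAddress": "1 Example St", "type": "work"}],
    "title": "Analyst",
}

def audit_user_payload(user):
    """List mappings to delete, over-populated multi-valued attributes and missing required ones."""
    findings = ["extra attribute '%s': delete its mapping" % a
                for a in sorted(set(user) - MINIMAL_ATTRS)]
    for attr in sorted(MULTI_VALUED & set(user)):
        if isinstance(user[attr], list) and len(user[attr]) > 1:
            findings.append("'%s' has %d entries: keep one or drop the mapping"
                            % (attr, len(user[attr])))
    findings += ["missing required attribute '%s'" % a
                 for a in REQUIRED if not user.get(a)]
    return findings

def reduce_user_payload(user):
    """Return the payload as it looks once the mapping is reduced: MINIMAL_ATTRS and one email."""
    reduced = {k: v for k, v in user.items() if k in MINIMAL_ATTRS}
    emails = reduced.get("emails")
    if isinstance(emails, list) and emails:
        reduced["emails"] = ([e for e in emails if e.get("primary")] or emails)[:1]
    return reduced

if __name__ == "__main__":
    print("\n".join(audit_user_payload(SAMPLE_USER)))
    print(reduce_user_payload(SAMPLE_USER))
```

The request bodies shown in Azure’s provisioning logs can be pasted in as the user dict to check a real mapping the same way.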

AWS SSO - Create Permission Set

We’ll now create a permission set with appropriate rights for the Financial Operations Team.

  • Switch to the AWS SSO browser tab
  • In the left panel, click AWS accounts, and then the Permission sets tab
  • Click Create permission set
  • Create new permission set
    • select Use an existing job function policy
    • Click Billing and click Create
  • Click on Billing in the list of permission sets
  • Billing - Permissions tab

AWS SSO - Assign Group

We now need to assign the Azure group AWSFinOpsUsers, with the Billing permission set, to the master payer account.

  • Switch to the AWS SSO browser tab
  • In the left panel, click AWS accounts, and then the AWS organization tab
  • Click Root
  • Check your master account and click Assign users
  • Assign Users
    • Click the Groups tab
    • Check AWSFinOpsUsers
    • Click Next: Permission sets
  • Select permission sets
    • check Billing
    • Click Finish
  • Complete
    • Click Proceed to AWS accounts

AWS SSO - Assign Users

Create an Azure AD test user

In this section, you’ll create a test user in the Azure portal.

  • In the Azure portal, search for and select Azure Active Directory.
  • In the lefthand panel, click Users.
  • click +New user on the top menu.
  • New user

    • Select Create user
    • Identity

      • User name : alias@realm.onmicrosoft.com
      • Name : your first name your last name
      • First name : your first name
      • Last name : your last name
    • Groups and roles

      • click 0 groups selected
        • select AWSFinOpsUsers
        • click Select
      • Roles : User
    • Settings

      • Block sign in : No
      • Usage location : leave blank
    • job info

      • job title : leave blank
      • Department : leave blank
    • click Create

  • In the list of users, click your first name your last name (the user you just created)

  • click Reset password on the top menu

  • in the righthand menu, click Reset password

  • copy the Temporary password to the clipboard

Explore as our FinOps User

Now we can see the experience we’ve configured for our test user.

  • Switch to the AWS SSO browser tab
  • In the left panel, click Dashboard
  • Copy the User portal URL
  • Open a browser window in Private or incognito mode and paste the user portal URL into the address bar.
  • The browser should redirect you to your Azure login page:
    • username : alias@realm.onmicrosoft.com
    • password : the one you copied to the clipboard
    • you may be asked to provide additional security questions based on your Azure AD configuration
  • Once successfully logged in you should be returned to the AWS Single Sign-On start page
  • Click on AWS Account (1)
    • Click on the name of your master account
    • On the line Billing click the link Management Console
    • A new tab should open and display the Billing & Cost Management Dashboard for your organization.

Add User to Control Tower created Group

Control Tower populates AWS SSO with a number of default groups; we’ll now add our test user to one of these. In the Master account:

  • In the AWS SSO Dashboard
    • click Groups in the lefthand menu
    • click on AWSControlTowerAdmins
    • review the Group members; the list should not include the test user
  • In the Azure portal, search for and select Azure Active Directory.
    • In the lefthand panel, click Groups.
      • click New group,
      • Group type : Security
      • Group name : AWSControlTowerAdmins
      • Group description : Control Tower Admin default group
      • Membership type : Assigned
    • Click Create
    • Click on AWSControlTowerAdmins,
    • In the lefthand menu, under Manage, click Members (Preview)
    • In the dialogue AWSControlTowerAdmins | Members (Preview)
      • click + Add members
      • search for and select alias@realm.onmicrosoft.com
      • click Select
    • the user alias@realm.onmicrosoft.com should now be listed.
    • In the top ribbon click realm
    • In the lefthand menu, click Enterprise applications
    • In the main pane, click AWS Single Sign on
    • In the lefthand menu, under Manage, click Users and groups
    • In the main pane, click + Add user
    • In the dialogue Add Assignment
      • click Users and groups
      • select AWSControlTowerAdmins, click Select
      • click Assign
  • In the AWS SSO Dashboard
    • click Groups in the lefthand menu
    • click on AWSControlTowerAdmins
    • review the Group members; if alias@realm.onmicrosoft.com is not listed, wait a few minutes and refresh your browser

Deleting AWS resources deployed in this lab

In the Master account:

  • In the AWS SSO Dashboard
    • In the Identity Source section, in the row Identity Source, click the Change link.
    • Change identity source
      • Select AWS SSO,
      • click Next: Review
    • Review and confirm
      • Review the information provided
      • Type CONFIRM in the field at the bottom
      • click Change Identity source
    • Once the reconfiguration has completed click Return to settings
  • In the Azure portal
    • In the Azure portal, search for and select Azure Active Directory.
    • In the lefthand panel, click Enterprise applications.
    • click on AWS Single Sign-on
    • on the lefthand panel, click on Properties
    • click Delete on the top menu
    • click Yes

*Copyright 2021, Amazon Web Services, All Rights Reserved.*