
They gave you AWS credentials. You logged in. And now you need it to trust Microsoft Entra.


Identity in the cloud is simple only on paper. AWS controls compute and storage. Microsoft Entra controls authentication and authorization. To make them work together, you have to bridge two worlds without lowering your security posture.

The key is federation. AWS supports identity federation through SAML 2.0. Microsoft Entra speaks SAML and can act as the trusted identity provider. The target state: sign in with Entra credentials and get AWS roles without creating separate AWS IAM users.

Here’s the high-level flow:

  1. Microsoft Entra verifies a user’s identity.
  2. Entra issues a SAML assertion.
  3. AWS Security Token Service uses that assertion to create temporary credentials.
  4. The user gets the right IAM role and permissions.

Start with Microsoft Entra. Create an enterprise app for AWS. Use the AWS SSO or SAML connector. Set the identifier and reply URLs exactly as AWS provides. Assign roles or groups in Entra. These dictate which AWS IAM roles the user can assume.


Over in AWS, create an IAM identity provider of type SAML. Import the metadata from Entra. Then create IAM roles with a trust policy that names the Entra identity provider and matches the role claim in the SAML assertion.
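As an added example (not code from the post or from hoop.dev), the snippet below shows the two halves of the AWS side in code: the IAM trust policy that names the Entra SAML provider and pins the assertion audience, and a parser that pulls the AWS `Role` attribute out of an assertion and checks that each role/provider pair points at the provider AWS actually trusts. The account id, provider name, role names and the assertion XML are constructed placeholders; `trust_policy`, `role_claims` and `check_claims` are names chosen here, not an AWS API.

```python
"""Build the IAM trust policy for an Entra SAML provider and check that the
Role claim values an assertion carries match it.

Example code added alongside the post; account id, provider name, role names
and the sample assertion are constructed placeholders.
"""
from __future__ import annotations

import json
import xml.etree.ElementTree as ET

ACCOUNT_ID = "123456789012"        # constructed placeholder account id
PROVIDER_NAME = "MicrosoftEntra"   # constructed name of the IAM SAML provider
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/{PROVIDER_NAME}"

# Audience AWS expects in a console-sign-in SAML assertion.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: the second Role value deliberately names a
# provider in a different account, which the trust policy below would reject.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>arn:aws:iam::{ACCOUNT_ID}:role/EntraAdmin,{PROVIDER_ARN}</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::999999999999:saml-provider/Other,arn:aws:iam::{ACCOUNT_ID}:role/EntraReadOnly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def trust_policy(provider_arn: str) -> dict:
    """Trust policy for an IAM role: only the named SAML provider may assume
    it, and only with an assertion whose audience is the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def role_claims(assertion_xml: str) -> list[tuple[str, str]]:
    """Return (role_arn, provider_arn) pairs from the AWS Role attribute.

    A Role value is two ARNs separated by a comma; either order is accepted,
    so the provider is identified by its ':saml-provider/' segment."""
    root = ET.fromstring(assertion_xml)
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",", 1)]
            if len(parts) != 2:
                continue  # malformed value: skip rather than guess
            first, second = parts
            if ":saml-provider/" in first:
                pairs.append((second, first))
            else:
                pairs.append((first, second))
    return pairs


def check_claims(pairs: list[tuple[str, str]], expected_provider_arn: str) -> list[str]:
    """Return the role ARNs whose claim names a provider other than the trusted one."""
    return [role for role, provider in pairs if provider != expected_provider_arn]


if __name__ == "__main__":
    print(json.dumps(trust_policy(PROVIDER_ARN), indent=2))
    pairs = role_claims(SAMPLE_ASSERTION)
    print("role claims:", pairs)
    print("mismatched providers:", check_claims(pairs, PROVIDER_ARN))
```

The `SAML:aud` condition matters: without it a role trusts any assertion the provider signs, regardless of which relying party it was minted for. The mismatch check mirrors what STS does when the claim's provider ARN and the role's trust policy disagree; running it against the assertion Entra emits during the one-user test tells you which half of the configuration is wrong before you read a generic sign-in error.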

Test with one user. Sign in to the AWS console using the Entra single sign-on link. The authentication should route through Entra, return the SAML assertion, and grant the correct AWS role. This is the moment where federated login clicks — no password syncs, no double accounts, just one secure flow.

Consider security controls. Use Conditional Access in Entra to require MFA, device compliance, or IP restrictions before anyone touches AWS. Review AWS CloudTrail to monitor assumed role sessions. Rotate SAML certificates and metadata regularly to avoid downtime.
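To make the CloudTrail review concrete, here is an added example (not from the post) that walks a batch of `AssumeRoleWithSAML` records and flags federated sessions that came from an unexpected provider, landed in a role outside the allow-list, failed outright, or originated off the corporate network. The records, account id, role names and the network range are constructed; the field names follow the shape CloudTrail uses for STS events, and `review_saml_sessions` is a name chosen here.

```python
"""Flag federated AWS sessions in CloudTrail that fall outside policy.

Example code added alongside the post. TRUSTED_PROVIDER, ALLOWED_ROLES,
CORPORATE_RANGES and SAMPLE_RECORDS are constructed for the demonstration.
"""
from __future__ import annotations

import ipaddress

TRUSTED_PROVIDER = "arn:aws:iam::123456789012:saml-provider/MicrosoftEntra"
ALLOWED_ROLES = {
    "arn:aws:iam::123456789012:role/EntraAdmin",
    "arn:aws:iam::123456789012:role/EntraReadOnly",
}
# Constructed corporate egress range (TEST-NET-3); would mirror the IP
# restriction enforced by Conditional Access in Entra.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def _record(time, user, role, ip, provider=TRUSTED_PROVIDER, error=None):
    """Build a constructed CloudTrail record in the shape STS events take."""
    rec = {
        "eventTime": time,
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "SAMLUser", "userName": user},
        "requestParameters": {"roleArn": role, "principalArn": provider},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample batch: one clean login, one from outside the corporate
# range, one into a role that is not on the allow-list, plus an unrelated event.
SAMPLE_RECORDS = [
    _record("2024-01-10T08:01:00Z", "alice@example.com",
            "arn:aws:iam::123456789012:role/EntraReadOnly", "203.0.113.10"),
    _record("2024-01-10T08:05:00Z", "bob@example.com",
            "arn:aws:iam::123456789012:role/EntraAdmin", "198.51.100.7"),
    _record("2024-01-10T08:09:00Z", "carol@example.com",
            "arn:aws:iam::123456789012:role/LegacyBreakGlass", "203.0.113.22"),
    {"eventTime": "2024-01-10T08:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10"},
]


def review_saml_sessions(records: list[dict]) -> list[dict]:
    """Return one finding per AssumeRoleWithSAML record that breaks a rule."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com":
            continue
        if rec.get("eventName") != "AssumeRoleWithSAML":
            continue
        params = rec.get("requestParameters") or {}
        role = params.get("roleArn")
        provider = params.get("principalArn")
        ip = rec.get("sourceIPAddress", "")
        reasons = []
        if provider != TRUSTED_PROVIDER:
            reasons.append("untrusted-provider")
        if role not in ALLOWED_ROLES:
            reasons.append("unexpected-role")
        if rec.get("errorCode"):
            reasons.append("failed:" + rec["errorCode"])
        try:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in CORPORATE_RANGES):
                reasons.append("off-network-ip")
        except ValueError:
            reasons.append("unparseable-ip")  # e.g. an AWS service name
        if reasons:
            findings.append({
                "time": rec.get("eventTime"),
                "user": (rec.get("userIdentity") or {}).get("userName"),
                "role": role,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_saml_sessions(SAMPLE_RECORDS):
        print(finding)
```

The allow-list of roles is the important part: once Entra group membership drives role selection, a role that is assumed via SAML but was never assigned in Entra is a configuration drift worth investigating. Feeding the same logic from a CloudTrail Lake query or an S3 log export is a matter of swapping the input list.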

Once configured, this integration lets you manage identities centrally in Entra while delegating AWS access with full precision. It cuts account sprawl. It preserves enterprise policy. It speeds up onboarding and offboarding.

If you want to see secure systems like this alive and working in minutes — without the endless setup grind — check out hoop.dev. It’s how you can try ideas like Entra-to-AWS federation instantly and see your results, real and running, without the wait.
