In a hybrid identity scenario we recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where an account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources.
Best practice: Establish a single Azure AD instance. Consistency and a single authoritative source will increase clarity and reduce security risks from human errors and configuration complexity.
Detail: Designate a single Azure AD directory as the authoritative source for corporate and organizational accounts.
Best practice: Integrate your on-premises directories with Azure AD.
Detail: Use Azure AD Connect to synchronize your on-premises directory with your cloud directory.
Best practice: Don’t synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance.
Best practice: Turn on password hash synchronization.
Detail: Password hash synchronization is a feature used to sync user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks.
Setting up a two-way trust between Azure Active Directory (Azure AD) and Amazon Web Services (AWS) involves creating a federation between these two services. This allows users to access resources across Azure and AWS with single sign-on (SSO), leveraging their existing credentials without the need for separate logins for each service. Here's a high-level overview of the steps involved in establishing this setup:
Create an Azure AD Enterprise Application: This represents the AWS service in Azure AD. You'll need to go to the Azure portal, find Azure Active Directory, then go to Enterprise Applications, and add a new application. Choose the AWS application from the gallery if available or set it up manually if necessary.
Configure Single Sign-On: In the Azure AD application, set up SSO by selecting SAML as the sign-on method. You will configure the SAML settings to match what AWS expects (like the ACS URL and Entity ID).
Assign Users or Groups: Decide which users or groups in Azure AD should have access to AWS and assign them to the application. This controls who can use the SSO to access AWS.
Create an Identity Provider in AWS: Go to the AWS Management Console, find IAM (Identity and Access Management), and create a new Identity Provider. Select SAML as the provider type and upload the metadata file you got from Azure AD during the SSO setup.
Create IAM Roles for SSO: Create IAM roles that define what permissions users federating in from Azure AD will have in AWS. Each role will be associated with the Azure AD identity provider you created and will include a trust policy that allows access for that provider.
Map Azure AD Attributes and Claims: Ensure that the claims issued by Azure AD are mapped correctly to AWS roles. This involves editing the trust relationships of the roles to include the appropriate conditions that rely on the SAML attributes.
Export AWS Identity Provider Metadata: From the AWS IAM console, download the SAML metadata for the AWS identity provider you created.
Configure AWS as a Trusted Application in Azure AD: Go back to Azure AD and configure a new enterprise application or a SAML-based single sign-on application, this time representing AWS in Azure AD, and upload the AWS metadata file.
Map AWS Claims and Attributes in Azure AD: Similar to the previous steps, ensure that the claims and attributes expected by Azure AD are correctly mapped from AWS, facilitating the reverse trust relationship.
Test Azure AD to AWS SSO: Log in to Azure AD and access the AWS application to verify that SSO works and that you can access AWS resources based on the roles assigned.
Test AWS to Azure AD SSO: Depending on the specific requirements, testing this direction might involve accessing Azure resources from AWS based on the trust relationship and role mappings you've configured.
Monitoring and Logging: Set up monitoring and logging on both Azure AD and AWS to track SSO attempts, successes, and failures.
Security Policies and Conditional Access: Review and adjust security policies and conditional access settings as necessary to ensure secure and compliant access.
Documentation and Support: Both Microsoft and AWS provide detailed documentation and support resources. It's important to refer to the latest guides and support articles, as the interfaces and procedures can change.
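As an added example that is not part of the original text, the following Python builds the IAM trust policy from the "Create IAM Roles for SSO" step and checks that the Role claim Azure AD is configured to emit (the "Map Azure AD Attributes and Claims" step) and the assertion audience agree with it, which is where most federation failures surface. The account ID, role name, provider name and claim source attribute are constructed placeholders; substitute your own.

```python
import re

# Constructed placeholder values; substitute the ARNs from your own AWS account.
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/AzureAD"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AzureAD-ReadOnly"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in the assertion

# Claims Azure AD must emit for AWS; the Role value is "<role-arn>,<provider-arn>".
AZURE_AD_CLAIMS = {
    "https://aws.amazon.com/SAML/Attributes/Role": f"{ROLE_ARN},{PROVIDER_ARN}",
    "https://aws.amazon.com/SAML/Attributes/RoleSessionName": "user.userprincipalname",  # placeholder source attribute
}

ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

def saml_trust_policy(provider_arn: str, audience: str = AWS_SAML_AUDIENCE) -> dict:
    """Trust policy allowing the role to be assumed only through the named SAML provider."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": audience}},
        }],
    }

def check_role_claim(role_claim: str, policy: dict, assertion_audience: str) -> list:
    """Return the mismatches between the Role claim Azure AD emits, the audience in its
    assertion, and the role's trust policy. An empty list means the three agree."""
    parts = [p.strip() for p in role_claim.split(",")]
    role, prov = (ROLE_RE.match(parts[0]), PROVIDER_RE.match(parts[1])) if len(parts) == 2 else (None, None)
    if not (role and prov):
        return ["Role claim must be '<role-arn>,<provider-arn>' with valid IAM ARNs"]
    role_arn, provider_arn = parts
    stmt = policy["Statement"][0]
    problems = []
    if role.group(1) != prov.group(1):
        problems.append("role and provider ARNs belong to different accounts")
    if stmt["Principal"].get("Federated") != provider_arn:
        problems.append("provider ARN in claim is not the federated principal of the trust policy")
    if stmt["Condition"]["StringEquals"]["SAML:aud"] != assertion_audience:
        problems.append("assertion audience does not satisfy the SAML:aud condition")
    return problems

if __name__ == "__main__":
    policy = saml_trust_policy(PROVIDER_ARN)
    print(check_role_claim(AZURE_AD_CLAIMS["https://aws.amazon.com/SAML/Attributes/Role"], policy, AWS_SAML_AUDIENCE))  # []
```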
This overview provides a conceptual pathway for setting up a two-way trust between Azure AD and AWS. Given the complexity and potential for variation in specific implementations, you should consult the detailed documentation provided by both Microsoft Azure and AWS, or consider engaging with a professional service that specializes in cloud identity federation.