---
title: "AWS Configuration For Microsoft Entra ID as OpenID Connect Identity Provider"
slug: "fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider"
updated: 2026-03-23T06:23:45Z
published: 2026-03-23T06:38:28Z
canonical: "support.fortanix.com/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider"
---

# AWS Configuration For Microsoft Entra ID as OpenID Connect Identity Provider

## 1.0 Introduction

The purpose of this article is to outline the steps for configuring **Microsoft Entra ID** as an OpenID Connect (OIDC) identity provider (IdP) for the Fortanix Key Insight Amazon Web Services (**AWS**) connection, using the **Authorization Code Flow**.

Federated authentication in AWS refers to enabling users to access AWS resources with their existing credentials from an external IdP, such as PingOne or Microsoft Entra ID, instead of long-lived AWS IAM credentials.

Configuring Microsoft Entra ID as an OpenID Connect IdP in AWS involves the following steps:

1. Register a client application with your identity provider.
2. Configure the redirect Uniform Resource Locator (URL) on the client application.
3. Gather the Client ID, a unique identifier for your registered application.
4. Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.
5. Set up IdP on your cloud account.
6. Set up the necessary permissions for AWS single account onboarding.
7. Set up the necessary permissions for AWS organization onboarding.

## 2.0 Register a Client Application with Microsoft Entra ID

Perform the following steps to register a client application with Microsoft Entra ID:

1. Set up an OIDC web application in Microsoft Entra ID:

*For more information, refer to the* [*Microsoft official documentation*](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate).
  1. Navigate to the [*Azure portal*](https://portal.azure.com/) and search for **Microsoft Entra ID**.
  2. Select **App registrations** under **Manage** in the left navigation panel on the **Microsoft Entra ID** page.

> [!NOTE]
> You can also directly search for **App registrations** in the Microsoft Azure search bar.
  3. Click **New registration**.
  4. On the **Register an application** page, configure the following fields and click **Register** to register the application:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Create an Application(1).png)

**Figure 1: Register the new application**
    - **Name**: Enter a user-facing display name for this application. For example, **key-insight-app**.
    - **Supported account type**: Select **Accounts in this organizational directory only (<your organization name> only - Single tenant).**
    - **Redirect URI**: Optional at this stage; the redirect URI is added as a platform configuration in the next step.
2. Configure the platform settings:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Image 1(2).png)

**Figure 2: Platform configurations**
  1. In Microsoft Entra ID, navigate to **App registrations** and select your application.
  2. In your application, select **Manage → Authentication.**
  3. On the **Authentication** page, under **Platform configurations,** click **Add a platform.**
  4. Select **Single-page application** in the **Configure platforms** panel.
  5. In the **Configure single-page application** panel:
    1. **Redirect URIs:** Enter the application's redirect URI (`https://armor.fortanix.com/system/discovery/{region}/oauth/callback`).

Here, replace `{region}` with the appropriate region. For example, `eu` or `na`.
    2. Click **Configure** to add the single-page application.
  6. After adding the single-page application, under **Platform configurations**, in the **Implicit grant and hybrid flows** section, select the **ID tokens (used for implicit and hybrid flows)** check box. Leave **Access tokens (used for implicit flows)** clear; this procedure does not use it.
  7. In the **Advanced settings** section, set the **Enable the following mobile and desktop flows:** toggle to **Yes**.
  8. Click **Save** to apply the changes.
3. Configure API permissions for OIDC using the following steps:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/API Permissions(2).png)

**Figure 3: Provide API permissions**
  1. In Microsoft Entra ID, in **App registrations**, select your application.
  2. In your application, select **Manage → API permissions**.
  3. Under the **Configured permissions** section, click **Add a permission**.
  4. On the **Request API permissions** page, select **Microsoft Graph**.
  5. Select **Delegated permissions.**
  6. Under **OpenId permissions**, select the following permissions:
    - email
    - offline_access
    - openid
    - profile
  7. Click **Add permissions** to apply the selected permissions to your app registration.

## 3.0 Configure the Redirect URL on the Client Application

The redirect URL is the address to which Microsoft Entra ID forwards the OIDC response after authentication.

The following is the redirect URL for AWS Microsoft Entra ID IdP:

```text
https://armor.fortanix.com/system/discovery/{region}/oauth/callback
```

Here, replace `{region}` with the appropriate region. For example, `eu` or `na`.

*For more information, refer to the* [*Microsoft official documentation*](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate#add-a-redirect-uri).

## 4.0 Gather the Client ID

A client ID is the unique identifier of the registered client application. Microsoft Entra ID places it in the `aud` (audience) claim of the ID tokens it issues, and AWS uses it as the expected audience when validating the tokens it receives from the IdP.

Perform the following steps to retrieve the Client ID:

1. In Microsoft Entra ID, in **App registrations**, select your application.
2. In your application, open the **Overview** page.
3. Copy the **Application (client) ID** value from the **Overview** page.

*For more information, refer to the* [*Microsoft official documentation*](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret#register-an-application).

> [!NOTE]
> Copy and save the **Application (client) ID**. This value is required during the AWS cloud connection setup in Fortanix Key Insight.

## 5.0 Gather the OpenID Configuration Document (Well-Known) URL

An OIDC provider publishes a standard well-known URL from which a client application can dynamically discover the provider's configuration, including the `issuer`, the authorization and token endpoints, and the `jwks_uri` of the signing keys used to verify ID tokens.

This URL is specific to your IdP tenant or account.

To retrieve this value, copy the **OpenID Connect metadata document** URL from the **Endpoints** section of the registered application.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DocumentURI(1).png)

**Figure 4: Obtain a well-known URL**

> [!NOTE]
> - In the URL, replace `organizations` with your tenant ID (`AZURE_TENANT_ID`) so that it points to your specific tenant. For example, `https://login.microsoftonline.com/<AZURE_TENANT_ID>/v2.0/.well-known/openid-configuration`. The `issuer` value in the tenant-specific document is `https://login.microsoftonline.com/<AZURE_TENANT_ID>/v2.0`, which is the **Provider URL** that AWS requires in Section 6.0.
> - Record the well-known URL; it is needed for the identity provider configuration when setting up the AWS cloud connection in the Fortanix Key Insight user interface (UI).

## 6.0 Setup an IdP on your Cloud Account

Perform the following steps to set up IdP on your cloud account:

1. Configure the Microsoft Entra ID (OIDC IdP) in AWS using the issuer and client ID:
  1. Sign in to the AWS Management Console and open the **IAM** console.
  2. In the left navigation panel, select **Identity providers**.
  3. Click **Add provider** to add a new IdP.
  4. On the **Configure Provider** page:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AWS Setup.png)

**Figure 5: Add an identity provider in AWS**
    1. **Provider type:** Select **OpenID Connect**.
    2. **Provider URL:** Enter `https://login.microsoftonline.com/{tenant-id}/v2.0`, replacing `{tenant-id}` with your actual Microsoft Entra ID tenant ID. This value must match the `issuer` of the tenant's well-known document exactly; AWS rejects tokens whose `iss` claim differs from the Provider URL.
    3. **Audience:** Enter the **Application (client) ID** of the Azure registered application.
    4. Click **Add provider** to complete the setup.
2. Verify the details of the identity provider created in AWS using the following steps:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Verify AWS Setup.png)

**Figure 6: Verify the IdP in AWS**

*For more information, refer to the* [*AWS official documentation*](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html).
  1. Navigate to the **IAM** console in AWS.
  2. Click your OIDC identity provider.
  3. Ensure the **Provider URL** is set to `https://login.microsoftonline.com/{tenant-id}/v2.0`, with your tenant ID substituted.
  4. Ensure the **Audience** matches the **Application (client) ID** from Microsoft Entra ID.
  5. (Optional) Ensure the thumbprint in the **Thumbprints** section is correct and matches the one you obtained.

## 7.0 AWS Single Account - Onboarding Setup

This section describes the steps to onboard a single AWS account in Fortanix Key Insight.

*For a comprehensive list of AWS permissions required to onboard an AWS connection, refer to* [*AWS Connection Permissions*](https://support.fortanix.com/docs/fortanix-key-insight-aws-connection-permissions).

### 7.1 Create an IAM Role for the Web Identity Federation

Perform the following steps to create an IAM role:

1. On the IAM page, select **Roles**.
2. Select **Create role**.
3. On the **Select trusted entity** page:
  1. **Trusted entity type**: Select **Web identity**.
  2. **Identity provider**: Select the IdP created in [*Section 6.0: Set Up an IdP on your Cloud Account*](/v1/docs/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider#60-setup-an-idp-on-your-cloud-account).
  3. **Audience:** Choose the **Application (client) ID** value from the Microsoft Entra ID registered application. This becomes the `aud` condition in the role's trust policy.
  4. Click **Next**.
4. On the **Add permissions** page:
  1. Attach the necessary policies to the role as explained in [*Section 7.2: Access Control Permissions*](/v1/docs/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider#72-access-control-permissions).
  2. Click **Next**.
5. On the **Name, review and create** page, verify the details, and complete the role creation.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Create an IAM Role.png)

**Figure 7: Create an IAM role**
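The following Python script is an added example (not Fortanix or AWS code) that models the trust established in Sections 5.0, 6.0 and 7.1: it derives the AWS **Provider URL** from a tenant-specific OpenID configuration document, builds the trust policy that the IAM console generates for a Web identity role with this provider and audience, and applies the issuer, expiry and audience checks that gate `sts:AssumeRoleWithWebIdentity` to constructed ID-token payloads. The tenant ID, client ID, account ID, discovery document and tokens are placeholders constructed for the example; token signatures are not verified here (AWS verifies them against the keys at `jwks_uri` before evaluating claims).

```python
"""Added example, not Fortanix or AWS code: model the AWS-side trust for a
Microsoft Entra ID OIDC provider. All identifiers and tokens below are
constructed placeholders."""
import base64
import json
import time

TENANT_ID = "11111111-2222-3333-4444-555555555555"   # placeholder tenant ID
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # placeholder Application (client) ID
ACCOUNT_ID = "123456789012"                           # placeholder AWS account ID

# Constructed stand-in for the tenant-specific document served at
# https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
DISCOVERY_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
}


def provider_url_from_discovery(doc: dict) -> str:
    """The IAM Provider URL must equal the issuer the IdP writes into `iss`.
    Reject multi-tenant authorities: they never match a tenant's `iss`."""
    issuer = doc["issuer"]
    if not issuer.startswith("https://"):
        raise ValueError("issuer must be an https URL")
    if "/organizations/" in issuer or "/common/" in issuer:
        raise ValueError("use the tenant-specific well-known URL, not organizations/common")
    return issuer


def oidc_provider_arn(account_id: str, provider_url: str) -> str:
    """IAM names the provider by its URL with the scheme stripped."""
    return f"arn:aws:iam::{account_id}:oidc-provider/{provider_url.removeprefix('https://')}"


def build_trust_policy(account_id: str, provider_url: str, client_id: str) -> dict:
    """Trust policy equivalent to the console's 'Web identity' + provider + audience."""
    host_path = provider_url.removeprefix("https://")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn(account_id, provider_url)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{host_path}:aud": client_id}},
        }],
    }


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input: header.payload.<placeholder signature>.
    A real Entra ID token is RS256-signed; this one exists only to carry claims."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the claims segment. No signature check here: AWS verifies
    the signature against jwks_uri before it evaluates any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def assume_role_allowed(trust_policy: dict, claims: dict, provider_url: str, now: int):
    """Checks that gate sts:AssumeRoleWithWebIdentity: exact issuer match,
    unexpired token, audience equal to the trust policy's <provider>:aud condition."""
    if claims.get("iss") != provider_url:
        return False, f"issuer mismatch: {claims.get('iss')!r}"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    aud_key = f"{provider_url.removeprefix('https://')}:aud"
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if claims.get("aud") == stmt.get("Condition", {}).get("StringEquals", {}).get(aud_key):
            return True, "allowed"
    return False, f"audience mismatch: {claims.get('aud')!r}"


def demo(now: int = 0) -> dict:
    """Run three constructed tokens through the checks; returns {name: (allowed, reason)}."""
    now = now or int(time.time())
    provider_url = provider_url_from_discovery(DISCOVERY_DOC)
    trust = build_trust_policy(ACCOUNT_ID, provider_url, CLIENT_ID)
    tokens = {
        "good": {"iss": provider_url, "aud": CLIENT_ID, "exp": now + 3600, "sub": "placeholder-oid"},
        # v1.0 endpoint tokens carry a different issuer and are rejected by the v2.0 provider.
        "v1_issuer": {"iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": CLIENT_ID, "exp": now + 3600},
        # A token minted for another app registration in the same tenant.
        "other_app": {"iss": provider_url, "aud": "ffffffff-0000-0000-0000-000000000000", "exp": now + 3600},
    }
    return {name: assume_role_allowed(trust, decode_jwt_payload(make_unsigned_token(c)), provider_url, now)
            for name, c in tokens.items()}


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ACCOUNT_ID, DISCOVERY_DOC["issuer"], CLIENT_ID), indent=2))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two rejected tokens show the two configuration mistakes that most often break this integration: using a v1.0 or multi-tenant authority (the `iss` claim then differs from the Provider URL) and registering the wrong Application (client) ID as the audience.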

### 7.2 Access Control Permissions

This section describes the general requirements for AWS access permissions.

- For **single-account** onboarding, the policies are attached directly to the IAM role created in Section 7.1 in that account.
- For AWS **Organization** onboarding, these permissions are provisioned automatically using the CloudFormation Template (CFT) deployed using AWS CloudFormation StackSets, as explained in [*Section 8.2: Deploy the CFT*](/v1/docs/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider#82-deploy-the-cft).

#### 7.2.1 Scan AWS Services

The following **read-only** permissions are required for scanning the AWS KMS, S3, EBS, EKS, EFS, DynamoDB, Redshift, and RDS services:

- **KMS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GetKeyRotationStatus",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:ListResourceTags",
        "kms:ListKeyRotations"
      ],
      "Resource": "arn:aws:kms:*:*:key/*"
    }
  ]
}
```

Additionally, to list AWS KMS aliases, the IAM policy must include the `kms:ListAliases` action with `Resource` set to `"*"`.

Fortanix Key Insight recommends creating a separate policy for this permission, as shown below, to meet AWS requirements and prevent permission errors:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}
```
- **RDS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    }
  ]
}
```
- **EBS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeVolumes",
      "Resource": "*"
    }
  ]
}
```
- **S3**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    }
  ]
}
```

- **DynamoDB**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:ListStreams",
        "dynamodb:DescribeStream"
      ],
      "Resource": "*"
    }
  ]
}
```

- **EKS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
```

- **EFS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:DescribeFileSystems",
      "Resource": "*"
    }
  ]
}
```

- **Redshift**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
         "redshift:DescribeClusters"
       ],
      "Resource": "*"
    }
  ]
}
```

#### 7.2.2 Scan AWS Certificates

The following **read-only** permissions are required for scanning the AWS certificates:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:DescribeCertificate"
      ],
      "Resource": "*"
    }
  ]
}
```

## 8.0 AWS Organization - Onboarding Setup

### 8.1 Create an IAM Role for the Web Identity Federation

For steps to set up an IAM role for the Web Identity Federation with the necessary permissions for an AWS organization, *refer to* [*Section 9.1: Set up an IAM Role with the Necessary Permissions – AWS Organization*](/v1/docs/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider#91-set-up-an-iam-role-with-the-necessary-permissions-aws-organization).

### 8.2 Deploy the CFT

This section outlines the steps for deploying the CloudFormation Template (CFT) through StackSets to create roles that the IAM role, created in [*Section 8.1: Create an IAM Role for the Web Identity Federation*](/v1/docs/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider#81-create-an-iam-role-for-the-web-identity-federation), can assume in member accounts.

To deploy the CFT for role creation, the principal that deploys the StackSet must have the following permissions policy in the deploying account (unless other attached policies already cover these permissions). These are broad, deployment-time permissions for the operator who deploys the StackSet; they are not part of the scanner role's permissions and should not be attached to it.

> [!NOTE]
> To attach the following permissions policy, the principal performing the attachment needs the corresponding IAM read and write permissions.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixCFTPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "organizations:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}
```

> [!NOTE]
> *Refer to the* [*AWS official documentation*](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html) *for more information about enabling trusted access for StackSets.*
>
> Enabling trusted access creates the following service-linked roles:
>
> - `AWSServiceRoleForCloudFormationStackSetsOrgAdmin` (management account)
> - `AWSServiceRoleForCloudFormationStackSetsOrgMember` (member accounts)
>
> These roles allow AWS CloudFormation StackSets to perform supported operations within accounts in your AWS Organization.

Perform the following steps:

1. Create the JSON file for the CFT. For example, `fortanix-key-insight-AWS-CFT-template.json`.

*Refer to* [*Section 9.2: Download the JSON file for CFT*](/v1/docs/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider#92-download-the-json-file-for-cft) *to create the CFT.*
2. Go to your AWS account from which the CFT will be deployed. Activate trusted access with AWS Organization as described above, if it is not already enabled.
3. In the AWS Management Console, navigate to **CloudFormation → StackSets** page.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Scanning_Stackset(1).png)

**Figure 8: CloudFormation StackSets page**
4. Click **Create StackSet**.
5. On the **Choose a template** page, select **Upload a template file** and upload the JSON file that you created in *Step 1*.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Scanning_Choose Template.png)

**Figure 9: Choose the CFT template**

![4.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25761299251988.png)

**Figure 10: JSON file uploaded**
6. After you upload the CFT template, you will see the JSON file uploaded in the template field.
7. On the **Specify StackSet details** page:

> [!NOTE]
> The **AWSAccountID** and **AWSUserName** values refer to the AWS account and IAM identity set up in advance as described in [*Section 9.1: Set Up an IAM Role with the Necessary Permissions - AWS Organization*](/v1/docs/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider#91-set-up-an-iam-role-with-the-necessary-permissions-aws-organization).

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Scanning_Stackset Details.png)

**Figure 11: StackSet details**
  1. **StackSet name:** Enter a StackSet name.
  2. **StackSet description** (optional): Enter a description.
  3. **AWSAccountID:** Enter the AWS account ID of the user who initiates the scan.
  4. **AWSUserName:** Enter the AWS user name of the user who initiates the scan.
  5. Click **Next**.
8. On the **Set deployment options** page, specify the required deployment targets and regions.
9. Click **Next**.
10. On the **Review** page, review the details and create the StackSet.

## 9.0 Appendix

### 9.1 Set up an IAM Role with the Necessary Permissions - AWS Organization

Create an IAM role as described in [*Section 7.1: Create an IAM Role for the Web Identity Federation*](/v1/docs/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider#71-create-an-iam-role-for-the-web-identity-federation) in AWS, and attach the following permissions policy to list accounts and assume roles:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixFkiScannerPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListOrganizationalUnitsForParent"
            ],
            "Resource": "*"
        },
        {
            "Sid": "FortanixFkiScannerPermissionsRole",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForOIDC"
        }
    ]
}
```

> [!NOTE]
> The above IAM role must be created using one of the two options:
>
> - From the AWS Organizations management account.
> - From an AWS member account, where the IAM role is then registered as a delegated administrator for AWS Organizations. *For more information, refer to the* [*AWS official documentation*](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html?icmpid=docs_orgs_console).

When the IAM role is created in a member account as a delegated organization administrator, apply the delegation policy below in the organization management account to register the IAM role as a delegated administrator. The IAM role also needs `sts:AssumeRole` permission in its own account to assume the Fortanix access role in member accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{REPLACE_WITH_ACCOUNT_NUMBER_OF_CREATED_IAM_ROLE}:role/FortanixKeyInsightScanner"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    }
  ]
}
```
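The following Python linter is an added example (not Fortanix or AWS code) that runs the least-privilege checks a reviewer would apply to the policies in Sections 7.2, 8.2 and 9.1 before attaching them: every allowed action must be a read-only verb (`Get`, `List`, `Describe`), no action may be a wildcard, `sts:AssumeRole` must be scoped to a role ARN rather than `"*"`, and the document must stay under the 6,144-character IAM managed policy size limit. The embedded policies are re-encoded from this page (a representative subset); the rule set and the deliberately failing test policies are constructed for the demonstration.

```python
"""Added example, not Fortanix or AWS code: lint the IAM policies on this page
for least privilege before attaching them to the scanner role."""
import json
import re

READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)[A-Za-z]*$")
WILDCARD_ACTION = re.compile(r"^(\*|[a-z0-9-]+:\*)$")
MANAGED_POLICY_LIMIT = 6144  # IAM managed policy size limit, characters excluding whitespace


def policy(*statements) -> dict:
    """Wrap statements in a policy document with the current policy language version."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def allow(actions, resource="*") -> dict:
    """Build one Allow statement (Action may be a string or a list, as in IAM)."""
    return {"Effect": "Allow", "Action": actions, "Resource": resource}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(doc: dict) -> list:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("policy: Version must be 2012-10-17")
    compact = json.dumps(doc, separators=(",", ":"))
    if len(compact) > MANAGED_POLICY_LIMIT:
        findings.append(f"policy: {len(compact)} chars exceeds managed policy limit")
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if WILDCARD_ACTION.match(action):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action == "sts:AssumeRole":
                if "*" in resources:
                    findings.append(f"statement {i}: sts:AssumeRole must name the target role ARN")
            elif not READ_ONLY_ACTION.match(action):
                findings.append(f"statement {i}: non-read-only action {action!r}")
    return findings


# Policies from Sections 7.2 and 9.1, re-encoded (a subset; the others have the same shape).
SCANNER_POLICIES = {
    "kms": policy(
        allow(["kms:ListKeys", "tag:GetResources"]),
        allow(["kms:GetKeyRotationStatus", "kms:GetKeyPolicy", "kms:DescribeKey",
               "kms:ListGrants", "kms:ListResourceTags", "kms:ListKeyRotations"],
              "arn:aws:kms:*:*:key/*")),
    "kms-aliases": policy(allow(["kms:ListAliases"])),
    "s3": policy(allow(["s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration", "s3:GetBucketLocation"])),
    "acm": policy(allow(["acm:ListCertificates", "acm:DescribeCertificate"])),
    "organizations": policy(
        allow(["organizations:DescribeOrganization", "organizations:ListAccounts",
               "organizations:ListAccountsForParent", "organizations:ListChildren",
               "organizations:ListOrganizationalUnitsForParent"]),
        allow(["sts:AssumeRole"], "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForOIDC")),
}

# Deployment-time policy from Section 8.2: expected to fail the read-only rules,
# which is why it belongs on the operator deploying the StackSet, not on the scanner role.
CFT_DEPLOYER_POLICY = policy(allow(["cloudformation:*", "organizations:*", "s3:*"]))


def lint_all(policies: dict) -> dict:
    """Lint a named set of policies; returns {name: findings}."""
    return {name: lint_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in lint_all({**SCANNER_POLICIES, "cft-deployer": CFT_DEPLOYER_POLICY}).items():
        print(f"{name}: {'ok' if not findings else findings}")
```

Run it against the full set of policies you intend to attach; any finding on a scanner policy means a statement has drifted from read-only, and a clean result on the deployer policy would mean the linter itself is wrong.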

### 9.2 Download the JSON File for CFT

Download the following CFT JSON file (`fortanix-key-insight-AWS-CFT-template.json`) and deploy it using StackSets across the entire AWS Organization.

Enter the AWS account ID and the name of the IAM identity created in [*Section 9.1: Set Up an IAM Role with the Necessary Permissions - AWS Organization*](/v1/docs/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider#91-set-up-an-iam-role-with-the-necessary-permissions-aws-organization) in the `AwsAccountId` and `AwsUserName` fields, respectively.

[fortanix-key-insight-AWS-CFT-template.json](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight-AWS-CFT-template(1).json) (9.47 KB)

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
