SCENARIO 13 SCIM 2.0 AWS IAM Identity Center JML SOC 2

SCIM Provisioning: Entra ID → AWS IAM Identity Center

Manual AWS access provisioning via ticketing was causing 24–72hr delays and an internal audit confirmed 14 stale AWS assignments for disabled Entra accounts. SCIM 2.0 pipeline deployed — 17 users and 3 groups provisioned automatically. Joiner, Mover, and Leaver lifecycle events validated end-to-end with zero manual steps post-pipeline.

SCIM 2.0 AWS IAM Identity Center JML Lifecycle Entra ID PowerShell SOC 2 CC6.2/CC6.3

Business Problem

IDSentinel Solutions' AWS environment had reached a critical operational threshold: six AWS accounts, growing workloads, and a growing developer population whose access provisioning and deprovisioning was handled entirely through manual ticketing. When a developer joined a new team, their AWS access had to be assigned by hand: the correct permission set identified, the account located, and the assignment created manually in the AWS IAM Identity Center console.

An internal audit found 14 active AWS assignments belonging to Entra accounts that had been disabled for more than 30 days. In two cases, the accounts were associated with contractors whose engagements had ended. AWS access had never been removed because there was no automated link between the Entra identity lifecycle and AWS access rights.
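The audit finding above is a join between two systems that were not linked: Identity Center account assignments on one side, Entra account state on the other. The following is an added example, not code from the scenario, that performs that join. Record shapes mirror the real APIs (Graph /users, identitystore ListUsers, sso-admin ListAccountAssignments), but every record is constructed sample data, the ARNs and account IDs are placeholders, and the link from an Identity Center user back to Entra is assumed to be the SCIM externalId carrying the Entra objectId. The 30-day threshold from the audit is not modelled; the check flags any user-level assignment whose principal is disabled, deleted or was never created by SCIM. A real run would page through boto3 list_account_assignments per account and permission set before calling find_stale_assignments.

```python
"""Orphaned-access audit: join IAM Identity Center assignments to Entra account state.

Added example, not part of the original scenario. Record shapes mirror the real
APIs (Graph /users, identitystore ListUsers, sso-admin ListAccountAssignments), but
every record here is constructed sample data; the instance ARN, permission set ARNs
and account IDs are placeholders.
"""

INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0000000000000000"  # placeholder
PS_READONLY = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-readonly0000"  # placeholder
PS_POWERUSER = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-poweruser00"  # placeholder

# Constructed: Graph GET /users?$select=id,userPrincipalName,accountEnabled
ENTRA_USERS = [
    {"id": "e-001", "userPrincipalName": "a.ng@idsentinelsolutions.com", "accountEnabled": True},
    {"id": "e-002", "userPrincipalName": "b.ruiz@idsentinelsolutions.com", "accountEnabled": False},
]

# Constructed: identitystore ListUsers. ExternalIds carries the SCIM externalId, assumed here
# to be the Entra objectId; a user with no ExternalIds was created by hand rather than by SCIM.
IDC_USERS = [
    {"UserId": "u-1", "UserName": "a.ng@idsentinelsolutions.com", "ExternalIds": [{"Issuer": "entra", "Id": "e-001"}]},
    {"UserId": "u-2", "UserName": "b.ruiz@idsentinelsolutions.com", "ExternalIds": [{"Issuer": "entra", "Id": "e-002"}]},
    {"UserId": "u-3", "UserName": "d.kim@idsentinelsolutions.com", "ExternalIds": [{"Issuer": "entra", "Id": "e-003"}]},
    {"UserId": "u-9", "UserName": "contractor.legacy", "ExternalIds": []},
]

# Constructed: sso-admin ListAccountAssignments, flattened across accounts and permission sets
ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": PS_READONLY, "PrincipalType": "USER", "PrincipalId": "u-1"},
    {"AccountId": "111111111111", "PermissionSetArn": PS_POWERUSER, "PrincipalType": "USER", "PrincipalId": "u-2"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_READONLY, "PrincipalType": "USER", "PrincipalId": "u-3"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_POWERUSER, "PrincipalType": "USER", "PrincipalId": "u-9"},
    {"AccountId": "111111111111", "PermissionSetArn": PS_READONLY, "PrincipalType": "GROUP", "PrincipalId": "g-1"},
]


def find_stale_assignments(entra_users, idc_users, assignments):
    """Return USER assignments whose principal is not backed by an enabled, SCIM-linked Entra account."""
    entra_enabled = {u["id"]: u["accountEnabled"] for u in entra_users}
    idc_index = {}
    for u in idc_users:
        ext = u.get("ExternalIds") or []
        idc_index[u["UserId"]] = (u["UserName"], ext[0]["Id"] if ext else None)
    findings = []
    for a in assignments:
        if a["PrincipalType"] != "USER":
            continue  # group assignments are governed by SCIM group sync; audit memberships separately
        user_name, entra_id = idc_index.get(a["PrincipalId"], (None, None))
        if user_name is None:
            reason = "principal not returned by ListUsers"
        elif entra_id is None:
            reason = "no SCIM externalId (user created outside the pipeline)"
        elif entra_id not in entra_enabled:
            reason = "Entra object deleted"
        elif not entra_enabled[entra_id]:
            reason = "Entra account disabled"
        else:
            continue
        findings.append({**a, "UserName": user_name, "reason": reason})
    return findings


def delete_assignment_params(finding, instance_arn=INSTANCE_ARN):
    """Keyword arguments for sso-admin DeleteAccountAssignment, returned rather than executed
    so the finding list can be reviewed before anything is revoked."""
    return {
        "InstanceArn": instance_arn,
        "TargetId": finding["AccountId"],
        "TargetType": "AWS_ACCOUNT",
        "PermissionSetArn": finding["PermissionSetArn"],
        "PrincipalType": finding["PrincipalType"],
        "PrincipalId": finding["PrincipalId"],
    }


if __name__ == "__main__":
    for f in find_stale_assignments(ENTRA_USERS, IDC_USERS, ASSIGNMENTS):
        print(f'{f["UserName"]} in {f["AccountId"]}: {f["reason"]}')
        print("  revoke with:", delete_assignment_params(f))
```

Group assignments are deliberately skipped: once SCIM owns group membership, a disabled Entra user drops out of the group on the next cycle, so the user-level assignments are the ones that can go stale silently. The returned parameter dictionaries are exactly what boto3's sso-admin delete_account_assignment accepts, which keeps the revoke step a reviewed, separate action.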

Risk

  • 14 stale AWS assignments confirmed for disabled Entra accounts — orphaned access in a production cloud environment
  • No automated deprovisioning — offboarded users retain AWS access until a ticket is filed and manually actioned
  • Role changes go undetected — movers retain previous permission sets with no recertification trigger
  • Manual provisioning introduces 24–72 hour access delays for new joiners
  • Non-compliant with Zero Trust mandate — access must be tied to current identity state
  • SOC 2 CC6.2 (Access Provisioning) and CC6.3 (Logical Access Controls) exposure

Scope

Parameter                  Detail
Identity source            Microsoft Entra ID (M365 Developer Tenant)
Target system              AWS IAM Identity Center
Protocol                   SCIM 2.0
Groups provisioned         GRP-AWS-Engineering, GRP-AWS-DevOps, GRP-AWS-Security
Lifecycle events tested    Joiner (add to group), Mover (group change), Leaver (disable account)
Compliance target          SOC 2 Type II — CC6.2, CC6.3

Solution Design — 4 Workstreams

WS 1

AWS IAM Identity Center Configuration

IAM Identity Center enabled with external identity source set to Entra ID. SCIM endpoint URL and bearer token generated for inbound provisioning. Permission sets created for each group.

WS 2

Entra Enterprise App Registration

AWS IAM Identity Center enterprise app added from the Entra gallery. SCIM provisioning mode enabled — Tenant URL and Secret Token populated from the AWS SCIM endpoint. Connection test confirmed successful.

WS 3

Group Scoping and Provisioning Activation

Three pilot groups scoped for provisioning. Groups and their 17 members pushed to AWS IAM Identity Center. Group-to-permission-set assignments configured in AWS.

WS 4

Lifecycle Validation

Joiner, Mover, and Leaver events simulated end-to-end. Each triggered in Entra and confirmed propagated to AWS via provisioning logs and IAM Identity Center console verification.

// diagrams/scim-provisioning-architecture.png — Entra ID to AWS IAM Identity Center SCIM flow

Implementation

  • 01

    Enable AWS IAM Identity Center + SCIM Credentials

    IAM Identity Center enabled in us-east-1. Identity source changed to external identity provider, which is what unlocks inbound SCIM provisioning. Automatic provisioning enabled, and the SCIM endpoint URL and bearer token generated and stored securely for entry in Entra. The bearer token is the only credential protecting the SCIM endpoint and it expires one year after creation; Identity Center allows two active tokens at once, so a rotation with overlap should be scheduled before the Entra provisioning job starts failing on 401 responses.

    // 01-identity-center-enabled: IAM Identity Center enabled — external identity source
    // 02-scim-endpoint-bearer-token: SCIM endpoint URL and bearer token generated
  • 02

    Create Permission Sets

    Permission Set              Base Policy        Target Group
    IDSentinel-ReadOnly         ReadOnlyAccess     GRP-AWS-Engineering
    IDSentinel-PowerUser        PowerUserAccess    GRP-AWS-DevOps
    IDSentinel-SecurityAudit    SecurityAudit      GRP-AWS-Security
    // 03-permission-sets: Three permission sets created — ReadOnly, PowerUser, SecurityAudit
  • 03

    Configure Entra Enterprise App for SCIM

    AWS IAM Identity Center app added from the Entra gallery. Provisioning mode set to Automatic. SCIM Tenant URL and Secret Token populated. Connection test confirmed successful before proceeding.

    // 04-entra-enterprise-app: AWS IAM Identity Center enterprise app added from Entra gallery
    // 05-scim-credentials-configured: SCIM Tenant URL and Secret Token configured
    // 06-connection-test-success: Connection test passed — SCIM endpoint reachable
  • 04

    Review and Confirm Attribute Mappings

    Default SCIM attribute mappings confirmed — userPrincipalName → userName, displayName → displayName, mail → emails[work], givenName → name.givenName, surname → name.familyName. The userName value is the key IAM Identity Center uses to match a provisioned user at sign-in, so the same attribute must be carried as the SAML NameID by the Entra SSO configuration for this app; a mismatch leaves a correctly provisioned user unable to federate.

    // 07-attribute-mappings: SCIM attribute mappings confirmed correct
  • 05

    Scope Groups and Run Initial Provisioning

    Three pilot groups scoped — GRP-AWS-Engineering (8), GRP-AWS-DevOps (5), GRP-AWS-Security (4). Provisioning triggered manually. All 17 users and 3 groups created in AWS IAM Identity Center. Zero errors.

    // 08-groups-scoped: Three pilot groups scoped for provisioning
    // 09-initial-provisioning-logs: Provisioning logs — 17 users, 3 groups, zero errors
    // 10a-users-in-identity-center: Users confirmed in AWS IAM Identity Center — Created by SCIM
    // 10b-users-in-identity-center: Groups confirmed in AWS IAM Identity Center — GRP-AWS-Engineering, DevOps, Security
  • 06

    Assign Permission Sets to Provisioned Groups

    Each provisioned group assigned to the target AWS account with the corresponding permission set — Engineering → ReadOnly, DevOps → PowerUser, Security → SecurityAudit.

    // 11-permission-set-assignments: Permission sets assigned to groups in target AWS account

Lifecycle Validation

  • 07

    Joiner — User Added to Provisioned Group

    Test user t.chen@idsentinelsolutions.com added to GRP-AWS-Engineering in Entra ID. The change propagated within one incremental provisioning cycle (Entra runs these roughly every 40 minutes; the enterprise app's Provision on demand option pushes a single user immediately when testing). User confirmed present in IAM Identity Center with ReadOnly access to the dev account.

    // 12a-joiner-group-add: User added to GRP-AWS-Engineering in Entra ID
    // 12b-joiner-provisioning-log: Joiner — provisioning log confirms user created in AWS
    // 12c-joiner-iam-confirmed: User confirmed in IAM Identity Center with ReadOnly access
  • 08

    Mover — User Transferred to Different Group

    t.chen removed from GRP-AWS-Engineering and added to GRP-AWS-DevOps in Entra ID. The provisioning cycle propagated both membership changes. Because permission sets are assigned to groups rather than to individual users, nothing was edited on the AWS side: IAM Identity Center showed t.chen gone from the ReadOnly-assigned group and present in the PowerUser-assigned group, so effective access moved from ReadOnly to PowerUser. Zero manual steps.

    // 13a-mover-group-change: Group membership changed in Entra — Engineering → DevOps
    // 13b-mover-provisioning-log: Mover — provisioning log confirms group update propagated
    // 13c-mover-permission-updated: Permission set updated in AWS — ReadOnly removed, PowerUser applied
  • 09

    Leaver — Account Disabled in Entra ID

    PowerShell — disable account to simulate offboarding (Microsoft Graph PowerShell SDK)
    # Needs User.ReadWrite.All; Connect-MgGraph prompts for an admin sign-in
    Connect-MgGraph -Scopes "User.ReadWrite.All"
    Update-MgUser -UserId "t.chen@idsentinelsolutions.com" `
      -AccountEnabled:$false
    # Confirm the state change in Entra before waiting on the provisioning cycle
    Get-MgUser -UserId "t.chen@idsentinelsolutions.com" -Property AccountEnabled | Select-Object AccountEnabled

    The next provisioning cycle picked up the state change and deprovisioned t.chen from IAM Identity Center: the console no longer lists an active t.chen and no permission set remains reachable through group membership. Zero orphaned access. One detail worth checking when reading the Identity Center screen: for a disabled or out-of-scope user Entra sends a SCIM PATCH with active=false, which Identity Center records as a disabled user who cannot sign in, and a SCIM DELETE follows only once the Entra object is hard-deleted. Disabled is the expected and sufficient end state for this test; it is not the same as the user object being gone.

    // 14a-leaver-account-disabled: Account disabled in Entra ID via PowerShell
    // 14b-leaver-provisioning-log: Leaver — provisioning log confirms user deprovisioned
    // 14c-leaver-iam-removed: User removed from IAM Identity Center — zero orphaned access

Outcome

SCIM pipeline operational — Entra ID is the authoritative identity source for all AWS IAM Identity Center access
17 pilot users and 3 groups provisioned to AWS without manual intervention
Joiner: new group member provisioned to AWS within one cycle (under 40 minutes)
Mover: permission set updated automatically on group change — zero manual ticket required
Leaver: disabled Entra account triggers automatic deprovisioning — zero orphaned AWS access
14 pre-existing stale assignments identified and removed as part of the migration

Implementation Results

Metric                                     Value
Protocol                                   SCIM 2.0
Groups provisioned                         3 (Engineering, DevOps, Security)
Users provisioned                          17
Permission sets created                    3
Provisioning errors                        0
Lifecycle events validated                 3 (Joiner, Mover, Leaver)
Stale assignments removed                  14
Manual provisioning steps (post-pipeline)  0
Provisioning cycle latency                 < 40 minutes
Long-lived AWS credentials issued          0

Files