# Integrating your Azure AD identity provider
`substrate create-admin-account -quality <quality>` will ask for several inputs, which this page will help you provide from your Azure AD identity provider.
These steps must be completed by an Azure administrator with the Application Administrator, Attribute Assignment Administrator, and Attribute Definition Administrator roles in an organization subscribed to Azure AD Premium 1 or Azure AD Premium 2.
## Create a custom security attribute for assigning IAM roles to Azure AD users

1. Visit https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/CustomAttributesCatalog in a browser (or visit the Azure portal, click Azure Active Directory, and click Custom security attributes (Preview))
2. Click Add attribute set
3. Enter “AWS” for Attribute set name
4. Click Add
5. Click AWS
6. Click Add attribute
7. Enter “RoleName” for Attribute name
8. Click Save
## Create and configure an OAuth OIDC client

1. Visit https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps in a browser (or visit the Azure portal, click Azure Active Directory, and click App registrations)
2. Click New registration
3. Enter a name for the application
4. Select “Accounts in this organizational directory only (Default Directory only - Single tenant)”
5. Select “Web” as the platform
6. Enter “https://intranet-dns-domain-name/login” (substituting your just-purchased or just-transferred Intranet DNS domain name) in the text input next to the platform selector (its placeholder reads e.g. https://example.com/auth)
7. Click Register
8. Use the Application (client) ID to respond to `substrate create-admin-account`'s prompt
9. Click Add a certificate or secret
10. Click New client secret
11. Enter a description
12. Specify an expiration date however you see fit and set yourself a reminder to rotate the client secret before that date arrives
13. Click Add
14. Use the Value to respond to `substrate create-admin-account`'s prompt (being wary that this value will never be shown again; if you need to copy it again, you'll need to create a new client secret)
## Authorize users to use AWS

1. Visit https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers in a browser (or visit the Azure portal, click Azure Active Directory, and click Users)
2. For every user authorized to use AWS:
   1. Click the user's name
   2. Click Assigned roles in the left column
   3. Click Add assignments
   4. Select “Attribute Assignment Reader” and “Attribute Definition Reader”
   5. Click Add
   6. Click Custom security attributes (preview) in the left column
   7. Click Add assignment
   8. Select “AWS” in the Attribute set column
   9. Select “RoleName” in the Attribute name column
   10. Enter the name (not the ARN) of the IAM role they should assume in your admin account. Use “Administrator” for yourself as you're getting started; for other users, if the role is not “Administrator” or “Auditor”, ensure you've followed adding non-Administrator roles for humans first
   11. Click Save
3. Visit https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null in that same browser (or visit the Azure portal, click Azure Active Directory, and click Enterprise applications)
4. Click the name of the application you created above
5. Click Users and groups in the left column
6. Click Add user/group
7. Click Users
8. Select every user authorized to use AWS
9. Click Select
10. Click Assign
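The three portal procedures above as one Azure CLI script, added here as an example and not Substrate's or Microsoft's own code; the function names, the display name “Substrate Intranet” and the `INTRANET_DOMAIN` variable are assumptions, and it expects `az login` as an administrator holding the roles listed at the top of this page.

```shell
#!/usr/bin/env sh
# Added example, not Substrate's or Microsoft's own code: the portal steps above
# scripted with the Azure CLI plus Microsoft Graph via `az rest`. Assumes `az login`
# as an administrator holding the roles named at the top of this page, and that
# INTRANET_DOMAIN holds your Intranet DNS domain name. The *_body functions are pure.
set -eu
GRAPH=https://graph.microsoft.com/v1.0

# Request bodies (Microsoft Graph v1.0 custom security attribute and app role assignment shapes).
attribute_set_body() {
  printf '{"id":"AWS","description":"IAM role names for Substrate","maxAttributesPerSet":25}'
}
role_name_definition_body() {
  printf '{"attributeSet":"AWS","name":"RoleName","type":"String","status":"Available",'
  printf '"isCollection":false,"isSearchable":true,"usePreDefinedValuesOnly":false}'
}
role_name_assignment_body() {   # $1 = IAM role name (not its ARN)
  printf '{"customSecurityAttributes":{"AWS":{"@odata.type":"#Microsoft.DirectoryServices.CustomSecurityAttributeValue","RoleName":"%s"}}}' "$1"
}
app_assignment_body() {         # $1 = user object id, $2 = service principal object id; null GUID = default access
  printf '{"principalId":"%s","resourceId":"%s","appRoleId":"00000000-0000-0000-0000-000000000000"}' "$1" "$2"
}

# "Create a custom security attribute" and "Create and configure an OAuth OIDC client".
setup_tenant() {
  az rest --method POST --url "$GRAPH/directory/attributeSets" --body "$(attribute_set_body)"
  az rest --method POST --url "$GRAPH/directory/customSecurityAttributeDefinitions" --body "$(role_name_definition_body)"
  APP_ID=$(az ad app create --display-name "Substrate Intranet" --sign-in-audience AzureADMyOrg \
    --web-redirect-uris "https://$INTRANET_DOMAIN/login" --query appId -o tsv)
  az ad sp create --id "$APP_ID" >/dev/null   # the Enterprise application the portal creates for you
  echo "Application (client) ID: $APP_ID"
  # The secret is shown exactly once; answer `substrate create-admin-account` with it and rotate before it expires.
  echo "Client secret: $(az ad app credential reset --id "$APP_ID" --display-name substrate --years 1 --query password -o tsv)"
}

# "Authorize users to use AWS" for one user: $1 = UPN, $2 = IAM role name, $3 = Application (client) ID.
authorize_user() {
  USER_ID=$(az ad user show --id "$1" --query id -o tsv)
  SP_ID=$(az ad sp list --filter "appId eq '$3'" --query '[0].id' -o tsv)
  for ROLE in 'Attribute Assignment Reader' 'Attribute Definition Reader'; do
    ROLE_ID=$(az rest --url "$GRAPH/roleManagement/directory/roleDefinitions" \
      --url-parameters "\$filter=displayName eq '$ROLE'" --query 'value[0].templateId' -o tsv)
    az rest --method POST --url "$GRAPH/roleManagement/directory/roleAssignments" \
      --body "{\"principalId\":\"$USER_ID\",\"roleDefinitionId\":\"$ROLE_ID\",\"directoryScopeId\":\"/\"}"
  done
  az rest --method PATCH --url "$GRAPH/users/$USER_ID" --body "$(role_name_assignment_body "$2")"
  az rest --method POST --url "$GRAPH/users/$USER_ID/appRoleAssignments" --body "$(app_assignment_body "$USER_ID" "$SP_ID")"
}
```

Run `setup_tenant` once, then `authorize_user alice@example.com Administrator <client id>` for each user; the service principal that `az ad sp create` makes is the entry the portal shows under Enterprise applications.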
With your identity provider integrated, jump to deleting unnecessary root access keys.