Azure AD

Browse posts by tag

Entra ID and Cognito - OIDC

August 11, 2025

Overview

This guide walks through setting up Microsoft Entra ID (formerly Azure AD) as an OpenID Connect (OIDC) identity provider for AWS Cognito User Pools. This integration allows users to sign in to your applications using their Microsoft credentials.

Steps

1. Sign in to Azure Portal

Navigate to https://portal.azure.com and access Microsoft Entra ID (formerly “Azure AD”) from the main services menu.

2. Register a New Application

  1. In Microsoft Entra ID, select App registrations > New registration.

Entra ID and Cognito Integration - Step5

August 10, 2025

Step 5: Verify and Test the Integration

The hosted UI automatically displays both authentication options.

  • Native Cognito User Pool authentication (existing functionality)
  • Microsoft Entra ID federation (newly implemented)

Now, Amazon Cognito seamlessly handles the authentication flow regardless of which identity provider is used, as shown below.


See also:

Entra ID and Cognito Integration - Guide

Entra ID and Cognito Integration - Step1

Entra ID and Cognito Integration - Step2

Entra ID and Cognito Integration - Step4

August 10, 2025

Step 4: Update Cognito App Client Configuration

Enable the new identity provider in your Cognito App Client settings:

  1. Within your Cognito User Pool, navigate to App integration and select your app client
  2. Under Hosted UI, click Edit to modify the settings

  3. In the Identity providers section, select EntraID to enable it
  4. Save your changes to apply the configuration


See also:

Entra ID and Cognito Integration - Guide

Entra ID and Cognito Integration - Step3

August 10, 2025

Step 3: Integrate Identity Provider with Amazon Cognito

Now, configure Amazon Cognito to recognize Microsoft Entra ID as a federated identity provider:

  1. In the AWS Console, navigate to Amazon Cognito and select your User Pool
  2. Go to Sign-in experience and locate the Federated identity provider sign-in section
  3. Select Add identity provider and choose SAML as the provider type

  4. Configure the identity provider with these settings:
    • Provider name: “EntraID” (this name will appear on your login screen)

Entra ID and Cognito Integration - Step2

August 10, 2025

Step 2: Configure SAML Parameters

You’ll need to retrieve key information from your Cognito User Pool to properly configure the SAML parameters:

  1. In the AWS Console, locate your Cognito User Pool and note the User Pool ID

  2. Record the Cognito Domain from your User Pool settings

  3. In Azure Portal, configure the following SAML parameters:
    • Identifier (Entity ID): Format as urn:amazon:cognito:sp:{User pool ID}
    • Reply URL (Assertion Consumer Service URL): Format as {Cognito domain}/saml2/idpresponse
  4. Save your configuration changes

Entra ID and Cognito Integration - Guide

August 10, 2025

Overview

This comprehensive guide walks you through the process of integrating Microsoft Entra ID (formerly Azure AD) with Amazon Cognito to enable seamless federated authentication for your web application.

What we do

Our web application currently uses Amazon Cognito User Pool for authentication, limiting access to Cognito-registered users only. This guide demonstrates how to extend authentication capabilities by implementing Microsoft Entra ID federation, allowing your enterprise users to access the application using their existing Microsoft credentials.

Entra ID and Cognito Integration - Step1

August 10, 2025

Step 1: Configure SAML in Microsoft Entra ID

Begin by setting up a SAML application in Microsoft Entra ID to establish the identity provider side of the federation:

  1. In Azure Portal, access Microsoft Entra ID, then select Enterprise applications
  2. Select New application to create a custom application integration

  3. Click Create your own application to configure a custom SAML provider

  4. Configure the application with the following parameters:

    • Application name: (your preferred application name)
    • Select Integrate any other application you don’t find in the gallery (Non-gallery)
  5. Click Create to generate the application