AWS Big Data Blog

Enabling Amazon QuickSight federation with Microsoft Entra ID (formerly Azure AD)

June 2025: This post was reviewed and updated for accuracy.

As of August 2023, Amazon QuickSight is now an AWS IAM Identity Center enabled application. This capability allows administrators who subscribe to QuickSight to use IAM Identity Center to enable their users to log in with Azure AD and other external identity providers. For more information, see Simplify business intelligence identity management with Amazon QuickSight and IAM Identity Center (AWS blog post) and Configure your Amazon QuickSight account with IAM Identity Center in the QuickSight documentation. We recommend that you use this new integration. This blog post is provided as a reference for existing account configurations.

Customers today want to establish a single identity and access strategy across all of their own apps, such as on-premises apps, third-party cloud apps (SaaS), or apps in AWS. If your organization use Microsoft Entra ID for cloud applications, you can enable single sign-on (SSO) for applications like Amazon QuickSight without needing to create another user account or remember passwords. You can also enable role-based access control to make sure users get appropriate role permissions in QuickSight based on their entitlement stored in Entra ID attributes or granted through Entra ID group membership. The setup also allows administrators to focus on managing a single source of truth for user identities in Entra ID while having the convenience of configuring access to other AWS accounts and apps centrally.

In this post, we walk through the steps required to configure federated SSO between QuickSight and Entra ID. We also demonstrate ways to assign a QuickSight role based on Entra ID group membership. Administrators can publish the QuickSight app in the MyAppsPortal to enable users to SSO to QuickSight using their Entra ID credentials.

The solution in this post uses an identity provider (IdP)-initiated SSO, which means your end-users must log in to Entra ID and choose the published QuickSight app in the Entra App Portal to sign in to QuickSight.

Registering a QuickSight application in Microsoft Entra admin center

Your first step is to create a QuickSight enterprise application in Microsoft Entra ID.

  1. Log in to your Entra Admin center using the administrator account in the tenant where you want to register the QuickSight application.
  2. Under Identity, expand Applications and choose Enterprise Applications.
  3. Choose New Application.
  4. Browse Microsoft Entra Gallery and search for Amazon Web Services
  5. Choose AWS Single – Account Access.

  1. For Name, enter Amazon QuickSight.
  2. Click on create the application.

Creating users and groups in Microsoft Entra ID

You can now create new users and groups or choose existing users and groups that can access QuickSight.

  1. Under Identity, choose All groups and create New group
  2. For this post, you create three groups, one for each QuickSight role:
  • QuickSight-Admin
  • QuickSight-Author
  • QuickSight-Reader

For instructions on creating groups in Microsoft Entra ID Center, see How to manage user and groups.

Configuring Entra SSO Integration in Entra ID

You can now start configuring the SSO settings for the QuickSight app.

  1. Choose Amazon QuickSight application that you created earlier.
  2. Choose Set up a single sign-on , choose SAML.

  1. Under Set up Single Sign-On with SAML, choose Edit.
  2. In the Basic SAML Configuration
  3. For Identifier (Entity ID), enter https://signin.aws.amazon.com/saml
  4. For Reply URL (Assertion Consumer Service URL), enter https://signin.aws.amazon.com/saml.
  5. Leave Sign on URL blank.
  6. For Relay State, enter https://quicksight.aws.amazon.com.
  7. Leave Logout Url blank.

  1. Under SAML Certificates, choose Download next to Federation Metadata XML.
  2. You use this XML document later when setting up the SAML provider in AWS Identity and Access Management (IAM).
  3. Leave this tab open in your browser while moving on to the next steps.

Creating Microsoft Entra ID as your SAML IdP in AWS

  1. Open a new tab in your browser.
  2. Log in to the IAM console in your AWS account with admin permissions.
  3. On the IAM console, choose Identity providers.
  4. Choose Create provider.
  5. For Provider name, enter AzureActiveDirectory.
  6. Choose Choose File to upload the metadata document you downloaded earlier.
  7. Choose Next Step.
  8. Verify the provider information and choose Create.
  9. On the summary page, record the value for the provider ARN

(arn:aws:iam::<AccountID>:saml-provider/AzureActiveDirectory)

You need this ARN to configure claims rules later in this post.

Configuring IAM policy to list roles

Use the following steps to set up AzureListRole_policy. This policy will allow to fetch the roles from AWS Accounts in Microsoft Entra ID:

  1. On the IAM console, choose Policies.
  2. Choose Create Policy.
  3. Choose JSON and replace the existing text with the following code:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"                
            ],
            "Resource": "*"
        }
    ]
}
  1. Choose Review policy
  2. For Name enter AzureListRole_policy.
  3. Choose Create policy.

Create an IAM user

  1. On the IAM console, choose Users.
  2. Choose Create user “ AzureSSOUser”

  1. Set Permissions.
  2. Choose the AzureListRole_policy IAM policy you created earlier.

  1. Choose Next: Tags.
  2. Choose Review and Create
  3. Under the Security credential tab, create an access key. The security credential is used in the Microsoft Entra user provision section to connect to Amazon QuickSight’s API and synchronize user data.

Configuring IAM policies for roles in QuickSight

In this step, you create three IAM policies for different role permissions in QuickSight:

  • QuickSight-Federated-Admin
  • QuickSight-Federated-Author
  • QuickSight-Federated-Reader

Use the following steps to set up QuickSight-Federated-Admin policy. This policy grants admin privileges in QuickSight to the federated user:

  1. On the IAM console, choose Policies.
  2. Choose Create Policy.
  3. Choose JSON and replace the existing text with the following code:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "quicksight:CreateAdmin",
            "Resource": "*"
        }
    ]
}
  1. Choose Review policy
  2. For Name enter QuickSight-Federated-Admin.
  3. Choose Create policy.

Now repeat the steps to create QuickSight-Federated-Author and QuickSight-Federated-Reader policy using the following JSON codes for each policy:

QuickSight-Federated-Author

The following policy grants author privileges in QuickSight to the federated user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "quicksight:CreateUser",
            "Resource": "*"
        }
    ]
}

QuickSight-Federated-Reader

The following policy grants reader privileges in QuickSight to the federated user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "quicksight:CreateReader",
            "Resource": "*"
        }
    ]
}

Configuring IAM roles

Next, create the roles that your Microsoft Entra  users assume when federating into QuickSight. The following steps set up the admin role:

  1. On the IAM console, choose Roles.
  2. Choose Create role.
  3. For Select type of trusted entity, choose SAML 2.0 federation.
  4. For SAML 2.0-based provider, choose the provider you created earlier (AzureActiveDirectory).
  5. Select Allow programmatic and AWS Management Console access.

  1. For Attribute, make sure SAML:aud is selected.
  2. Value should show https://signin.aws.amazon.com/saml.
  3. Choose Next: Permissions.
  4. Choose the QuickSight-Federated-Admin IAM policy you created earlier.
  5. Choose Next: Tags.
  6. Choose Next: Review
  7. For Role name, enter QuickSight-Admin-Role.
  8. For Role description, enter a description.
  9. Choose Create role.
  10. On the IAM console, in the navigation pane, choose Roles.
  11. Choose the QuickSight-Admin-Role role you created to open the role’s properties.
  12. Record the role ARN to use later.
  13. On the Trust Relationships tab, choose Edit Trust Relationship.
  14. Under Trusted Entities, verify that the IdP you created is listed.
  15. Under Conditions, verify that SAML:aud with a value of https://signin.aws.amazon.com/saml is present.
  16. Configure Email sync for federated users with value aws:RequestTag/Email“:”*“  –

When you configure email syncing for federated users in QuickSight, users who log in to your QuickSight account for the first time have preassigned email addresses. These are used to register their accounts. With this approach, users can manually bypass by entering an email address. Also, users can’t use an email address that might differ from the email address prescribed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::Account_ID:saml-provider/AzureActiveDirectory"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::AccountId:saml-provider/AzureActiveDirectory"
            },
            "Action": "sts:TagSession",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/Email": "*"
                }
            }
        }
    ]
}
  1. Repeat these steps to create your author and reader roles and attach the appropriate policies:
  • For QuickSight-Author-Role, use the policy QuickSight-Federated-Author.
  • For QuickSight-Reader-Role, use the policy QuickSight-Federated-Reader.

Configure an AWS access key for API Integration

Configuring Security Credential in Microsoft Entra which you have created and downloaded in the previous section.

  1. Choose Amazon QuickSight application that you created earlier.
  2. Choose Provisioning.
  3. Choose Provisioning Mode to Automatic from drop down
  4. Enter Access key details under Admin Credentials add clientsecret and Secret Token 

  1. Click on Test Connection, with correct credentials the connection would be established to enable provisioning

Configuring user Attributes and Claims in Microsoft Entra

In this step, you return to the application in Microsoft Entra admin center and configure the user claims that Entra ID sends to AWS. By default, several SAML attributes are populated for the new application, but you don’t need these attributes for federation into QuickSight. Under Required Claims edit the below 3 claims and update, delete unnecessary claims

For this post, you update three required claims and add one additional claims:

Required claims

  • Role
  • RoleSessionName
  • SessionDuration

Additional Claims

  • PrincipalTag:Email

Update the Role claim

To update the Role claim, complete the following steps:

  1. Click Claim name https://aws.amazon.com/SAML/Attributes/Role
  2. Under Claim conditions, add a condition for the admin, author, and reader roles. Use the parameters in the following table and make sure to replace <Account ID> with your AWS account ID:
User Type Scoped Group Source Value
Any QuickSight-Admin Attribute arn:aws:iam::<Account ID>:role/QuickSight-Admin-Role,arn:aws:iam::<Account ID>:saml-provider/AzureActiveDirectory
Any QuickSight-Author Attribute arn:aws:iam::<Account ID>:role/QuickSight-Author-Role,arn:aws:iam::<Account ID>:saml-provider/AzureActiveDirectory
Any QuickSight-Reader Attribute arn:aws:iam::<Account ID>:role/QuickSight-Reader-Role,arn:aws:iam::<Account ID>:saml-provider/AzureActiveDirectory

Update RoleSessionName claim

To update your RoleSessionName claim, complete the following steps:

  1. Click, Claim name https://aws.amazon.com/SAML/Attributes/RoleSessionName
  2. For Source, choose Transformation.
  3. For Transformation, enter ExtractMailPrefix().
  4. For Parameter 1, enter user.userprincipalname.

We use the ExtractMailPrefix() function to extract the name from the userprincipalname attribute. For example, the function extracts the name joe from the user principal name value of joe@example.com. IAM uses RoleSessionName to build the role session ID for the user signing into QuickSight. The role session ID is made up of the Role name and RoleSessionName, in Role/RoleSessionName format. Users are registered in QuickSight with the role session ID as the username.

Creating the PrincipalTag:Email  for Additional claim

To create claim, PrincipalTag:Email, complete the following steps:

  1. Choose Add new claim.
  2. For Name, enter PrincipalTag:Email
  3. For Namespace, enter https://aws.amazon.com/SAML/Attributes.
  4. For Source, choose Attribute.
  5. For Source attribute, enter “user.mail

Configuring Single Sign-on in Amazon QuickSight

To enable the SSO Configuration in QuickSight, Follow the steps

  1. Login to QuickSight with Admin role
  2. Click Manage QuickSight
  3. On the left panel, click Single sign-on (SSO)
  4. Select ON for Email syncing for Federated Users
  5. Select ON for Service Provider Initiated SSO

  1. Under configuration, provide the appropriate User access URL as Idp URL from your Entra ID Application properties
  2. Idp redirect URL parameter, set RelayState

Testing the application

You’re now ready to test the application.

  1. In the Microsoft Entra admin Center, under Identity, choose All groups.
  2. Update the group membership of the QuickSight-Admin group by adding the current user to it.

  1. Under Enterprise Applications, choose Amazon QuickSight.
  2. Under Manage, choose Single sign-on.
  3. ClickTest to test the authentication flow.
  4. Log in to QuickSight as an admin.

The following screenshot shows you the QuickSight dashboard for the admin user.

  1. Remove the current user from QuickSight-Admin Entra group and add it to QuickSight-Author group.

When you test the application flow, you log in to QuickSight as an author.

  1. Remove the current user from QuickSight-Author group and add it to QuickSight-Reader group.

When you test the application flow again, you log in as a reader.

Removing the user from the Entra group will not automatically remove the registered user in QuickSight. You have to remove the user manually in the QuickSight admin console. For details on user management inside QuickSight, see managing user access.

Deep-linking QuickSight dashboards

You can share QuickSight dashboards using the sign-on URL for the QuickSight application published in the Microsoft Entra Apps portal. This allows users to federate directly into the QuickSight dashboard without having to land first on the QuickSight homepage.To deep-link to a specific QuickSight dashboard with SSO, complete the following steps:

  1. Under Enterprise Applications, choose Amazon QuickSight
  2. Under Manage, choose Properties.
  3. Locate the User access URL.
  4. Append ?RelayState to the end of the URL containing the URL of your dashboard. For example,

https://launcher.myapps.microsoft.com/api/signin/?tenantId=<>&RelayState=https://us-east-1.quicksight.aws.amazon.com/sn/dashboards/>

You can test it by creating a custom sign-in URL using the RelayState parameter pointing to an existing dashboard. Make sure the user signing in to the dashboard has been granted proper access.

Summary

This post provided step-by-step instructions to configure a federated SSO with Microsoft Entra ID as the IdP. We also discussed how to map users and groups in Entra Admin Center to IAM roles for secure access into QuickSight.If you have any questions or feedback, please leave a comment.

About the authors

Adnan Hasan is a Global GTM Analytics Specialist at Amazon Web Services, helping customers transform their business using data, machine learning and advanced analytics.

Deepak Sahi is a Solutions Architect at AWS based out of Zurich, Switzerland. He has close to two decades of experience in the field of Data Analytics, primarily in Business intelligence and data warehousing. He has worked worldwide as a consultant in domains such as Telcom, Finance, Insurance, Healthcare etc. for many Fortune 500 Companies. He is currently focusing on manufacturing companies in Switzerland at the same time he is a member of SME for Amazon QuickSight. He helps them build secure and innovative cloud solutions, enable data-driven decisions and solve their business challenges.