
In today’s cloud-first world, managing secure access across multiple platforms is essential for enterprise security. Identity and Access Management (IAM) federation allows organisations to use their existing identity provider to authenticate users across different applications and services. This approach simplifies access management, enhances security, and improves the user experience.
In this guide, we’ll walk through setting up IAM federation between Microsoft Entra ID (formerly Azure AD) and AWS Q Business using SAML 2.0 authentication. This integration creates a seamless single sign-on experience while maintaining robust security controls.
What is Amazon Q Business?
Before we dive into the integration details, let’s take a moment to understand what we’re actually connecting to. Amazon Q Business is AWS’s AI-powered assistant designed specifically for enterprise use. It allows employees to ask questions, get insights, and find information across connected company data sources—all while maintaining proper security and compliance controls.
Key features of AWS Q Business include:
- Answering questions about internal documents and data
- Helping employees find information quickly without digging through multiple systems
- Maintaining context across conversations for more helpful responses
- Connecting to various data sources like SharePoint, OneDrive, Salesforce, and more
- Respecting your existing permissions and security boundaries
By integrating Q Business with Microsoft Entra ID, you’re creating a seamless experience where employees can access this powerful AI assistant using their existing credentials—no new passwords to memorise (or forget).
Why Integrate Entra ID with AWS Q Business?
Integrating Microsoft Entra ID with Amazon Q Business isn’t just a technical upgrade—it’s a practical improvement your whole organisation will notice.
Here’s what it means in practice:
- Easier access for your team: staff can sign in using the credentials they already use. It’s quicker, simpler, and reduces the need for IT support.
- Better control for IT and security: access is managed through your existing identity policies, with automatic updates when roles change, so there is no duplication and no manual clean-up.
- Stronger security and compliance: centralising access makes it easier to enforce consistent policies, track activity, and meet compliance requirements like ISO 27001.
- Fewer manual tasks: user provisioning and deprovisioning are handled automatically, helping reduce overhead and avoid unnecessary risk.
- Higher uptake across the business: when access is seamless, people are more likely to use the tools you’ve invested in, improving the return on that investment.
Skipping this step means more work for your teams and more risk for the business. With this integration in place, it’s easier to scale AI tools securely and get real value from them.
Prerequisites
Before we proceed with the integration, make sure you have the following for a smooth process:
- Admin access to Microsoft Entra ID
- Admin access to AWS Management Console
- Permissions to create IAM roles and identity providers
Step-by-Step Integration Guide
1. Create the Application in Microsoft Entra ID
First, we need to set up the AWS application in Entra ID:
- Sign in to the Azure portal
- Navigate to Enterprise Applications → New application
- Search for Amazon Web Services (AWS) and select AWS Single-Account Access
- Enter a descriptive name for your application and click Create
- On the application overview page, go to Single sign-on → SAML
- Under Basic SAML Configuration, click Edit
- For both Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL), enter a placeholder (e.g., https://replaceWithWebAppUrl/saml) – we’ll update these later.
- Save your changes.
- Download the Federation Metadata XML from the SAML Certificates section.
2. Create AWS IAM Identity Provider and Role
Now, let’s configure the AWS side:
- Sign in to the AWS IAM Console
- Go to Identity providers → Add provider
- Choose SAML as the provider type, enter a name, and upload the metadata XML from Entra ID
- Click Add Provider and copy the provider ARN
- Create a new IAM role with a custom trust policy:
- Go to Roles → Create role → Custom trust policy
- Add the trust policy JSON, replacing the placeholder values.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "{{AWS IAM Identity Provider ARN}}"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "{{QBusiness web app URL}}saml"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "{{AWS IAM Identity Provider ARN}}"
      },
      "Action": "sts:TagSession",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/Email": "*"
        },
        "ForAllValues:StringEquals": {
          "sts:TransitiveTagKeys": "Email"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetContext"
      ]
    }
  ]
}
- Attach a permissions policy that grants the role the Q Business access it needs, for example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessConversationPermissions",
      "Effect": "Allow",
      "Action": [
        "qbusiness:Chat",
        "qbusiness:ChatSync",
        "qbusiness:ListMessages",
        "qbusiness:ListConversations",
        "qbusiness:PutFeedback",
        "qbusiness:DeleteConversation",
        "qbusiness:GetWebExperience",
        "qbusiness:GetApplication",
        "qbusiness:ListPlugins",
        "qbusiness:GetChatControlsConfiguration",
        "qbusiness:ListRetrievers",
        "qbusiness:ListPluginActions",
        "qbusiness:ListAttachments",
        "qbusiness:GetMedia"
      ],
      "Resource": "arn:aws:qbusiness:us-west-2:AWS-Account-ID:application/application-ID"
    },
    {
      "Sid": "QBusinessPluginDiscoveryPermissions",
      "Effect": "Allow",
      "Action": [
        "qbusiness:ListPluginTypeMetadata",
        "qbusiness:ListPluginTypeActions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QBusinessRetrieverPermission",
      "Effect": "Allow",
      "Action": [
        "qbusiness:GetRetriever"
      ],
      "Resource": [
        "arn:aws:qbusiness:us-west-2:AWS-Account-ID:application/application-ID",
        "arn:aws:qbusiness:us-west-2:AWS-Account-ID:application/application-ID/retriever/*"
      ]
    },
    {
      "Sid": "QBusinessAutoSubscriptionPermission",
      "Effect": "Allow",
      "Action": [
        "user-subscriptions:CreateClaim"
      ],
      "Condition": {
        "Bool": {
          "user-subscriptions:CreateForSelf": "true"
        },
        "StringEquals": {
          "aws:CalledViaLast": "qbusiness.amazonaws.com"
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "QAppsResourceAgnosticPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:CreateQApp",
        "qapps:PredictQApp",
        "qapps:PredictProblemStatementFromConversation",
        "qapps:PredictQAppFromProblemStatement",
        "qapps:ListQApps",
        "qapps:ListLibraryItems",
        "qapps:CreateSubscriptionToken"
      ],
      "Resource": "arn:aws:qbusiness:us-west-2:AWS-Account-ID:application/application-ID"
    },
    {
      "Sid": "QAppsAppUniversalPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:DisassociateQAppFromUser"
      ],
      "Resource": "arn:aws:qapps:us-west-2:AWS-Account-ID:application/application-ID/qapp/*"
    },
    {
      "Sid": "QAppsAppOwnerPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:GetQApp",
        "qapps:CopyQApp",
        "qapps:UpdateQApp",
        "qapps:DeleteQApp",
        "qapps:ImportDocument",
        "qapps:ImportDocumentToQApp",
        "qapps:CreateLibraryItem",
        "qapps:UpdateLibraryItem",
        "qapps:StartQAppSession"
      ],
      "Resource": "arn:aws:qapps:us-west-2:AWS-Account-ID:application/application-ID/qapp/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:UserIsAppOwner": "true"
        }
      }
    },
    {
      "Sid": "QAppsPublishedAppPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:GetQApp",
        "qapps:CopyQApp",
        "qapps:AssociateQAppWithUser",
        "qapps:GetLibraryItem",
        "qapps:CreateLibraryItemReview",
        "qapps:AssociateLibraryItemReview",
        "qapps:DisassociateLibraryItemReview",
        "qapps:StartQAppSession"
      ],
      "Resource": "arn:aws:qapps:us-west-2:AWS-Account-ID:application/application-ID/qapp/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:AppIsPublished": "true"
        }
      }
    },
    {
      "Sid": "QAppsAppSessionModeratorPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:ImportDocument",
        "qapps:ImportDocumentToQAppSession",
        "qapps:GetQAppSession",
        "qapps:GetQAppSessionMetadata",
        "qapps:UpdateQAppSession",
        "qapps:UpdateQAppSessionMetadata",
        "qapps:StopQAppSession"
      ],
      "Resource": "arn:aws:qapps:us-west-2:AWS-Account-ID:application/application-ID/qapp/*/session/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:UserIsSessionModerator": "true"
        }
      }
    },
    {
      "Sid": "AllowAssumeRoleWithSAML",
      "Effect": "Allow",
      "Action": [
        "sts:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QAppsSharedAppSessionPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:ImportDocument",
        "qapps:ImportDocumentToQAppSession",
        "qapps:GetQAppSession",
        "qapps:GetQAppSessionMetadata",
        "qapps:UpdateQAppSession"
      ],
      "Resource": "arn:aws:qapps:us-west-2:AWS-Account-ID:application/application-ID/qapp/*/session/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:SessionIsShared": "true"
        }
      }
    }
  ]
}
- Before saving, review the AllowAssumeRoleWithSAML statement: sts:* on all resources is far broader than its Sid suggests, and AssumeRoleWithSAML itself is authorised by the role’s trust policy rather than by an identity policy, so narrow or remove that statement unless your deployment needs it.
- Save the role and copy the IAM role ARN
3. Configure Advanced SAML Settings in Entra ID
Let’s customise the SAML claims:
- Return to your application in Entra ID
- Navigate to Single sign-on → Attributes & Claims → Edit
- Configure the Unique User Identifier (Name ID):
- Set Name identifier format to Persistent
- Set Source attribute to user.objectid
- Add a new claim:
- Name: PrincipalTag:Email
- Namespace: https://aws.amazon.com/SAML/Attributes
- Source attribute: user.mail
- Create an app role:
- Go to Security → Permissions → Application registration → Manage → App roles
- Create a new role that combines your IAM Role ARN and Identity Provider ARN
- Example value: arn:aws:iam::123456789012:role/q-business-role,arn:aws:iam::123456789012:saml-provider/entra-id-provider
- Assign users to the application and the newly created app role
- Add API permissions for your application
4. Create and Configure AWS Q Business Application
Now we’ll set up the Q Business application:
- Navigate to the AWS Q Business console
- Click Create Application
- Enter a name and under Access management method, select your SAML identity provider
- Create a web experience and select the IAM role you created earlier
- For the Authentication URL, use the Entra ID URL format:
- https://myapps.microsoft.com/signin/{application-name}/{user-access-url-suffix}
- The suffix can be found in your application’s properties under User access URL
- Complete the setup and note the deployed URL (e.g., https://example.chat.qbusiness.us-west-2.on.aws/)
5. Update URLs in Both Systems
Finally, we need to update the placeholder URLs:
- Edit your IAM role’s trust policy to replace the placeholder with your actual Q Business URL ({URL}/saml)
- Return to Entra ID and update both the Identifier (Entity ID) and Reply URL with the same URL
Testing the Integration
To test your setup:
- Navigate to your Q Business deployed URL.
- You should be redirected to the Entra ID login page.
- After authentication, you’ll be redirected back to AWS Q Business, ready to use the service.
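If the redirect back to Q Business fails, the usual causes are a placeholder left in the trust policy’s SAML:aud condition (step 2), an assertion Audience that does not equal it after the URL update (step 5), or a missing Role or PrincipalTag:Email claim (step 3). The following is an added example, not code from this guide, AWS or Microsoft: an offline pre-flight check that compares a decoded SAML assertion with the role trust policy. The trust policy, account ID, ARNs and assertion below are constructed sample values; in practice you would paste in the assertion captured from the browser’s SAML response and your real trust policy.

```python
# Added offline pre-flight check for the Entra ID -> Amazon Q Business SAML setup (constructed sample data).
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Value format the Entra app role must carry: "roleARN,providerARN"
ROLE_PAIR = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+,arn:aws:iam::\d{12}:saml-provider/[\w+=,.@-]+$")
# Constructed trust policy shaped like the guide's first statement (account id and names are made up).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/entra-id-provider"},
     "Action": "sts:AssumeRoleWithSAML",
     "Condition": {"StringEquals": {"SAML:aud": "https://example.chat.qbusiness.us-west-2.on.aws/saml"}}}]}
# Constructed assertion containing only the elements these checks read (signature omitted).
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject><saml:NameID Format="{PERSISTENT}">00000000-0000-0000-0000-000000000001</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://example.chat.qbusiness.us-west-2.on.aws/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AWS_ATTR}Role"><saml:AttributeValue>arn:aws:iam::123456789012:role/q-business-role,arn:aws:iam::123456789012:saml-provider/entra-id-provider</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR}RoleSessionName"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR}PrincipalTag:Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(assertion_xml: str, trust_policy: dict) -> list[str]:
    """Return the mismatches that would make the web experience sign-in fail; [] means consistent."""
    root = ET.fromstring(assertion_xml)
    attrs = {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    findings = []
    # SAML:aud in the trust policy must equal the assertion's Audience, i.e. "<web experience URL>saml"
    expected = next((st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
                     for st in trust_policy["Statement"] if st.get("Action") == "sts:AssumeRoleWithSAML"), None)
    if not expected or "{{" in expected:
        findings.append("trust policy SAML:aud missing or still a placeholder")
    elif expected not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        findings.append(f"assertion Audience does not equal SAML:aud {expected}")
    nid = root.find(".//saml:NameID", NS)
    if nid is None or nid.get("Format") != PERSISTENT:
        findings.append("NameID missing or not persistent")
    roles = attrs.get(AWS_ATTR + "Role", [])
    if not roles or not all(ROLE_PAIR.match(r) for r in roles):
        findings.append("Role attribute missing or not in 'roleARN,providerARN' form")
    if not attrs.get(AWS_ATTR + "PrincipalTag:Email"):  # becomes the transitive Email session tag
        findings.append("PrincipalTag:Email attribute missing")
    return findings
```

An empty result means the assertion satisfies the SAML:aud condition and carries the claims the trust policy and Q Business expect; each finding names the system (trust policy or Entra ID claims) to correct.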
Conclusion
Integrating Microsoft Entra ID with Amazon Q Business isn’t just a backend fix—it’s a smart move that simplifies access, tightens security, and makes life easier for both users and administrators. Your team gets seamless sign-on. Your IT team gets more granular control over security policies and permissions with less overhead. And your business gets a smoother path to adopting AI tools that actually get used.
It’s a practical step that supports compliance, boosts productivity, and sets you up to scale AI tools with confidence and control.
Happy secure federating!