User Migration: Azure AD to AWS Managed AD

Published in

Storm Reply

7 min readOct 2, 2024

Abstract

This article outlines the migration of users and groups from Azure Active Directory (Azure AD) to AWS Managed Active Directory (AWS Managed AD) within a hybrid IT infrastructure. The environment includes on-premise resources synchronized with Azure AD via AD Connect, while the BI reporting solution is hosted on AWS EC2. The challenge lies in maintaining accurate and timely synchronization of user and group profiles between Azure AD and the AWS-based reporting application. To address this, an automated solution was developed utilizing AWS IAM Identity Center, Step Functions, and Lambda, which triggers operations that write to AWS AD using the LDAP library. Any errors are managed, and alerts are sent through SNS to notify developers. This solution enhances operational efficiency and security.

Introduction

In modern enterprise environments, managing users and groups across a hybrid infrastructure presents several challenges, particularly when involving both on-premise resources and cloud services. Organizations often rely on Active Directory (AD) for user authentication and access control, synchronized with cloud services like Azure Active Directory (Azure AD) to extend these capabilities to cloud-based applications. As businesses increasingly adopt multi-cloud and hybrid strategies, integrating user management across different cloud platforms becomes essential.

In this context, AWS Managed Active Directory (AWS Managed AD) provides a fully managed directory service that simplifies the process of extending on-premise AD identities into AWS environments. However, ensuring the synchronization of user profiles and groups between Azure AD and AWS Managed AD for cloud-based applications requires an automated, reliable solution.

This article explores a scenario in which an enterprise needs to synchronize user and group profiles from Azure AD — which is already synchronized with the on-premise AD — into an AWS-based reporting application hosted on Amazon EC2. Given that the reporting solution requires precise user and group data to manage permissions effectively, any delay or inaccuracy in synchronization can impact operations and security.

To address this, an automated synchronization solution was designed using AWS IAM Identity Center, AWS Step Functions, and AWS Lambda functions, ensuring that changes in Azure AD are reflected in AWS Managed AD in near real-time. The integration also includes error handling and developer notifications via SNS, ensuring operational efficiency and security within the environment. This article will explore the details of the solution, the challenges it solves, and the benefits it brings to hybrid IT infrastructure management.

Architecture

The solution architecture is designed to automate the synchronization of user and group profiles from Azure Active Directory (Azure AD) to AWS Managed Active Directory (AWS Managed AD), ensuring seamless integration across the hybrid IT environment. The architecture leverages several AWS services to manage the process efficiently, handle errors, and notify developers when necessary.

The flow begins with users and groups managed in Azure AD, synchronized with the on-premise Active Directory through Azure AD Connect. The goal is to ensure that the reporting application hosted on Amazon EC2 has up-to-date access to user and group information for accurate permissions management. The process involves several key steps to ensure user segregation and synchronization. Here’s a breakdown of the flow:

User Segregation with IAM Identity Center: The synchronization process starts with an event that segregates users in the respective AWS account using AWS IAM Identity Center. This step ensures that users are correctly identified and managed across the hybrid environment.
Triggering Step Functions: Upon detecting a change in user or group profiles within Azure AD, an event is generated, which triggers an AWS Step Function. This orchestration service manages the flow of tasks involved in the synchronization process.
Lambda Function for Directory Updates: The Step Function invokes a Lambda function that performs the necessary operations, such as writing or updating user and group information in AWS Managed AD. The Lambda function interacts with the directory using the LDAP library, ensuring that changes are applied accurately.
Error Handling and Notifications: To ensure reliability, any errors encountered during the process are captured and handled appropriately. If an error occurs, the system triggers an alert via Amazon SNS, notifying developers of the issue. This allows for quick resolution and ensures minimal disruption to the application’s access management.

This architecture automates the complex process of maintaining user and group synchronization between Azure AD and AWS Managed AD, enhancing both operational efficiency and security. By leveraging AWS’s scalable services, the solution provides a robust mechanism to ensure that user data is always current and accurate.

Event Handling with CloudTrail

AWS CloudTrail plays a pivotal role in automating the synchronization process between Azure AD and AWS Managed AD by acting as the trigger for subsequent steps. CloudTrail captures various API events and enables automated workflows based on changes in the identity management system.

For example, when a new user is created in AWS IAM Identity Center, CloudTrail logs the CreateUser event. This event serves as a trigger to initiate the user synchronization process with AWS Managed Microsoft AD. By capturing and reacting to these events, CloudTrail ensures that new user information is immediately reflected in the directory service, maintaining alignment between the identity systems.

CloudTrail’s event logging capabilities automate and streamline the synchronization process, reducing the need for manual intervention and ensuring that identity and access management tasks are performed efficiently and accurately across the AWS environment. This automation enhances the overall reliability and consistency of identity management within the hybrid infrastructure.

Event Bus and EventBridge Rule

The Event Bus serves as the communication channel for transmitting events between AWS accounts. In this architecture, events generated by IAM Identity Center in the workload account are sent to an Event Bus set up in a different account.

To control the flow of these events, an EventBridge Rule is defined. The rule specifies the conditions for routing events from the Event Bus to specific targets, such as Step Functions or Lambda functions. For example, when an event related to user creation or modification is detected, the rule routes it to the appropriate service that handles the next step in the synchronization process.

By using EventBridge for event routing, the architecture ensures precise control over the flow and handling of identity-related events, enhancing the efficiency and scalability of the synchronization process across multiple AWS accounts.

Step Function Workflow

In this solution, the Step Function is designed to process aws.sso-directory events received from EventBridge. The events are routed to the Step Function based on the rules specified in EventBridge.

The workflow begins with a Task that invokes a Lambda function using its ARN. This Lambda function receives the IAM event payload as input and processes the necessary synchronization tasks with AWS Managed AD.

If the Lambda invocation fails, the system automatically retries up to three times, with a 5-second interval between each attempt. This retry mechanism helps ensure robustness in case of transient errors or timeouts during the operation.

If the maximum number of retries is reached without success, the workflow transitions to the SNSErrorHandler state. This state is another Task that publishes an error message to an SNS topic, using the ARN specified in the SNS module. This notification ensures that developers are promptly alerted to any issues in the synchronization process, enabling faster troubleshooting and resolution.

AWS Managed Directory Service

AWS Managed Directory Service is a fully managed solution for setting up and administering an Active Directory (AD) infrastructure on AWS. It provides a reliable and scalable implementation of AD, eliminating the need to manage on-premise infrastructure. This service acts as the destination for synchronizing users and groups from Azure AD via IAM Identity Center.

The synchronization process is secured by TLS (Transport Layer Security) over port 636, ensuring encrypted communication for directory operations. A Root Certificate Authority (RootCA) is configured to issue certificates for authenticating these secure connections, reinforcing the security of the directory transactions.

To set up an Enterprise Root CA On Windows Server, you can use this guide.

Additionally, the administrative credentials for accessing and managing the directory are securely stored and managed using AWS Secrets Manager, which automates credential rotation and provides access controls, enhancing the security and reliability of the overall system.

By leveraging AWS Managed AD, the solution ensures high availability, performance, and simplified directory management, fully integrated with AWS’s security best practices.

Conclusion

The integration of Azure Active Directory (Azure AD) with AWS Managed Active Directory (AWS Managed AD) through this automated synchronization solution represents a strategic improvement in managing user identities within a hybrid environment. By utilizing key AWS services, the solution provides a unified and consistent approach to identity management, which greatly enhances operational efficiency, security, and scalability.

Key advantages include the reduction of manual processes, which not only minimizes potential errors but also frees up valuable resources for other critical tasks. Additionally, the architecture’s ability to adapt and respond to changes ensures that user access remains accurate and up-to-date.