This guide is for organizations that use Amazon Web Services (AWS) and want to migrate to Azure or adopt a multicloud strategy. This guidance compares AWS identity management solutions to similar Azure solutions.
Tip
For information about extending Microsoft Entra ID into AWS, see Microsoft Entra identity management and access management for AWS.
Core identity services
Core identity services in both platforms form the foundation of identity and access management. These services include core authentication, authorization, and accounting capabilities, and the ability to organize cloud resources into logical structures. AWS professionals can use similar capabilities in Azure. These capabilities might have architectural differences in implementation.
AWS service | Azure service | Description |
---|---|---|
AWS Identity and Access Management (IAM) Identity Center | Microsoft Entra ID | Centralized identity management service that provides single sign-on (SSO), multifactor authentication (MFA), and integration with various applications |
AWS Organizations | Azure management groups | Hierarchical organization structure to manage multiple accounts and subscriptions by using inherited policies |
AWS IAM Identity Center | Microsoft Entra ID SSO | Centralized access management that enables users to access multiple applications by using a single set of credentials |
AWS Directory Service | Microsoft Entra Domain Services | Managed directory services that provide ___domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos or NT LAN Manager (NTLM) authentication |
Authentication and access control
Authentication and access control services in both platforms provide essential security features to verify user identities and manage resource access. These services handle MFA, access reviews, external user management, and role-based permissions.
AWS service | Azure service | Description |
---|---|---|
AWS MFA | Microsoft Entra MFA | Extra security layer that requires multiple forms of verification for user sign-ins |
AWS IAM Access Analyzer | Microsoft Entra access reviews | Tools and services to review and manage access permissions to resources |
AWS IAM Identity Center | Microsoft Entra External ID | External user access management platform for secure cross-organization collaboration. These platforms support protocols like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). |
AWS Resource Access Manager | Microsoft Entra role-based access control (RBAC) and Azure RBAC | Services that can share cloud resources within an organization. AWS typically shares cloud resources across multiple accounts. Azure RBAC can achieve similar resource sharing. |
Identity governance
To maintain security and compliance, you must manage identities and access. Both AWS and Azure provide solutions for identity governance. Organizations and workload teams can use these solutions to manage the lifecycle of identities, conduct access reviews, and control privileged access.
In AWS, managing the identity lifecycle, access reviews, and privileged access requires a combination of several services.
- AWS IAM handles secure access to resources.
- IAM Access Analyzer helps identify shared resources.
- AWS Organizations provides centralized management of multiple accounts.
- IAM Identity Center provides centralized access management.
- AWS CloudTrail and AWS Config enable governance, compliance, and auditing of AWS resources.
You can tailor these services to meet specific organizational needs, which helps ensure compliance and security.
In Azure, Microsoft Entra ID Governance provides an integrated solution to manage the identity lifecycle, access reviews, and privileged access. It simplifies these processes by incorporating automated workflows, access certifications, and policy enforcement. These capabilities provide a unified approach to identity governance.
Privileged access management
AWS IAM temporary elevated access is an open-source security solution that grants temporary elevated access to AWS resources via AWS IAM Identity Center. This approach ensures that users only have elevated privileges for a limited time and for specific tasks to reduce the risk of unauthorized access.
Microsoft Entra Privileged Identity Management (PIM) provides just-in-time privileged access management. You use PIM to manage, control, and monitor access to important resources and critical permissions in your organization. PIM includes features such as role activation via approval workflows, time-bound access, and access reviews to ensure that privileged roles are only granted when necessary and are fully audited.
AWS service | Azure service | Description |
---|---|---|
AWS CloudTrail | Microsoft Entra privileged access audit | Comprehensive audit logging for privileged access activities |
AWS IAM and partner products or custom automation | Microsoft Entra just-in-time access | Time-bound privileged role activation process |
Hybrid identity
Both platforms provide solutions to manage hybrid identity scenarios that integrate cloud and on-premises resources.
AWS service | Azure service | Description |
---|---|---|
AWS Directory Service AD Connector | Microsoft Entra Connect | Directory synchronization tool for hybrid identity management |
AWS IAM SAML provider | Active Directory Federation Services | Identity federation service for SSO |
AWS Managed Microsoft AD | Microsoft Entra password hash synchronization | Password synchronization between on-premises and cloud instances |
Application and API user authentication and authorization
Both platforms provide identity services to secure application access and API authentication. These services manage user authentication, application permissions, and API access controls through identity-based mechanisms. The Microsoft identity platform serves as the Azure unified framework for authentication and authorization across applications, APIs, and services. It implements standards like OAuth 2.0 and OIDC. AWS provides similar capabilities through Amazon Cognito as part of its identity suite.
AWS service | Microsoft service | Description |
---|---|---|
Amazon Cognito, AWS Amplify Authentication, AWS Security Token Service (STS) | Microsoft identity platform | Comprehensive identity platform that provides authentication, authorization, and user management for applications and APIs. Both options implement OAuth 2.0 and OIDC standards but have different architectural approaches. |
Key architectural differences
- AWS approach: Distributed services that are composed together
- Microsoft approach: Unified platform that has integrated components
Developer SDK and libraries
AWS service | Microsoft service | Description |
---|---|---|
AWS Amplify Authentication libraries | Microsoft Authentication Library (MSAL) | Client libraries for implementing authentication flows. MSAL provides a unified SDK across multiple platforms and languages. AWS provides separate implementations through Amplify. |
AWS SDKs for several programming languages | MSAL for several programming languages | Language-specific SDKs to implement authentication. The Microsoft approach provides a high level of consistency across programming languages. |
OAuth 2.0 flow implementation
AWS service | Microsoft service | Description |
---|---|---|
Amazon Cognito OAuth 2.0 grants | Microsoft identity platform authentication flows | Support standard OAuth 2.0 flows, including authorization code, implicit, client credentials, and device code |
Cognito user pools authorization code flow | Microsoft identity platform authorization code flow | Implementation of the secure redirect-based OAuth flow for web applications |
Cognito user pools Proof Key for Code Exchange (PKCE) support | Microsoft identity platform PKCE support | Enhanced security for public clients by using PKCE |
Cognito custom authentication flows | Microsoft identity platform custom policies | Customization of authentication sequences but with different implementation |
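The authorization code flow with PKCE in the table above (and the OAuth 2.0/OIDC standards the Microsoft identity platform and Amazon Cognito both implement) works the same way on either platform: the client generates a random code_verifier, sends its SHA-256 code_challenge with the authorization request, and later proves possession of the verifier at the token endpoint. The following Python is an added example written for this guide, not code from Microsoft, AWS, or MSAL/Amplify; the tenant, region, ___domain and client values are placeholders, and `server_verify_pkce` models only the check a token endpoint performs, using a real test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Real authorization endpoints of the two platforms; the braces are placeholders
# for your tenant ID (Entra) or your Cognito ___domain prefix and region.
ENTRA_AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
COGNITO_AUTHORIZE = "https://{___domain}.auth.{region}.amazoncognito.com/oauth2/authorize"


def make_code_verifier(length: int = 64) -> str:
    """RFC 7636 section 4.1: 43..128 characters from the unreserved set."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be 43..128 characters")
    # token_urlsafe yields [A-Za-z0-9_-], all within the unreserved set;
    # 96 random bytes give 128 characters, which we trim to the requested length.
    return secrets.token_urlsafe(96)[:length]


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, challenge: str) -> str:
    """Assemble the redirect the browser is sent to; identical shape on both platforms."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF binding, checked by the client on the callback
        "code_challenge": challenge,
        "code_challenge_method": "S256",  # never fall back to "plain"
    }
    return endpoint + "?" + urllib.parse.urlencode(params)


def server_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Hypothetical model of the token endpoint's check on the /token call:
    recompute the challenge from the presented verifier and compare in constant time."""
    return secrets.compare_digest(code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = code_challenge(verifier)
    url = build_authorize_url(
        ENTRA_AUTHORIZE.format(tenant="<tenant-id>"),   # placeholder tenant
        client_id="<app-client-id>",                    # placeholder client
        redirect_uri="https://localhost/callback",
        scope="openid profile",
        state=secrets.token_urlsafe(16),
        challenge=challenge,
    )
    print(url)
    print("verifier accepted:", server_verify_pkce(challenge, verifier))
```

The verifier never leaves the client until the token request, so an attacker who intercepts the authorization code on the redirect cannot redeem it; that is why both Cognito and the Microsoft identity platform recommend PKCE for public clients such as SPAs and mobile apps.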
Identity provider integration
AWS service | Microsoft or Azure service | Description |
---|---|---|
Cognito identity provider federation | Microsoft identity platform external identity providers | Support for social and enterprise identity providers through OIDC and SAML protocols |
Cognito user pools social sign-in | Microsoft identity platform social identity providers | Integration with providers like Google, Facebook, and Apple for consumer authentication |
Cognito SAML federation | Microsoft Entra ID SAML federation | Enterprise identity federation through SAML 2.0 |
Token services
AWS service | Microsoft or Azure service | Description |
---|---|---|
AWS STS | Microsoft Entra token service | Issue security tokens for application and service authentication |
Cognito token customization | Microsoft identity platform token configuration | Customization of JSON Web Tokens by using claims and scopes |
Cognito token validation | Microsoft identity platform token validation | Libraries and services to verify token authenticity |
Application registration and security
AWS service | Microsoft or Azure service | Description |
---|---|---|
Cognito app client configuration | Microsoft Entra app registrations | Registration and configuration of applications by using the identity platform |
AWS IAM roles for applications | Microsoft Entra Workload ID | Managed identities for application code resource access |
Cognito resource servers | Microsoft identity platform API permissions | Configuration of protected resources and scopes |
Developer experience
AWS service | Microsoft or Azure service | Description |
---|---|---|
AWS Amplify CLI | Microsoft identity platform PowerShell CLI | Command-line tools for identity configuration |
AWS Cognito console | Microsoft Entra admin center | Management interfaces for identity services |
Cognito hosted UI | Microsoft identity platform MSAL UI | Pre-built UIs for authentication |
AWS AppSync with Cognito | Microsoft Graph API with MSAL | Data access patterns with authentication |
Platform-specific features
AWS service | Microsoft service | Description |
---|---|---|
Cognito identity pools | No direct equivalent | AWS-specific approach to federate identities to AWS resources |
No direct equivalent | Web Apps feature of Azure App Service Easy Auth | Platform-level authentication for web applications without code changes |
Cognito user pool Lambda triggers | Microsoft identity platform B2C custom policies | Extensibility mechanisms for authentication flows |
AWS Web Application Firewall with Cognito | No direct equivalent | Security policies for access control |
Contributors
Microsoft maintains this article. The following contributors wrote this article.
Principal author:
- Jerry Rhoads | Principal Partner Solutions Architect
Other contributor:
- Adam Cerini | Director, Partner Technology Strategist
Next steps
- Plan your Microsoft Entra ID deployment
- Configure hybrid identity with Microsoft Entra Connect
- Implement Microsoft Entra PIM
- Secure applications by using the Microsoft identity platform