
Adding Microsoft SSO to Your Amazon Cognito User Pool

Integrating Microsoft Single Sign-On (SSO) with Amazon Cognito is one of the most powerful ways to modernize identity management for cloud applications. As organizations scale their digital ecosystems across AWS, Azure, and SaaS apps, secure authentication and frictionless access become non-negotiable. Amazon Cognito, combined with Microsoft SSO through Azure AD, provides a robust, enterprise-grade identity stack that supports OAuth2, OpenID Connect (OIDC), and multi-provider federation.

In this guide, we will walk through how to attach Microsoft SSO (Single Sign-On) to an existing user pool in Amazon Cognito.

Step 1. Sign in to the Azure portal and navigate to your Azure AD directory to create a “New registration” for your app.

Step 2. Assuming you have already created the Cognito User Pool, add a lambda trigger in the User Pool properties.

Step 3. Select “sign-up” as the trigger type and choose “pre-signup”.

Step 4. Provide the Lambda function and add the trigger.

Step 5. Test the setup by checking the hosted UI and attempting to use a domain that should not be accessible. You should receive an error if access is restricted.
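The pre sign-up trigger that Steps 2 to 5 attach to the user pool, written out as an added example (this is not code from the original post): a Python Lambda handler that rejects any sign-up whose e-mail domain is not on an allowlist, which is what makes the "domain that should not be accessible" test in Step 5 fail as expected. The ALLOWED_DOMAINS variable, its example.com default and the sample events are assumptions; the event fields (triggerSource, request.userAttributes, response) follow Cognito's documented Pre sign-up trigger payload.

```python
"""Pre sign-up Lambda trigger that limits sign-ups to approved e-mail domains.

Added example, not the post's own code. ALLOWED_DOMAINS is an assumed
allowlist read from the Lambda environment; the event shape follows the
documented Cognito Pre sign-up trigger payload.
"""
import os

# Assumed allowlist: comma-separated domains in the ALLOWED_DOMAINS variable,
# falling back to a constructed default so the handler runs stand-alone.
ALLOWED_DOMAINS = frozenset(
    d.strip().lower()
    for d in os.environ.get("ALLOWED_DOMAINS", "example.com").split(",")
    if d.strip()
)

# Federated (Microsoft / OIDC) sign-ups arrive with this trigger source the
# first time a user signs in; native sign-ups use PreSignUp_SignUp.
FEDERATED_SOURCE = "PreSignUp_ExternalProvider"


def email_domain(email):
    """Return the lower-cased domain of an e-mail address, or None if malformed."""
    if not email or email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()


def is_allowed(email, allowed=ALLOWED_DOMAINS):
    """True only for a well-formed address whose domain is exactly on the allowlist."""
    domain = email_domain(email)
    return domain is not None and domain in allowed


def handler(event, context=None):
    """Cognito Pre sign-up trigger entry point.

    Raising any exception makes Cognito reject the sign-up and show the
    message in the hosted UI; returning the event lets the sign-up proceed.
    A missing email attribute is treated as a failure (fail closed).
    """
    attrs = event.get("request", {}).get("userAttributes", {})
    email = attrs.get("email")
    source = event.get("triggerSource", "")

    if not is_allowed(email):
        raise Exception(
            f"Sign-up rejected: e-mail domain not permitted (source={source})"
        )

    # Azure AD has already authenticated a federated user, so the address can
    # be marked verified; native sign-ups still go through Cognito's own
    # verification flow.
    if source == FEDERATED_SOURCE:
        event.setdefault("response", {})["autoVerifyEmail"] = True
    return event
```

Two caveats worth knowing before relying on this: the match is exact, so a subdomain such as sub.example.com is rejected unless it is listed, and the check only sees an e-mail address if the Microsoft provider's attribute mapping populates the Cognito email attribute (otherwise every federated sign-up fails closed). Because the trigger fires only when the user is first created, a user whose domain is later removed from the allowlist is not re-evaluated on subsequent sign-ins; that case needs a separate control such as a Pre authentication trigger or disabling the user.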

Want to integrate secure SSO across AWS and Azure?

Book a free identity architecture consultation

Why Integrate Microsoft SSO with Amazon Cognito?

Microsoft Azure AD is the identity provider for millions of organizations worldwide. Amazon Cognito, on the other hand, is AWS’s managed authentication and user pool service. Integrating these two systems enables:

  • Enterprise-grade identity federation: Users authenticate with Azure AD, while Cognito manages session tokens and user profiles.
  • Centralized authentication: No need to manage passwords in Cognito — Azure handles all authentication workflows.
  • Secure OAuth2 / OIDC integration: Microsoft SSO leverages open standards, making your architecture compliant and scalable.
  • Seamless multi-cloud identity strategy: Perfect for companies using both Azure and AWS ecosystems.
  • Reduced friction & better user experience: Users log in with familiar Microsoft credentials.

Understanding the Technical Architecture

The integration is based on OpenID Connect (OIDC), an identity layer on top of OAuth 2.0. Authentication flow works like this:

  1. User clicks Continue with Microsoft SSO.
  2. Cognito redirects to Microsoft Azure AD.
  3. Azure authenticates the user (via password, MFA, conditional access, etc.).
  4. Azure returns a secure ID token to Cognito.
  5. Cognito maps identity claims (email, username, groups) to the user pool.
  6. User is securely signed into your AWS-hosted application.

This architecture supports serverless apps, API Gateway, AppSync, Amplify, and any OAuth2-based client.

Deeper Insights Into Each Configuration Step

Step 1 & 2: App Registration in Azure

When registering an app, Azure AD creates:

  • Application (client) ID
  • Directory (tenant) ID
  • Redirect URI endpoint
  • Authentication scopes

The redirect URI registered in Azure must match Cognito’s idpresponse endpoint exactly: https://<your-user-pool-domain>/oauth2/idpresponse.

Step 3: Generating a Client Secret

This is Azure’s way of verifying that Cognito is an authorized application requesting authentication tokens. Secrets must be rotated periodically.

Step 4–5: Adding Microsoft as an IdP in Cognito

AWS Cognito supports multiple provider types:

  • SAML
  • OIDC
  • Social providers (Google, Facebook)
  • Custom providers

For Microsoft SSO, you choose OIDC and configure:

  • Discovery URL
  • Client ID & Secret
  • Scopes such as openid, email, profile
  • Attribute mappings

Proper attribute mapping ensures that Microsoft user fields (like email) align with Cognito user pool schema.

Step 6–7: Updating Hosted UI

Once added, Cognito immediately exposes Microsoft as a login option using a consistent OAuth2 login interface.

Security Best Practices

To ensure your identity integration is compliant and secure, follow these practices:

  • Use HTTPS-only domains for Cognito: Never use HTTP endpoints for redirect URIs.
  • Rotate secrets regularly: Azure client secrets expire—automate rotation using Key Vault and AWS Secrets Manager.
  • Enable Multi-Factor Authentication (MFA): Azure Conditional Access + Cognito user policies provide defense-in-depth.
  • Block legacy authentication: Disable older protocols like WS-Trust unless absolutely required.
  • Use least privilege IAM roles: Grant Cognito access only to the AWS resources it actually needs.

Common Issues & Troubleshooting

Issue                          | Likely cause                   | Fix
-------------------------------|--------------------------------|-------------------------------
Redirect URI mismatch          | Incorrect URI in Azure         | Copy the Cognito domain exactly
Invalid client secret          | Expired or deleted secret      | Generate a new secret
“IdP not found” in Cognito     | Misconfigured provider name    | Ensure names match exactly
Azure login screen loops       | Missing openid scope           | Add openid to the scopes
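The configuration from Steps 4 and 5 (discovery URL, client ID and secret, scopes, attribute mapping) and the checks behind the troubleshooting table above, combined into one added example that is not the post's own code. It assembles the parameters that the Cognito CreateIdentityProvider API accepts for an OIDC provider and then runs the redirect URI, HTTPS, openid scope, secret, and provider name checks before anything is deployed. The ProviderDetails keys are the real API keys; the tenant ID, client ID, user pool domain, provider name and Azure redirect URIs are constructed placeholders, and the boto3 call itself is deliberately left to the caller so the block runs offline.

```python
"""Assemble and sanity-check Cognito OIDC provider settings for Azure AD.

Added example, not the post's own code. The ProviderDetails keys are those
accepted by Cognito's CreateIdentityProvider API for ProviderType OIDC; every
concrete value used below is a constructed placeholder.
"""
from urllib.parse import urlparse

# Without openid Azure issues no ID token and the hosted UI loops back to login.
REQUIRED_SCOPE = "openid"


def cognito_redirect_uri(user_pool_domain):
    """The exact redirect URI Cognito presents to the IdP."""
    return f"https://{user_pool_domain}/oauth2/idpresponse"


def microsoft_issuer(tenant_id):
    """Azure AD v2.0 issuer; Cognito appends /.well-known/openid-configuration for discovery."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def build_oidc_provider(user_pool_id, provider_name, tenant_id, client_id,
                        client_secret, scopes=("openid", "email", "profile")):
    """Return the keyword arguments for boto3 cognito-idp create_identity_provider.

    The call is not made here; pass the result as **kwargs to the client.
    """
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,
        "ProviderType": "OIDC",
        "ProviderDetails": {
            "client_id": client_id,
            "client_secret": client_secret,
            "attributes_request_method": "GET",
            "oidc_issuer": microsoft_issuer(tenant_id),
            "authorize_scopes": " ".join(scopes),
        },
        # Microsoft's ID token carries the address in the 'email' claim; 'sub'
        # is stable per user and tenant, so it is a safe Cognito username.
        "AttributeMapping": {"email": "email", "username": "sub"},
    }


def check_configuration(params, azure_redirect_uris, user_pool_domain,
                        app_client_providers=None):
    """Return a list of problems mirroring the troubleshooting table; empty means OK."""
    problems = []
    details = params["ProviderDetails"]

    expected = cognito_redirect_uri(user_pool_domain)
    if expected not in azure_redirect_uris:
        problems.append(f"Redirect URI mismatch: Azure must register exactly {expected}")
    for uri in azure_redirect_uris:
        if urlparse(uri).scheme != "https":
            problems.append(f"Non-HTTPS redirect URI registered in Azure: {uri}")

    if REQUIRED_SCOPE not in details["authorize_scopes"].split():
        problems.append("Missing openid scope: Azure will not return an ID token")
    if not details.get("client_secret"):
        problems.append("Invalid client secret: value is empty (expired or deleted?)")
    if urlparse(details["oidc_issuer"]).scheme != "https":
        problems.append("Issuer must be an https URL")

    # "IdP not found": the app client must list this provider by the same name.
    if app_client_providers is not None and params["ProviderName"] not in app_client_providers:
        problems.append(f"IdP not found: app client does not enable {params['ProviderName']}")
    if "email" not in params["AttributeMapping"]:
        problems.append("No email attribute mapping: the pre sign-up domain check will see no email")
    return problems
```

Run check_configuration against the values you intend to deploy and fix every reported line before calling create_identity_provider; the same function can be run again after deployment against the provider's returned ProviderDetails to confirm nothing drifted, for example after a client secret rotation.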

How Addend Analytics Helps

Addend Analytics specializes in designing secure, scalable, cloud-native architectures using AWS, Microsoft Azure, Power BI, Microsoft Fabric, and modern identity frameworks.

We help organizations:

  • Implement SSO, MFA, and IAM best practices
  • Secure multi-cloud data systems
  • Build analytics platforms that integrate with enterprise identity
  • Deploy Cognito, Azure AD, and OAuth2/OIDC authentication
  • Modernize application security with serverless infrastructure

Build Scalable, Secure Data & App Infrastructure

From BI to cloud engineering, Addend Analytics delivers end-to-end solutions.
Contact us at solutions@addendanalytics.com


Addend Analytics is a Microsoft Gold Partner based in Mumbai, India, with a branch office in the U.S.

Addend has successfully implemented 100+ Microsoft Power BI and Business Central projects for 100+ clients across sectors like Financial Services, Banking, Insurance, Retail, Sales, Manufacturing, Real estate, Logistics, and Healthcare in countries like the US, Europe, Switzerland, and Australia.

Get a free consultation now by emailing us or contacting us.