Microsoft - Amazon Bedrock AgentCore

Amazon Bedrock AgentCore is in preview release and is subject to change.

Microsoft

Microsoft can be set up as an inbound provider using Microsoft Entra ID or as an outbound provider.

To add Microsoft Entra ID as an identity provider for accessing AgentCore Gateway and Runtime, you must:

  • Configure the discovery URL from your IdP directory. This lets AgentCore Identity retrieve the metadata for your OAuth authorization server and the keys used to verify tokens.

  • Provide the valid clientId or aud claim values for the token. AgentCore Identity uses these to validate the tokens coming from your IdP and allows access only for tokens that carry the expected claims.

You configure these settings as part of the inbound authorization configuration for Gateway and Runtime.

Inbound

We support Microsoft Entra ID for v2.0 ID tokens.

Configurations for v2.0 ID tokens

In custom authorizer:

  • Discovery URL: the discovery URL has the form https://login.microsoftonline.com/${tenantId}/v2.0/.well-known/openid-configuration, where ${tenantId} is your Entra tenant ID.

  • Allowed audiences: the aud claim must be the Application (client) ID of your Entra app registration.

On Microsoft Entra:

  • When configuring the application, enable ID token issuance in the app registration.

  • Include the mandatory openid scope when calling the Microsoft Entra ID authorize and token endpoints during ingress flows.
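The inbound checks above, shown as an added Go example that is not AgentCore's or Microsoft's own code: it verifies a constructed v2.0 ID token with the key a JWKS would publish, requires iss to equal the discovery document's issuer and aud to equal the Application ID, and rejects expired tokens. The tenant ID, Application ID, kid, and signing key are constructed placeholders, and MintToken stands in for Entra's token endpoint so the code runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
// demoKey is a constructed signing key standing in for the one Entra publishes at the discovery document's jwks_uri.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// VerifyEntraIDToken applies the inbound checks listed above: RS256 signature under the JWKS key named by kid
// (keys maps kid to public key), iss equal to the discovery document's issuer, aud equal to the Application ID, exp (unix seconds) still ahead of now.
func VerifyEntraIDToken(token, issuer, appID string, keys map[string]*rsa.PublicKey, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or unsupported alg")
	}
	sig, _ := b64.DecodeString(parts[2])
	if pub := keys[hdr.Kid]; pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return nil, fmt.Errorf("signature does not verify under kid %q", hdr.Kid)
	}
	var claims map[string]any
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil || claims["iss"] != issuer {
		return nil, fmt.Errorf("malformed payload or issuer mismatch")
	}
	if claims["aud"] != appID {
		return nil, fmt.Errorf("aud %v is not the configured Application ID", claims["aud"])
	}
	if exp, _ := claims["exp"].(float64); float64(now) >= exp {
		return nil, fmt.Errorf("token expired")
	}
	return claims, nil
}

// MintToken is a constructed stand-in for Entra's token endpoint so the example runs offline.
func MintToken(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	c, _ := json.Marshal(claims)
	signing := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(signing))
	return signing + "." + b64.EncodeToString(sig)
}
```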

Outbound

To configure the outbound Microsoft resource provider, use the following:

{
  "name": "NAME",
  "credentialProviderVendor": "MicrosoftOAuth2",
  "oauth2ProviderConfigInput": {
    "microsoftOAuth2ProviderConfig": {
      "clientId": "your-client-id",
      "clientSecret": "your-client-secret"
    }
  }
}