AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2025-10-16 · Security-related medium

File: bedrock-agentcore/latest/devguide/identity-idp-microsoft.md

Summary

Restructured Microsoft Entra ID integration documentation with improved configuration details, corrected URL templates, and added tenantId parameter in outbound example

Security assessment

The change introduces backtick-wrapped `tenantId` in OpenID configuration URLs (e.g., 'login.microsoftonline.com/`tenantId`/...'), which could lead to misconfiguration if developers copy-paste without replacing the placeholder. This impacts security by potentially causing invalid token validation endpoints. The scope format change to ``entra-application-id`/.default` also introduces syntax ambiguity that could result in improperly scoped tokens.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-idp-microsoft.md b/bedrock-agentcore/latest/devguide/identity-idp-microsoft.md
index 4a46a6f17..9f6506fa4 100644
--- a//bedrock-agentcore/latest/devguide/identity-idp-microsoft.md
+++ b//bedrock-agentcore/latest/devguide/identity-idp-microsoft.md
@@ -7,2 +6,0 @@ InboundOutbound
-Amazon Bedrock AgentCore is in preview release and is subject to change. 
-
@@ -11 +9,3 @@ Amazon Bedrock AgentCore is in preview release and is subject to change.
-You can set up Microsoft as an inbound or outbound provider using Microsoft Entra ID.
+Microsoft Entra ID can be configured as an identity provider for accessing AgentCore Gateway and Runtime, or an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate and authorize agent users with Microsoft Entra ID as the identity provider and authorization server, or your agents to obtain credentials to access resources authorized by Microsoft Entra ID.
+
+## Inbound
@@ -13 +13 @@ You can set up Microsoft as an inbound or outbound provider using Microsoft Entr
-To add Microsoft Entra ID as an identity provider for accessing AgentCore Gateway and Runtime, you must:
+To add Microsoft Entra ID as an identity provider and authorization server for accessing AgentCore Gateway and Runtime, you must:
@@ -17 +17 @@ To add Microsoft Entra ID as an identity provider for accessing AgentCore Gatewa
-  * Provide valid `aud` claims for the token. This helps validate the tokens coming from your IDP and allows access for tokens that contain the expected claims.
+  * Enter valid `aud` claims for the token. This helps validate the tokens coming from your IDP and allows access for tokens that contain the expected claims.
@@ -24,3 +24 @@ You can configure these as part of configuration of Gateway and Runtime inbound
-Before configuring Microsoft Entra ID as your identity provider, we recommend completing the basic setup steps outlined in [Getting started with Amazon Bedrock AgentCore Identity](./identity-getting-started.html). This ensures your development environment and SDK are properly configured before adding identity provider integration.
-
-## Inbound
+Before configuring Microsoft Entra ID as your identity provider, we recommend completing the basic setup steps outlined in [Integrate with Google Drive using OAuth2](./identity-getting-started-google.html). This ensures your development environment and SDK are properly configured before adding identity provider integration.
@@ -38 +36 @@ For all token types, in your custom authorizer:
-    * For v1.0 tokens use: `https://login.microsoftonline.com/${tenantId}/.well-known/openid-configuration`
+    * For v1.0 tokens use: `https://login.microsoftonline.com/`tenantId`/.well-known/openid-configuration`
@@ -40 +38 @@ For all token types, in your custom authorizer:
-    * For v2.0 tokens use: `https://login.microsoftonline.com/${tenantId}/v2.0/.well-known/openid-configuration`
+    * For v2.0 tokens use: `https://login.microsoftonline.com/`tenantId`/v2.0/.well-known/openid-configuration`
@@ -51 +49 @@ When fetching the token from Microsoft Entra:
-  * Include in authorization URL a scope like `{entra-application-id}/.default` alongside any other scopes your application might require. This allows Microsoft to know that you intend to use the access token against resources other than Microsoft's Graph API and will result in a token that can be validated by AgentCore Identity.
+  * Include in authorization URL a scope like ``entra-application-id`/.default` alongside any other scopes your application might require. This allows Microsoft to know that you intend to use the access token against resources other than Microsoft's Graph API and will result in a token that can be validated by AgentCore Identity.
@@ -89,0 +88,2 @@ To configure the outbound Microsoft resource provider, use the following:
+                    "tenantId": "your-microsoft-entra-tenant"
+                }
@@ -91 +90,0 @@ To configure the outbound Microsoft resource provider, use the following:
-            },
@@ -100 +99 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Amazon Cognito
+LinkedIn
@@ -102 +101 @@ Amazon Cognito
-Auth0 by Okta
+Notion