AWS Security ChangesHomeSearch

AWS quicksuite documentation change

Service: quicksuite · 2025-11-22 · Documentation low

File: quicksuite/latest/userguide/outlook-extension.md

Summary

Updated documentation to add support for IAM Identity Center with Microsoft Entra ID authentication for Outlook extension, including detailed configuration steps for Azure tenant setup, trusted token issuer configuration, and IAM permissions

Security assessment

The changes add security-focused documentation about configuring secure identity propagation (SCIM), storing secrets in Secrets Manager, and setting IAM permissions. While these are security-related practices, there's no evidence they address a specific existing vulnerability. The changes primarily document proper security configuration for a new feature rather than patching a security issue.

Diff

diff --git a/quicksuite/latest/userguide/outlook-extension.md b/quicksuite/latest/userguide/outlook-extension.md
index 66f6f551c..dcde8949d 100644
--- a//quicksuite/latest/userguide/outlook-extension.md
+++ b//quicksuite/latest/userguide/outlook-extension.md
@@ -54,0 +55,13 @@ Before configuring access to the Amazon Quick Suite extension to Microsoft Outlo
+If you configured the authentication to connect to Amazon Quick Suite with IAM Identity Center, complete the following additional steps:
+
+  1. Ensure you have an IAM Identity Center instance enabled on your AWS account.
+
+  2. Use Microsoft Entra ID as your identity provider.
+
+  3. Ensure that every user under your Entra ID provider configuration has an email associated with them.
+
+  4. Set up SCIM identity propagation between the Microsoft Entra ID instance and IAM Identity Center. For detailed steps, see [Configure SAML and SCIM with Microsoft Entra ID and IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/azure-ad-idp.html).
+
+
+
+
@@ -57 +70 @@ Before configuring access to the Amazon Quick Suite extension to Microsoft Outlo
-The Microsoft Outlook extension isn't supported if you're using IAM Identity Center for end user management in Amazon Quick Suite.
+The Microsoft Outlook extension supports only Entra ID authentication with IAM Identity Center.
@@ -76,4 +88,0 @@ These default mappings ensure secure and accurate user identification across bot
-###### Note
-
-The Microsoft Outlook extension isn't supported if you're using IAM Identity Center for end user management in Amazon Quick Suite.
-
@@ -82 +91,3 @@ The Microsoft Outlook extension isn't supported if you're using IAM Identity Cen
-  * Add Microsoft Outlook extension access
+  * Add Microsoft Outlook extension access for accounts using IAM Identity Center and Entra ID
+
+  * Add Microsoft Outlook extension access for accounts using other authentication methods
@@ -91 +102,181 @@ The Microsoft Outlook extension isn't supported if you're using IAM Identity Cen
-### Add Microsoft Outlook extension access
+### Add Microsoft Outlook extension access for accounts using IAM Identity Center and Entra ID
+
+Follow these steps to set up and configure an Azure tenant on your Microsoft Azure portal:
+
+###### To set up an Azure tenant
+
+  1. In the Azure account, create a new app registration.
+
+    1. Go to **App registrations**.
+
+    2. In the **App registrations** screen, choose **New registration**. Under the **Supported account types** option, choose **Accounts in this organizational directory only (Personal use only - Single tenant)**. Once finished, choose **Register**.
+
+    3. Note the client ID. You will need this later.
+
+    4. Create a client secret for the app registration and keep note of it. You will need this later.
+
+  2. Add callback URLs for each Region in which your Outlook extension will be installed.
+
+    1. Navigate to the app registration's **Authentication** tab.
+
+    2. Choose **Platform Configurations** , **Add a platform**.
+
+    3. Choose **Web**.
+
+    4. Compose a callback URL using the following format, replacing `your-region` with your Amazon Quick Suite instance Region. The Outlook extension supports the following Regions: `ap-southeast-2`, `eu-west-1`, `us-west-2`, and `us-east-1`.
+        
+                qbs-cell001.dp.appintegrations.your-region.prod.plato.ai.aws.dev/auth/idc-tti/callback
+
+    5. Insert the callback URL as the redirect URI and choose **Configure** when done.
+
+
+
+
+Follow these steps to configure a Trusted Token Issuer on your IAM Identity Center instance in your AWS Console:
+
+###### To configure a Trusted Token Issuer
+
+  1. Go to your AWS account and navigate to your IAM Identity Center instance.
+
+  2. Navigate to **Settings** , **Authentication**.
+
+  3. Choose **Create trusted token issuer**.
+
+  4. Add the issuer URL, which should follow this template, where `Tenant ID` refers to your Entra tenant ID:
+    
+        login.microsoftonline.com/Tenant ID/v2.0
+
+###### Note
+
+The issuer URL should be the OIDC discovery endpoint of your identity without the well-known document URI path. If you include the well-known document URI path, this will not work. See [Trusted token issuer configuration settings](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html).
+
+  5. Choose **Email** as the Identity Provider attribute and IAM Identity Center attribute.
+
+
+
+
+Follow these steps to set up permissions on AWS Console:
+
+###### To set up permissions
+
+  1. Navigate to Secrets Manager on AWS console.
+
+  2. Choose **Store a new secret**.
+
+  3. Choose **Other type of secret** and choose the **Plaintext** tab.
+
+  4. Your secret should be in the following format and use the app registration client ID and app registration client secret that you saved from the earlier steps:
+    
+        {
+        "client_id":"Your app registration client ID",
+        "client_secret":"Your app registration client secret"
+    }
+
+  5. Navigate to the secret you just created and save the ARN for later.
+
+  6. Now navigate to IAM on AWS console.
+
+  7. Choose **Access Management** , **Roles** in the left navigation bar.
+
+  8. Choose **Create role**.
+
+  9. Choose **Custom trust policy**.
+
+  10. Configure the role to trust our service principal for the relevant Region that you selected when configuring your Azure app registration by adding the following statement replacing `your-region` with the Region you chose when creating the Azure app registration:
+    
+        {
+        "Version": "2012-10-17", 		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": "your-region.prod.appintegrations.plato.aws.internal"
+                },
+                "Action": "sts:AssumeRole",
+                "Condition": {}
+            }
+        ]
+    }
+
+  11. Choose **Next**.
+
+  12. Provide a name and description and choose **Create role**.
+
+  13. Navigate to the role you just created and choose it.
+
+  14. Choose **Add Permissions** , **Create inline policy**.
+
+  15. Choose **JSON**.
+
+  16. Configure the role with permissions to read secrets from Secrets Manager and permissions to invoke `sso:DescribeTrustedTokenIssuer` by adding the following statement:
+    
+        {
+        "Version": "2012-10-17", 		 	 	 
+        "Statement": [
+            {
+                "Sid": "BasePermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "secretsmanager:GetSecretValue",
+                    "sso:DescribeTrustedTokenIssuer"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+
+  17. Provide a policy name and choose **Create policy**.
+
+  18. Copy and save the ARN of the IAM role you created for later. You will need it in the next steps.
+
+
+
+
+Now you can follow these steps to create a new extension access configuration that will allow Amazon Quick Suite to integrate with your Microsoft Outlook environment:
+
+###### To create an extension access configuration
+
+  1. Sign in to the Amazon Quick Suite console.
+
+  2. In the top right, choose the profile picture icon.
+
+  3. From the drop-down menu, choose **Manage account**.
+
+  4. Under **Permissions** , choose **Extension access**.
+
+  5. In the top right, choose **New extension access**.
+
+  6. Select **Microsoft Outlook**. Then, choose **Next**.
+
+  7. Configure the following fields:
+
+     * **Name** \- A name for your extension is pre-filled for you. You can edit this and enter a descriptive name for the Outlook extension (maximum 512 alphanumeric characters, hyphens allowed but no spaces).
+
+     * **Description (optional)** \- A description for your extension is pre-filled for you. You can edit this and enter a new description to provide additional context about this extension configuration (maximum 1000 characters).
+
+     * **M365 tenant ID** \- Enter your Microsoft 365 tenant identifier (must be 36 characters).
+
+     * **Secrets Role ARN** \- Paste the ARN of the IAM role you created from the previous steps.
+
+     * **Secrets ARN** \- Paste the ARN of the Secrets Manager secret you created from the previous steps.
+
+  8. Choose **Add** to save the new access configuration.
+
+A success message will open up on the top right of your screen.
+
+  9. From the success message, choose **View extensions** to finish installing your extension.
+