Configure Dedicated Entra ID Directory Synchronization

Configure Click integration with AWS IAM Identity Center to automate the provisioning of WorkSpaces for users of Entra ID-only WorkSpaces Personal desktops.

Prerequisites:

  • Dedicated Microsoft Entra ID Connection created and configured as per AWS Documentation
    • For additional guides on configuring the feature, visit this AWS Blog Post
  • Click AD Gateway must be updated to version 2.6.1 (released June 27th, 2025) or higher to enable Identity Center integration. See AD Gateway Upgrade.

Click can now create Dedicated Entra ID-joined WorkSpaces on managed directories. Click does not integrate directly with your Entra ID tenant. Instead, it synchronizes with AWS IAM Identity Center to get the list of users and groups. This simplifies the permissions Click requires and ensures it uses the same user and group source as the Amazon WorkSpaces service.

Steps to Configure AWS IAM Identity Center Synchronization

  1. Create and configure Dedicated Microsoft Entra ID Connection as per AWS Documentation
  2. Manage the Directory in the Click console by toggling Managed from No to Yes
  3. Configure your AD Gateway parameters via CloudFormation. Set EntraEnabled to true and configure the EntraGroupMatchTerms filter to specify which groups to synchronize. EntraGroupMatchTerms is a comma-separated, case-insensitive list of search terms; no wildcards are needed. If left blank, nothing will be synchronized.

Example EntraGroupMatchTerms Filter:

EntraGroupMatchTerms Value is Developers,sales

Group Name       Synced?
UKDevelopers     Yes
USDevelopers     Yes
Marketing        No
Sales            Yes
Accounting       No
DevelopmentQA    No

  4. Click will automatically sync groups and users every hours. You can force a sync by navigating to Click Administration Groups and clicking Sync in the top right corner.
  5. Your AWS IAM Identity Center configuration is now complete. Configure Click Automation by setting up Click Packages and assigning them to your newly-synchronized groups.
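
To check an EntraGroupMatchTerms value from step 3 before deploying it, the following added example (not Click's own code) previews which group names a filter would select and flags terms that match nothing. It assumes matching is a case-insensitive substring test, as the example table implies, and that whitespace around terms is ignored; `parse_terms` and `preview_sync` are hypothetical names.

```python
"""Preview which groups an EntraGroupMatchTerms value would select (added example)."""


def parse_terms(raw):
    # Comma-separated list. Trimming whitespace is an assumption; empty
    # entries are dropped, so a blank value yields no terms at all.
    return [t.strip().lower() for t in raw.split(",") if t.strip()]


def preview_sync(raw_terms, group_names):
    """Return (selected, unused_terms).

    selected maps each matching group name to the terms that matched it.
    unused_terms lists terms that matched no group, which usually means a typo.
    """
    terms = parse_terms(raw_terms)
    selected = {}
    for name in group_names:
        # Assumed semantics: a group is synced when any term occurs
        # anywhere in its name, ignoring case (no wildcards involved).
        hits = [t for t in terms if t in name.lower()]
        if hits:
            selected[name] = hits
    used = {t for hits in selected.values() for t in hits}
    unused = [t for t in terms if t not in used]
    return selected, unused


# Group names taken from the example table on this page.
GROUPS = ["UKDevelopers", "USDevelopers", "Marketing",
          "Sales", "Accounting", "DevelopmentQA"]

if __name__ == "__main__":
    # "dev" is a constructed, broader term shown for comparison: it also
    # pulls in DevelopmentQA, which "Developers" does not.
    for value in ("Developers,sales", "dev", ""):
        selected, unused = preview_sync(value, GROUPS)
        print(f"EntraGroupMatchTerms = {value!r}")
        for name in GROUPS:
            print(f"  {name:15} {'Yes' if name in selected else 'No'}")
        if unused:
            print(f"  terms matching no group: {unused}")
```

Feeding it the real group list exported from IAM Identity Center shows the effect of a short term before users in unintended groups become eligible for WorkSpaces.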