This guide walks you through setting up Microsoft Entra ID from scratch to work with the AWS Cognito Identity Pool for Bedrock access.
- Create Azure Account
- Access Azure Portal
- Create App Registration
- Configure Authentication
- Create Test Users
- Assign Users to Application
- Collect Required Information
- Test the Setup
If you don't have an Azure account:
- Go to https://azure.microsoft.com/free/
- Click Start free
- Sign in with a Microsoft account or create one
- Complete the registration (requires credit card for verification)
- You'll get $200 in credits and free tier access
Note: Save your tenant ID - you'll need it for configuration!
- Go to https://portal.azure.com
- Sign in with your Azure account
- Search for Microsoft Entra ID in the top search bar
- Click to access the admin center
- In Microsoft Entra ID, navigate to Applications → App registrations
- Click + New registration
Fill in the following:
- Name: `Amazon Bedrock CLI Access`
- Supported account types: select based on your needs
  - For enterprise: Accounts in this organizational directory only (single tenant)
  - For broader access: Accounts in any organizational directory (multi-tenant). Users from any Entra tenant can then sign in to this app, so the tenant-specific issuer you configure on the AWS side is what limits who actually gets Bedrock access.
- Redirect URI: Leave blank (we'll add it next)
Click Register
After registration, save these values:
- Application (client) ID: `12345678-1234-1234-1234-123456789012`
- Directory (tenant) ID: `87654321-4321-4321-4321-210987654321`
- In your app registration, click Authentication
- Click + Add a platform
- Select Mobile and desktop applications
- Check Add a custom redirect URI
- Enter exactly: `http://localhost:8400/callback`
- Click Configure
- In Authentication, scroll to Advanced settings
- Toggle Allow public client flows to Yes (the CLI is a native app with no client secret; it proves possession of the authorization code with PKCE instead)
- Click Save
API permissions: the default Microsoft Graph `User.Read` delegated permission is sufficient. No changes are needed.
- Go to Identity → Users → All users
- Click + New user → Create new user
Fill in:
- User principal name: `testuser@yourdomain.onmicrosoft.com`
- Display name: `Test User`
- Password: select "Let me create the password" (note it down)
- Usage location: your country
- Block sign in: No
Click Create
Repeat for more test users if needed.
- Go to Identity → Applications → Enterprise applications
- Search for Amazon Bedrock CLI Access
- Click on your application
- Click Users and groups
- Click + Add user/group
- Select your test users
- Click Assign
Note: this list only restricts sign-in if the application's Properties have "Assignment required?" set to Yes. With the default of No, any user in the tenant can sign in to the app regardless of assignment.
You now have everything needed for deployment:
| Parameter | Your Value | Example |
|---|---|---|
| Provider Domain | Your tenant URL | login.microsoftonline.com/{tenant-id}/v2.0 |
| Client ID | Your Application ID | 12345678-1234-1234-1234-123456789012 |
The CLI accepts multiple formats for the Azure provider domain. Choose the format that's most convenient for you:
| Format | Example | Notes |
|---|---|---|
| Full URL with /v2.0 | login.microsoftonline.com/c56f9106-1d27-456d-bd20-3de87e595a36/v2.0 | Recommended - standard Azure AD v2.0 endpoint |
| Full URL without /v2.0 | login.microsoftonline.com/c56f9106-1d27-456d-bd20-3de87e595a36 | Also supported |
| Just the tenant ID | c56f9106-1d27-456d-bd20-3de87e595a36 | Simplest format |
| With https:// prefix | https://login.microsoftonline.com/c56f9106-1d27-456d-bd20-3de87e595a36/v2.0 | Protocol stripped automatically |
Note: The CLI automatically extracts the tenant ID GUID from any of these formats, so you don't need to worry about formatting.
When running `poetry run ccwb init`, you'll be prompted for these values:

```bash
poetry run ccwb init
# The wizard will ask for:
# - Provider Domain: login.microsoftonline.com/{your-tenant-id}/v2.0
# - Client ID: 12345678-1234-1234-1234-123456789012
# - AWS Region for infrastructure: us-east-1
# - Bedrock regions: us-east-1,us-west-2
# - Enable monitoring: Yes/No
```

The CLI tool will handle all the CloudFormation configuration automatically.
- Go back to your app registration
- Click Authentication
- Verify:
  - Platform: Mobile and desktop applications
  - Redirect URI: `http://localhost:8400/callback`
  - Public client flows: Enabled

Then confirm the tenant's OIDC metadata is reachable:

```bash
curl -s https://login.microsoftonline.com/{your-tenant-id}/v2.0/.well-known/openid-configuration
```

This should return a JSON response with the OIDC configuration. Check that its `issuer` value is exactly `https://login.microsoftonline.com/{your-tenant-id}/v2.0`: that is the issuer the identity pool trusts, and the id tokens the CLI obtains must carry it in their `iss` claim.
If the sign-in redirect fails:
- Ensure the redirect URI is exactly `http://localhost:8400/callback`
- Check for trailing slashes or typos
If a user is denied access:
- Check user assignment in Enterprise Applications
- Verify the user account is active
To find the Client ID:
- Go to Applications → App registrations
- Click on your application
- The Client ID is on the overview page
If deployment fails because the tenant ID format is rejected, the fix is:
- If using an older version of the CLI: upgrade to the latest version, which supports multiple URL formats
- Manual workaround: when prompted for "Provider Domain", enter just your tenant ID GUID instead of the full URL:
  - ✅ Use: `c56f9106-1d27-456d-bd20-3de87e595a36`
  - ❌ Instead of: `login.microsoftonline.com/c56f9106-1d27-456d-bd20-3de87e595a36/v2.0`
- After upgrading: the CLI accepts all formats automatically (see the supported provider domain formats above)
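The two checks that matter before the Provider Domain value reaches CloudFormation are that it reduces to a single tenant GUID and that the tenant's discovery document advertises exactly that tenant-specific issuer. The script below is an added example written for this guide; it is not the ccwb CLI's code and does not reproduce how the CLI parses the value. It reimplements the normalization the format table describes, rejects the multi-tenant aliases (`common`, `organizations`, `consumers`) that the production notes warn against, and checks a discovery document's `issuer` the way you would after running the `curl` command in the test step. The function names are this example's own, and the two discovery documents are constructed and abbreviated (the second imitates the placeholder issuer the `common` endpoint advertises); fetch the real document for your tenant with `discovery_url()` to run the check for real.

```python
"""Normalize the Provider Domain value and verify the tenant issuer.

Added example, not code from the ccwb CLI. It reproduces the normalization the
guide describes (every accepted format reduces to the tenant GUID) and adds the
check worth doing before deployment: the issuer the identity pool will trust must
be the tenant-specific v2.0 issuer, never the 'common' or 'organizations' alias.
"""
import json
import re
from urllib.parse import urlparse

LOGIN_HOST = "login.microsoftonline.com"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# Multi-tenant aliases: tokens minted through them carry a per-tenant issuer, so
# none of them can be the single issuer string an identity pool trusts.
MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}


def extract_tenant_id(provider_domain: str) -> str:
    """Return the lower-cased tenant GUID from any accepted Provider Domain format.

    Accepted: bare GUID, host/GUID, host/GUID/v2.0, each with or without an
    https:// prefix. Anything else raises ValueError so a typo or an alias is
    caught before it is written into the CloudFormation parameters.
    """
    value = provider_domain.strip()
    if "://" not in value:
        value = "https://" + value  # urlparse needs a scheme to split host and path
    parsed = urlparse(value)
    segments = [s for s in parsed.path.split("/") if s]

    if parsed.netloc.lower() == LOGIN_HOST:
        # host/GUID or host/GUID/v2.0
        if len(segments) == 0 or len(segments) > 2 or (
            len(segments) == 2 and segments[1].lower() != "v2.0"
        ):
            raise ValueError(f"unrecognised provider domain: {provider_domain!r}")
        candidate = segments[0]
    elif parsed.netloc and not segments:
        candidate = parsed.netloc  # a bare GUID lands in netloc once prefixed
    else:
        raise ValueError(f"unrecognised provider domain: {provider_domain!r}")

    if candidate.lower() in MULTI_TENANT_ALIASES:
        raise ValueError(f"{candidate!r} is a multi-tenant alias; use your tenant GUID")
    if not GUID_RE.match(candidate):
        raise ValueError(f"{candidate!r} is not a tenant GUID")
    return candidate.lower()


def is_valid_provider_domain(provider_domain: str) -> bool:
    """Boolean wrapper around extract_tenant_id for a quick pre-flight check."""
    try:
        extract_tenant_id(provider_domain)
        return True
    except ValueError:
        return False


def issuer_for(tenant_id: str) -> str:
    """The exact issuer the identity pool must trust; it matches the id_token 'iss' claim."""
    return f"https://{LOGIN_HOST}/{tenant_id}/v2.0"


def discovery_url(tenant_id: str) -> str:
    """OIDC discovery URL for the tenant; this is what the guide's curl check fetches."""
    return issuer_for(tenant_id) + "/.well-known/openid-configuration"


def discovery_matches_tenant(discovery_json: str, tenant_id: str) -> bool:
    """True only if the discovery document's issuer is exactly the tenant-specific issuer."""
    doc = json.loads(discovery_json)
    return doc.get("issuer") == issuer_for(tenant_id)


# Constructed, abbreviated discovery documents for this example (real ones carry
# many more fields). The first is the shape a tenant-specific endpoint returns;
# the second imitates the placeholder issuer the 'common' endpoint advertises.
TENANT = "c56f9106-1d27-456d-bd20-3de87e595a36"
TENANT_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
})
COMMON_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
})

if __name__ == "__main__":
    for form in (TENANT, f"login.microsoftonline.com/{TENANT}",
                 f"login.microsoftonline.com/{TENANT}/v2.0",
                 f"https://login.microsoftonline.com/{TENANT}/v2.0"):
        print(f"{form:75} -> {extract_tenant_id(form)}")
    print("common alias accepted:", is_valid_provider_domain("login.microsoftonline.com/common/v2.0"))
    print("tenant discovery issuer ok:", discovery_matches_tenant(TENANT_DISCOVERY, TENANT))
    print("common discovery issuer ok:", discovery_matches_tenant(COMMON_DISCOVERY, TENANT))
    print("fetch to verify:", discovery_url(TENANT))
```

Feed the JSON returned by the `curl` command to `discovery_matches_tenant()`; if it returns False, the value you entered as Provider Domain will not match the issuer in the tokens your users receive.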
Once you've completed this setup:
- Clone the repository:

```bash
git clone https://github.com/aws-solutions-library-samples/guidance-for-claude-code-with-amazon-bedrock.git
cd claude-code-setup
poetry install
```

- Run the setup wizard: `poetry run ccwb init`
- Create a distribution package: `poetry run ccwb package`
- Test the deployment: `poetry run ccwb test --api`
- Distribute the `dist/` folder to your users
- Production Considerations:
  - Use your specific tenant ID (not "common"); a tenant-specific issuer is what lets the identity pool reject tokens issued to users of other tenants
  - Enable MFA for all users
  - Set appropriate session timeouts
  - Monitor sign-in logs regularly
- Token Settings:
  - PKCE is enabled by default for native apps
  - Public client flows must be enabled
- User Management:
  - Use groups to manage access at scale
  - Conduct regular access reviews
  - Disable unused accounts promptly
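The Authentication settings above (the exact loopback redirect URI and "Allow public client flows") and the Token Settings note about PKCE describe one flow: a native app with no client secret sends an authorization request that commits to a PKCE challenge, receives the code on `http://localhost:8400/callback`, and proves possession of the code when redeeming it. The script below is an added example written for this guide; it is not the ccwb CLI's code and makes no claim about how the CLI implements its sign-in. It generates an RFC 7636 S256 verifier/challenge pair, builds the v2.0 authorize URL for the tenant, and validates the callback (exact redirect URI, `state` match, no `error`) before accepting the code. The function names are this example's own, the client and tenant IDs in the demo are the guide's placeholders, and the scope string is an assumption consistent with the default `User.Read` permission.

```python
"""Build and validate the PKCE authorization request for the native-app registration.

Added example, not the ccwb CLI's own code. It shows what the two Authentication
settings in this guide enable: a redirect to the exact loopback URI that was
registered, and a public-client flow that proves possession of the authorization
code with PKCE (RFC 7636) instead of a client secret.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_HOST = "login.microsoftonline.com"
REDIRECT_URI = "http://localhost:8400/callback"  # must match the registration exactly
SCOPES = "openid profile User.Read"               # assumption: matches the default permission


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(n_bytes: int = 32) -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(n_bytes))  # 43 chars; RFC 7636 allows 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed with the verifier."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(tenant_id: str, client_id: str, code_challenge: str,
                        state: str, nonce: str) -> str:
    """Tenant-specific v2.0 authorize URL; no client_secret anywhere in a public-client flow."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": SCOPES,
        "state": state,                  # bound to the pending request, checked on return
        "nonce": nonce,                  # echoed in the id_token to bind it to this request
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{LOGIN_HOST}/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)


def redirect_uri_registered(candidate: str) -> bool:
    """Exact string comparison: a trailing slash or typo is a different URI."""
    return candidate == REDIRECT_URI


def extract_code_from_callback(callback_url: str, expected_state: str) -> str:
    """Validate the loopback callback and return the authorization code.

    Raises ValueError if the URI is not the registered one, the state does not
    match (possible CSRF or a stale request), or the provider returned an error.
    """
    parsed = urlparse(callback_url)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if not redirect_uri_registered(base):
        raise ValueError(f"callback arrived at {base!r}, not the registered redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch; discarding response")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url("c56f9106-1d27-456d-bd20-3de87e595a36",
                              "12345678-1234-1234-1234-123456789012",
                              challenge, state, nonce)
    print("open in browser:", url)
    # Constructed callback standing in for what the loopback listener on :8400 would receive.
    fake_callback = f"{REDIRECT_URI}?code=AUTH_CODE_FROM_ENTRA&state={state}"
    code = extract_code_from_callback(fake_callback, state)
    print("code to redeem with verifier:", code, "| challenge verifies:",
          verify_code_challenge(verifier, challenge))
```

The `code_verifier` stays on the machine that started the request and is sent only to the token endpoint when the code is redeemed, which is why the registration needs no client secret. Keep the loopback listener bound to `localhost` and reject any callback whose `state` you did not issue.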