Organizations with users in multiple geographies face data residency requirements such as the General Data Protection Regulation (GDPR) in Europe, country-specific data sovereignty laws, and internal compliance policies. Amazon Quick with Microsoft 365 extensions supports Regional routing to meet these requirements.
Amazon Quick supports multi-Region deployments so you can route users to AWS Region-specific Amazon Quick resources (Quick chat agents, Quick Flows, knowledge bases, and more). Regulated industries such as financial services, healthcare, energy, and telecommunications commonly use this pattern to keep data within specific geographical boundaries.
If you integrate Amazon Quick with Microsoft 365 applications, in this case Microsoft Teams, users must authenticate and connect to their appropriate Regional Amazon Quick resources. Regional routing makes sure users access the chat agents and resources they build in their Amazon Quick Region. In this post, we show you how to implement data residency when deploying Amazon Quick Microsoft Teams extensions across multiple AWS Regions. You'll learn how to configure multi-Region Amazon Quick extensions that automatically route users to AWS Region-appropriate resources, helping maintain compliance with GDPR and other data sovereignty requirements.
Solution overview
In this post, we present a real-world example with MyCompany, a fictional global organization with European headquarters accessing Amazon Quick in the Europe (Ireland) Region (eu-west-1) and a US branch in the US East (N. Virginia) Region (us-east-1). A single Amazon Quick account has AWS Region-specific chat agents (MyCompany-Knowledge-Agent-eu-west-1 and MyCompany-Knowledge-Agent-us-east-1) containing localized corporate information.
Regional routing requires AWS IAM Identity Center with a trusted token issuer (TTI) for cross-system authentication. This post uses Microsoft Entra ID for group-based access control to demonstrate how organizations can automatically route users to their appropriate AWS Regions, though other identity management approaches are possible. This post focuses on the Amazon Quick extension for Microsoft Teams as the primary example.
The following architecture diagram demonstrates how to automate user routing across multiple AWS Regions by integrating Microsoft Entra ID with IAM Identity Center. By using Microsoft Entra ID group membership to direct users to their designated Regional Amazon Quick deployments, you can maintain data residency within specific geographic boundaries while providing a consistent experience for your global workforce.
To implement this design, you'll follow a multi-phase process that begins with AWS Management Console configuration and concludes with the deployment of Regional add-ons to your users. At a high level, this post shows you how to configure identity and trust one time, then repeat a small set of Regional steps per AWS Region. The following steps summarize the high-level workflow:
- Initiate setup on the Amazon Quick console and choose the AWS Region to configure.
- Configure the Regional Microsoft Teams extension integration, including an AWS Identity and Access Management (IAM) role and an AWS Secrets Manager secret for that AWS Region, and trust IAM Identity Center as a token issuer.
- Activate the extension in Amazon Quick to generate the Regional manifest file.
- Register the extension callbacks in your Microsoft Entra ID application and complete the activation callback for the application across all AWS Regions.
- Deploy the Microsoft Teams add-on ([YOUR_COMPANY_NAME]-Teams-[AWS_REGION]) to your Regional user groups through Microsoft Entra ID.
- Map the Regional add-on to its designated knowledge agent ([YOUR_COMPANY_NAME]-Teams-[AWS_REGION] Agent) to grant users access to localized data.
Prerequisites
Your AWS environment must have Amazon Quick active in your target AWS Regions, along with the identity and secret management services used to handle Regional authentication. For AWS services, you must have the following in place:
- An active Amazon Quick account
- IAM Identity Center configured and managing user identities in your organization, with SAML integration with Microsoft Entra ID
- Secrets Manager available in both target AWS Regions for storing authentication credentials
- IAM access to create roles and policies
For Microsoft 365, you must have the following for admin access:
- A Global Administrator or Application Administrator role in Microsoft Entra ID
- Access to the Microsoft 365 Admin Center for application deployment
- Permissions to create and configure Enterprise applications in Microsoft Entra ID
Create Microsoft Entra ID application
We start by establishing the shared identity foundation used by every AWS Region. In this first step, you create a Microsoft Entra ID application. The Microsoft 365 extensions use the Microsoft Entra ID application to authenticate users against Amazon Quick through IAM Identity Center. Complete the following steps to create your application:
- In your Azure account, choose App registrations, then choose New registration.
- For Supported account types, choose Accounts in this organizational directory only (Personal use only – Single tenant).
- Choose Register.
- Navigate to the application registration's Manage – Authentication tab.
- Choose Add Redirect URL.
- Choose Web.
- For this post, we use two redirect URLs, following the pattern https://qbs-cell001.dp.appintegrations.[AWS_REGION].prod.plato.ai.aws.dev/auth/idc-tti/callback:
- https://qbs-cell001.dp.appintegrations.eu-west-1.prod.plato.ai.aws.dev/auth/idc-tti/callback
- https://qbs-cell001.dp.appintegrations.us-east-1.prod.plato.ai.aws.dev/auth/idc-tti/callback
Microsoft Entra ID uses the callback URLs to return the user's sign-in response to IAM Identity Center for the correct AWS Region (eu-west-1 or us-east-1). Use these exact URLs; they are the specific values required for Amazon Quick deployments.
- Grant the Microsoft Graph User.Read permission to allow the application to sign in users and read their basic profile information. This delegated permission doesn't require admin consent.
In subsequent steps, you'll need your Microsoft tenant ID, application client ID, and client secret value.
Create trusted token issuer in IAM Identity Center
In this step, you create trusted token issuers in IAM Identity Center. A trusted token issuer is a configuration in IAM Identity Center that validates tokens issued by Microsoft Entra ID. You can use it for cross-system authentication, so users can move between Microsoft 365 and AWS without repeated sign-ins. Complete the following steps to configure the trusted token issuer with your Microsoft tenant's issuer URL and map the email attribute:
- On the IAM Identity Center console, choose Settings in the navigation pane.
- Choose Create trusted token issuer.
- For Issuer URL, enter the URL for your trusted token issuer in the format https://login.microsoftonline.com/[YOUR_TENANT_ID]/v2.0, using the tenant ID you retrieved in the previous step.
- For Trusted token issuer name, enter a name for your trusted token issuer in the format [YOUR_COMPANY_NAME]-MS365Extensions-Trust-Token-Issuer, using your company name.
- Choose Create trusted token issuer.
This configuration applies to every AWS Region where you will be deploying the extensions.
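To make concrete which token claims the trusted token issuer configured above and the Aud claim entered later under extension access have to line up with, here is an added illustration (not code from the post or from AWS). It decodes a constructed sample token and reports mismatches in the issuer URL (tenant), audience (client ID), expiry and email attribute; the tenant and client IDs are placeholders, and signature verification against the Entra ID signing keys, which IAM Identity Center performs, is deliberately not reproduced.

```python
import base64
import json
import time

# Added example (not the post's code): constructed placeholder tenant and client IDs.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

def issuer_url(tenant_id):
    """Issuer URL in the format the post specifies for the trusted token issuer."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_sample_token(claims):
    """Assemble header.payload.signature as test input; the signature is a dummy."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummysig"

def read_claims(token):
    """Decode the payload segment only (no signature check; see check_tti_claims)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_tti_claims(token, tenant_id, client_id, now=None):
    """Return the claim mismatches the trusted token issuer would reject (empty = OK).

    Signature verification against the Entra ID signing keys is done by IAM Identity
    Center and is not reproduced here; this only shows which claims must line up.
    """
    claims = read_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer_url(tenant_id):
        problems.append("iss does not match the tenant issuer URL")
    if claims.get("aud") != client_id:
        problems.append("aud is not the application's client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    if not claims.get("email"):
        problems.append("email attribute is missing, so the user cannot be mapped")
    return problems

# Constructed token that satisfies every check for the placeholder tenant and client.
GOOD_TOKEN = build_sample_token({"iss": issuer_url(TENANT_ID), "aud": CLIENT_ID,
                                 "exp": 2_000_000_000, "email": "user@mycompany.example"})
```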
With the global identity components in place, you can now configure each AWS Region with its own secrets, roles, and extension settings that enforce data residency for each geographic AWS Region.
Set up IAM permissions and Secrets Manager entries
In this step, you create the required secrets to store Microsoft 365 extension credentials and the IAM permissions that grant read access to those secrets.
Create one secret per AWS Region (eu-west-1 and us-east-1) in Secrets Manager, following the naming convention [YOUR_COMPANY_NAME]/MS365/Extensions/[AWS_REGION]:
{
  "client_id": "[YOUR_CLIENT_ID]",
  "client_secret": "[YOUR_CLIENT_SECRET]"
}
Create an IAM policy called [YOUR_COMPANY_NAME]-MS365-Extensions-Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SecretManagerPermissions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "[SECRET_EU_WEST_1_ARN]",
        "[SECRET_US_EAST_1_ARN]"
      ]
    },
    {
      "Sid": "TokenIssuerPermissions",
      "Effect": "Allow",
      "Action": [
        "sso:DescribeTrustedTokenIssuer"
      ],
      "Resource": "[YOUR_TTI_ARN]"
    }
  ]
}
Use the following trust relationship (note that the Service list must not end with a trailing comma, which is invalid JSON):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "eu-west-1.prod.appintegrations.plato.aws.internal",
          "us-east-1.prod.appintegrations.plato.aws.internal"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Each time you activate a new AWS Region, you must create a new secret in Secrets Manager and add the new secret's Amazon Resource Name (ARN) to the Resource list in the IAM policy. You must also add the new AWS Region you want to activate to the Service field in the IAM role trust relationship. This field identifies the Regional service principal, which is the specific AWS service identity (for example, eu-west-1.prod.appintegrations.plato.aws.internal) that requires permission to assume your IAM role in that specific AWS Region.
Note the created IAM role ARN. You'll need it in the next step.
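Because both documents must be extended in lockstep whenever a Region is added, here is an added example (not code from the post or from AWS) that generates the policy and trust relationship from a Region-to-secret map and reports what is still missing for a given Region, which is also the check behind the "confirm the IAM role trust relationship includes the correct service principal" troubleshooting tip. The account ID and ARNs are constructed placeholders following the post's naming convention.

```python
# Added example (not the post's own code). The service-principal pattern follows the
# post; the account ID and ARNs below are constructed placeholders.
SERVICE_PRINCIPAL = "{region}.prod.appintegrations.plato.aws.internal"

def build_secrets_policy(secret_arns, tti_arn):
    """Least-privilege policy: GetSecretValue only on the listed Regional secrets."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SecretManagerPermissions", "Effect": "Allow",
             "Action": ["secretsmanager:GetSecretValue"],
             "Resource": list(secret_arns.values())},
            {"Sid": "TokenIssuerPermissions", "Effect": "Allow",
             "Action": ["sso:DescribeTrustedTokenIssuer"], "Resource": tti_arn},
        ],
    }

def build_trust_policy(regions):
    """Trust relationship: one Regional service principal per activated Region."""
    principals = [SERVICE_PRINCIPAL.format(region=r) for r in regions]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": principals},
                       "Action": "sts:AssumeRole", "Condition": {}}],
    }

def missing_for_region(region, secret_arn, policy, trust):
    """List what must still be added before the extension can be activated in `region`."""
    problems = []
    allowed = [arn for stmt in policy["Statement"]
               if stmt["Sid"] == "SecretManagerPermissions" for arn in stmt["Resource"]]
    if secret_arn not in allowed:
        problems.append(f"secret ARN for {region} is not in the policy Resource list")
    principals = [p for stmt in trust["Statement"]
                  for p in stmt["Principal"].get("Service", [])]
    if SERVICE_PRINCIPAL.format(region=region) not in principals:
        problems.append(f"service principal for {region} is missing from the trust relationship")
    return problems

SECRETS = {  # constructed placeholder ARNs following the post's naming convention
    "eu-west-1": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:MyCompany/MS365/Extensions/eu-west-1-AbCdEf",
    "us-east-1": "arn:aws:secretsmanager:us-east-1:111122223333:secret:MyCompany/MS365/Extensions/us-east-1-GhIjKl",
}
TTI_ARN = "arn:aws:sso::111122223333:trustedTokenIssuer/ssoins-EXAMPLE/tti-EXAMPLE"  # placeholder
POLICY = build_secrets_policy(SECRETS, TTI_ARN)
TRUST = build_trust_policy(SECRETS)  # iterating the dict yields the Region names
```

Running `missing_for_region("ap-southeast-2", ..., POLICY, TRUST)` for a Region not yet in `SECRETS` returns both gaps, which is exactly the pair of edits the paragraph above describes.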
Configure extensions in Amazon Quick
Complete the following steps to create Amazon Quick managed extensions for Microsoft Teams:
- Sign in to the Amazon Quick console.
- In the top right, choose the profile icon.
- Choose the Europe (Ireland) Region.
- On the drop-down menu, choose Manage Quick.
- Under Permissions in the navigation pane, choose Extension access.
- Choose Add extension access.
- Set up your trusted token issuer:
- For Trusted Token Issuer Arn, enter the ARN for the trusted token issuer you created.
- For Aud claim, enter your client ID.
The Audience (Aud) claim is a security identifier that validates that the authentication token is only used by the specific application it was intended for, preventing unauthorized access from other entities. These settings are shared across extension accesses in this AWS Region.
- Select Microsoft Teams from the available extension types.
- Configure the extension with your Microsoft 365 tenant ID, security attributes, and authentication settings:
- Enter a name and optional description.
- For Microsoft tenant ID, enter your tenant ID.
- For Secrets Role ARN, enter the ARN for your Secrets Manager role.
- For Secrets ARN, enter the ARN for your secret. The ARN is Region-specific and must point to your Regional AWS resources.
- Return to the Amazon Quick console.
- Choose Extensions in the navigation pane, then choose Create extension.
- Create a Microsoft Teams extension.
- Choose the options menu (three dots) next to your extension and choose Install.
This process creates an Enterprise application in Microsoft Entra ID with the unique URLs and instructions Microsoft 365 Teams needs to communicate with the specific Regional AWS assets. Application installation requires permissions to install an Enterprise application in Microsoft Entra ID.
When the installation is complete, the following entry will be displayed in the Microsoft Entra ID Enterprise application.
- Repeat these steps to create an extension and install the application in the us-east-1 Region. Follow the same naming convention with the AWS Region suffix, and use the secret ARN for the us-east-1 Region.
Create chat agents
After the Regional applications are deployed, you create the AWS Region-specific chat agents that each add-on will access. Each AWS Region maintains its own agent with localized knowledge bases. Complete the following steps:
- Open the Amazon Quick console in eu-west-1.
- In the navigation pane, choose Chat agents, then choose Create chat agent.
- Create a Regional chat agent in eu-west-1 with European corporate knowledge. The naming convention includes the AWS Region identifier for easy management across multiple Regions: [YOUR_COMPANY_NAME]-Knowledge-Agent-eu-west-1.
- Repeat these steps to create a chat agent in us-east-1 with US-specific corporate information, called [YOUR_COMPANY_NAME]-Knowledge-Agent-us-east-1.
The final step is deploying the correct Regional add-on to the correct user group in Microsoft 365.
Deploy Microsoft Teams applications
In the last step, you assign each Microsoft Teams application to its respective Regional group. Complete the following steps:
- In the Microsoft Teams Admin Center, choose Teams apps.
- Choose Manage apps and filter the applications by "Amazon Quick."
- Choose the first application (in the eu-west-1 Region) and choose Edit Availability.
- Assign the extension to specific Regional user groups rather than your entire organization. This group-based deployment automatically routes your users to their correct Regional Amazon Quick account resources.
- Repeat the same process with the Microsoft Teams application in the us-east-1 Region.
The following screenshot shows what the configuration will look like in the Microsoft Teams Admin Center.
After deployment propagates, you can validate that users are automatically routed to the correct Regional agent.
Verify the implementation
EU users can use the MyCompany-Teams-eu-west-1 agent when they are interacting with the Microsoft Teams extension. The plugin selects the My Assistant chat agent by default, so you must choose the settings (gear) icon and choose the MyCompany-Knowledge-Agent-eu-west-1 chat agent.
The following screenshot shows an example of interacting with the chat agent.
US users can use the MyCompany-Knowledge-Agent-us-east-1 chat agent, demonstrating successful Regional routing without manual configuration.
Troubleshooting
The following tips can help you troubleshoot some common issues you might encounter while setting up Amazon Quick extensions:
- Quick extension doesn't show in Microsoft Teams:
- Wait 24–48 hours for Microsoft 365 deployment propagation
- Verify the user is in the correct Microsoft Entra ID group
- Clear the Microsoft Office add-on cache and restart Teams
- Issues with authentication in the Amazon Quick extension:
- Verify the redirect URLs match exactly in Microsoft Entra ID
- Check the trusted token issuer configuration
- Confirm the IAM role trust relationship includes the correct service principal
- Wrong agent listed in the Amazon Quick extension:
- Verify user group membership (the user should only be in one Regional group)
- Check the manifest-to-group assignment in the Microsoft 365 Admin Center
- Have the user sign out and sign in again
- The agents drop-down list in the Amazon Quick extension is empty:
- Validate the agent is shared with users on the Amazon Quick console
- Verify the agent exists in the same AWS Region as the extension
- Check that agent permissions are set to at least User level
Clean up
To avoid ongoing costs, clean up the resources you created as part of this post if you no longer need them.
Conclusion
This multi-Region Amazon Quick extension solution for Microsoft 365 provides compliant, AWS Region-aware AI capabilities for your global workforce. The architecture and implementation steps in this post show how to integrate enterprise AI with productivity tools while maintaining data residency and compliance boundaries.
For more details on AI-powered assistants that enhance productivity without switching applications, refer to Extension access. Refer to Getting started with Amazon Quick to start using Amazon Quick today.
About the authors
Ramón Díez Lejarazu is an AI Strategist and Builder at Amazon Web Services who builds AI-powered solutions grounded in real business needs. He leads projects with the firm conviction that technology must solve actual problems for people and organizations.
Anneline Sibanda is an AI Builder at Amazon Web Services, specializing in the architecture and delivery of agentic and generative AI solutions. She is a key technical partner for enterprises bridging the gap between innovative concepts and production-ready applications.
David Perez Caparrós is a Principal AI Strategist at Amazon Web Services, where he helps customers and industry partners design, deploy, and operate generative AI solutions on AWS. With over 15 years of experience, David has become a trusted advisor to organizations navigating their AI transformation journeys.