
Enforce data residency with Amazon Quick extensions for Microsoft Teams

by admin
March 22, 2026
in Artificial Intelligence


Organizations with users in multiple geographies face data residency requirements such as the General Data Protection Regulation (GDPR) in Europe, country-specific data sovereignty laws, and internal compliance policies. Amazon Quick with Microsoft 365 extensions supports Regional routing to meet these requirements.

Amazon Quick supports multi-Region deployments so you can route users to AWS Region-specific Amazon Quick resources (Quick chat agents, Quick Flows, knowledge bases, and more). Regulated industries such as financial services, healthcare, energy, and telecommunications commonly use this pattern to keep data within specific geographical boundaries.

If you integrate Amazon Quick with Microsoft 365 applications, in this instance Microsoft Teams, users must authenticate and connect to their appropriate Regional Amazon Quick resources. Regional routing makes sure users access the chat agents and resources they build in their Amazon Quick Region. In this post, we show you how to enforce data residency when deploying Amazon Quick Microsoft Teams extensions across multiple AWS Regions. You'll learn how to configure multi-Region Amazon Quick extensions that automatically route users to AWS Region-appropriate resources, helping maintain compliance with GDPR and other data sovereignty requirements.

Solution overview

In this post, we present a real-world example with MyCompany, a fictional global organization with European headquarters accessing Amazon Quick in the Europe (Ireland) Region (eu-west-1) and a US branch in the US East (N. Virginia) Region (us-east-1). A single Amazon Quick account has AWS Region-specific chat agents (MyCompany-Knowledge-Agent-eu-west-1 and MyCompany-Knowledge-Agent-us-east-1) containing localized corporate information.

Regional routing requires AWS IAM Identity Center with a trusted token issuer (TTI) for cross-system authentication. This post uses Microsoft Entra ID for group-based access control to demonstrate how organizations can automatically route users to their appropriate AWS Regions, though other identity management approaches are possible. This post focuses on the Amazon Quick extension for Microsoft Teams as the primary example.

The following architecture diagram demonstrates how to automate user routing across multiple AWS Regions by integrating Microsoft Entra ID with IAM Identity Center. By using Microsoft Entra ID group membership to direct users to their designated Regional Amazon Quick deployments, you can maintain data residency within specific geographic boundaries while providing a consistent experience for your global workforce.

Architecture diagram showing a 6-step integration workflow between Amazon Quick and Microsoft Teams across two AWS regions (eu-west-1 and us-east-1), including IAM Identity Center, AWS Secrets Manager, and MS Entra ID components

To implement this design, you follow a multi-phase process that begins with AWS Management Console configuration and concludes with the deployment of Regional add-ons to your users. At a high level, this post shows you how to configure identity and trust one time, then repeat a small set of Regional steps per AWS Region. The following steps summarize the high-level workflow:

  1. Initiate setup on the Amazon Quick console and choose the AWS Region to configure.
  2. Configure the Regional Microsoft Teams extension integration, including an AWS Identity and Access Management (IAM) role and AWS Secrets Manager secret for that AWS Region, and trust IAM Identity Center as a token issuer.
  3. Activate the extension in Amazon Quick to generate the Regional manifest file.
  4. Register the extension callbacks in your Microsoft Entra ID application and complete the activation callback for the application across all AWS Regions.
  5. Deploy the Microsoft Teams add-on ([YOUR_COMPANY_NAME]-Teams-[AWS_REGION]) to your Regional user groups through Microsoft Entra ID.
  6. Map the Regional add-on to its designated knowledge agent ([YOUR_COMPANY_NAME]-Teams-[AWS_REGION] Agent) to grant users access to localized data.

Prerequisites

Your AWS environment must have Amazon Quick active in your target AWS Regions, along with the identity and secret management services used to handle Regional authentication. For AWS services, you must have the following in place:

  • An active Amazon Quick account
  • IAM Identity Center configured and managing user identities for your organization with SAML integration with Microsoft Entra ID
  • Secrets Manager available in both target AWS Regions for storing authentication credentials
  • IAM access to create roles and policies

For Microsoft 365, you must have the following for admin access:

  • A Global Administrator or Application Administrator role in Microsoft Entra ID
  • Access to Microsoft 365 Admin Center for application deployment
  • Permissions to create and configure Enterprise applications in Microsoft Entra ID

Create Microsoft Entra ID application

We start by setting up the shared identity foundation used by each AWS Region. In this first step, you create a Microsoft Entra ID application. The Microsoft 365 extensions use the Microsoft Entra ID application to authenticate users against Amazon Quick through IAM Identity Center. Complete the following steps to create your application:

  1. In your Azure account, choose App registrations, then choose New registration.
  2. For Supported account types, choose Accounts in this organizational directory only (Private use only – Single tenant).
  3. Choose Register.
  4. Navigate to the application registration's Manage – Authentication tab.
  5. Choose Add Redirect URL.
  6. Choose Web.
  7. For this post, we use two redirect URLs, using the pattern https://qbs-cell001.dp.appintegrations.[AWS_REGION].prod.plato.ai.aws.dev/auth/idc-tti/callback:
    1. https://qbs-cell001.dp.appintegrations.eu-west-1.prod.plato.ai.aws.dev/auth/idc-tti/callback
    2. https://qbs-cell001.dp.appintegrations.us-east-1.prod.plato.ai.aws.dev/auth/idc-tti/callback

Microsoft Entra ID uses the callback URLs to return the user's sign-in response to IAM Identity Center for the correct AWS Region (eu-west-1 or us-east-1). Use these exact URLs; they are the specific values required for Amazon Quick deployments.

Amazon Quick IDC Extension Authentication configuration panel showing the Redirect URI configuration tab with two Web-type callback URLs for AWS regions us-east-1 and eu-west-1.

  8. Grant the Microsoft Graph User.Read permission to allow the application to sign in users and read their basic profile information. This delegated permission doesn't require admin consent.

Amazon Quick IDC Extension API permissions panel showing Microsoft Graph delegated permission User.Read configured with "No" admin consent requirement.

In subsequent steps, you will need your Microsoft tenant ID, application client ID, and client secret value.

Create trusted token issuer in IAM Identity Center

In this step, you create trusted token issuers in IAM Identity Center. A trusted token issuer is a configuration in IAM Identity Center that validates tokens issued by Microsoft Entra ID. You can use it for cross-system authentication, so users can move between Microsoft 365 and AWS without repeated sign-ins. Complete the following steps to configure the trusted token issuer with your Microsoft tenant's issuer URL and map the email attribute:

  1. On the IAM Identity Center console, choose Settings in the navigation pane.
  2. Choose Create trusted token issuer.
  3. For Issuer URL, enter the URL for your trusted token issuer in the format https://login.microsoftonline.com/[YOUR_TENANT_ID]/v2.0, using the tenant ID you retrieved from the previous step.
  4. For Trusted token issuer name, enter a name for your trusted token issuer in the format [YOUR_COMPANY_NAME]-MS365Extensions-Trust-Token-Issuer, using your company name.
  5. Choose Create trusted token issuer.

This configuration applies to each AWS Region where you will be deploying the extensions.

AWS IAM Identity Center form for creating a trusted token issuer with Microsoft Entra ID login URL, issuer name "MyCompany-MS365Extensions-Trust-Token-Issuer", and email-to-email attribute mapping for JWT identity propagation.

With the global identity components in place, you can now configure each AWS Region with its own secrets, roles, and extension settings that enforce data residency for each geographic AWS Region.

Set up IAM permissions and Secrets Manager entries

In this step, you create the necessary secrets to store Microsoft 365 extension credentials and IAM permissions that grant read access to secrets.

Create one secret per AWS Region (eu-west-1 and us-east-1) in Secrets Manager following the naming convention [YOUR_COMPANY_NAME]/MS365/Extensions/[AWS_REGION]:

{
    "client_id": "[YOUR_CLIENT_ID]",
    "client_secret": "[YOUR_CLIENT_SECRET]"
}

Create an IAM policy called [YOUR_COMPANY_NAME]-MS365-Extensions-Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecretManagerPermissions",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "[SECRET_EU_WEST_1_ARN]",
                "[SECRET_US_EAST_1_ARN]"
            ]
        },
        {
            "Sid": "TokenIssuerPermissions",
            "Effect": "Allow",
            "Action": [
                "sso:DescribeTrustedTokenIssuer"
            ],
            "Resource": "[YOUR_TTI_ARN]"
        }
    ]
}

Use the following trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "eu-west-1.prod.appintegrations.plato.aws.internal",
                    "us-east-1.prod.appintegrations.plato.aws.internal"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Each time you activate a new AWS Region, you must create a new secret in Secrets Manager and add the new secret Amazon Resource Name (ARN) to the Resource list in the IAM policy. You must also add the new AWS Region you want to activate to the Service field in the IAM role trust relationship. This field identifies the Regional service principal, which is the specific AWS service identity (for example, eu-west-1.prod.appintegrations.plato.aws.internal) that requires permission to assume your IAM roles in that specific AWS Region.

Take note of the created IAM role ARN. You will need it in the next step.
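The per-Region bookkeeping described above (secret ARN in the policy, service principal in the trust relationship, redirect URL in Microsoft Entra ID) is easy to leave half done when a Region is added. The following check is an added example, not code from the original post; the account ID, secret suffixes, and the third Region are constructed sample values, and the function names are hypothetical.

```python
import re

# Patterns quoted from the post. Account ID, secret suffixes and the third
# Region used in the demo are constructed sample values.
SERVICE_PRINCIPAL_SUFFIX = ".prod.appintegrations.plato.aws.internal"
REDIRECT_URL = ("https://qbs-cell001.dp.appintegrations.{region}"
                ".prod.plato.ai.aws.dev/auth/idc-tti/callback")

def _as_list(value):
    """IAM accepts either a single value or a list for these fields."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def secret_regions(policy):
    """Map Region -> secret ARNs the policy allows GetSecretValue on."""
    found = {}
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "secretsmanager:GetSecretValue" not in actions:
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 6)  # arn:aws:secretsmanager:<region>:<acct>:secret:<name>
            ok = len(parts) == 7 and parts[2] == "secretsmanager"
            found.setdefault(parts[3] if ok else "*", []).append(arn)
    return found

def trusted_regions(trust):
    """Regions whose Regional service principal may assume the role."""
    regions = set()
    for stmt in _as_list(trust.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        for svc in _as_list(principal.get("Service", [])):
            if svc.endswith(SERVICE_PRINCIPAL_SUFFIX):
                regions.add(svc[:-len(SERVICE_PRINCIPAL_SUFFIX)])
    return regions

def check_regions(active, policy, trust, redirect_urls):
    """Return {region: [problems]}; an empty dict means every Region is wired up."""
    secrets, trusted, report = secret_regions(policy), trusted_regions(trust), {}
    for region in active:
        problems = []
        name = re.compile(r":secret:[^:/]+/MS365/Extensions/" + re.escape(region) + r"(-|$)")
        if region not in secrets:
            problems.append("secret ARN missing from policy Resource list")
        elif not any(name.search(arn) for arn in secrets[region]):
            problems.append("secret name breaks the naming convention")
        if region not in trusted:
            problems.append("service principal missing from trust relationship")
        if REDIRECT_URL.format(region=region) not in redirect_urls:
            problems.append("redirect URL not registered in Entra ID")
        if problems:
            report[region] = problems
    for extra in sorted((set(secrets) | trusted) - set(active)):
        report[extra] = ["wildcard or non-secret Resource" if extra == "*" else "granted in IAM but not an active Region"]
    return report

ACCT = "111122223333"  # constructed account ID
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "SecretManagerPermissions", "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue"],
    "Resource": [
        f"arn:aws:secretsmanager:eu-west-1:{ACCT}:secret:MyCompany/MS365/Extensions/eu-west-1-AbCdEf",
        f"arn:aws:secretsmanager:us-east-1:{ACCT}:secret:MyCompany/MS365/Extensions/us-east-1-GhIjKl",
    ]}]}
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["eu-west-1" + SERVICE_PRINCIPAL_SUFFIX,
                              "us-east-1" + SERVICE_PRINCIPAL_SUFFIX]}}]}
REDIRECTS = {REDIRECT_URL.format(region=r) for r in ("eu-west-1", "us-east-1")}

if __name__ == "__main__":
    # ap-southeast-2 stands in for a Region activated without the IAM updates.
    print(check_regions(["eu-west-1", "us-east-1", "ap-southeast-2"], POLICY, TRUST, REDIRECTS))
```

The check also reports Regions that are still granted in IAM after they stop being active, which is the least-privilege counterpart of the missing-Region case.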

Configure extensions in Amazon Quick

Complete the following steps to create Amazon Quick managed extensions for Microsoft Teams:

  1. Sign in to the Amazon Quick console.
  2. In the top right, choose the profile icon.
  3. Choose the EU (Ireland) Region.
  4. On the drop-down menu, choose Manage Quick.
  5. Under Permissions in the navigation pane, choose Extension access.
  6. Choose Add extension access.
  7. Set up your trusted token issuer:
    1. For Trusted Token Issuer Arn, enter the ARN for the trusted token issuer you created.
    2. For Aud claim, enter your client ID.

The Audience (Aud) claim is a security identifier that validates that the authentication token is only used by the specific application it was intended for, preventing unauthorized access from other entities. These settings are shared across extension accesses in this AWS Region.

Add extension access wizard Step 1 showing Trusted Token Issuer Setup with red-highlighted required input fields for Trusted Token Issuer ARN and Aud claim, and a blue warning banner about global settings impact.

  8. Select Microsoft Teams from the available extension types.

Add extension access wizard Step 2 showing four Microsoft 365 service options — Word Add-in, Outlook Add-in, Teams bot (selected), and Slack bot — for creating extension access.

  9. Configure the extension with your Microsoft 365 tenant ID, security attributes, and authentication settings:
    1. Enter a name and optional description.
    2. For Microsoft tenant ID, enter your tenant ID.
    3. For Secrets Role ARN, enter the ARN for your Secrets Manager role.
    4. For Secrets ARN, enter the ARN for your secret. The ARN is Region-specific and must point to your Regional AWS resources.

Add extension access Details step showing Microsoft Teams extension configuration form with Name "Teams-access", M365 Tenant ID, Email-to-User Principal Name attribute mapping, and Authentication settings fields for Secrets Role ARN and Secrets ARN.

  10. Return to the Amazon Quick console.
  11. Choose Extensions in the navigation pane, then choose Create extension.
  12. Create a Microsoft Teams extension.
  13. Choose the options menu (three dots) next to your extension and choose Install.

This process creates an Enterprise application in Microsoft Entra ID with the unique URLs and instructions Microsoft 365 Teams needs to communicate with the specific Regional AWS assets. Application installation requires permissions to install an Enterprise application in Microsoft Entra ID.

Amazon Quick Extensions page showing Browser-extension marked "Available" and MyCompany-extension-teams-eu-west-1 for Microsoft Teams, with context menu displaying Install option highlighted in green.

When the installation is complete, the following entry is displayed in the Microsoft Entra ID Enterprise application.

Microsoft Entra Enterprise applications admin portal showing search results for "qbs-cell001-prod-dub-teams" with one matching application found and its Object ID displayed.

  14. Repeat these steps to create an extension and install the application in the us-east-1 Region. Follow the same naming convention with the AWS Region suffix, and use the secret ARN for the us-east-1 Region.

Amazon Quick Extensions page showing Browser-extension marked "Available" for Chrome, Firefox, and Edge, and MyCompany-extension-teams-us-east-1 for Microsoft Teams marked "Available", with context menu showing Install option highlighted in green.

Create chat agents

After the Regional applications are deployed, you create the AWS Region-specific chat agents that each add-on will access. Each AWS Region maintains its own agent with localized knowledge bases. Complete the following steps:

  1. Open the Amazon Quick console in eu-west-1.
  2. In the navigation pane, choose Chat agents, then choose Create chat agent.
  3. Create a Regional chat agent in eu-west-1 with European corporate information. The naming convention includes the AWS Region identifier for easy management across multiple Regions: [YOUR_COMPANY_NAME]-Knowledge-Agent-eu-west-1.

Amazon Quick chat agents list filtered by "Recently used" showing MyCompany-Knowledge-Agent-eu-west-1 modified 3 minutes ago, a redacted agent entry modified 11 days ago, and My Assistant default system agent modified 3 months ago, all with Chat action buttons.

  4. Repeat these steps to create a chat agent in us-east-1 with US-specific corporate information, called [YOUR_COMPANY_NAME]-Knowledge-Agent-us-east-1.

Amazon Quick chat agents management list showing MyCompany-Knowledge-Agent-us-east-1 created by Me with owner permission modified 2 minutes ago, and My Assistant default system agent created by System without owner permission modified 2 months ago.

The final step is deploying the correct Regional add-on to the correct user group in Microsoft 365.

Deploy Microsoft Teams applications

In the last step, you assign each Microsoft Teams application to its respective Regional group. Complete the following steps:

  1. In Microsoft Teams Admin Center, choose Teams apps.
  2. Choose Manage apps and filter the applications by “Amazon Quick.”

Microsoft Teams admin center app management table showing two Amazon Quick entries available to "Everyone" with "Unblocked" status, filtered by search query "amazon quick".

  3. Choose the first application (in the eu-west-1 Region) and choose Edit Availability.
  4. Assign the extension to specific Regional user groups rather than the entire organization. This group-based deployment automatically routes your users to their correct Regional Amazon Quick account resources.

Microsoft Teams admin center Manage Apps page showing two Amazon Quick app entries with "Unblocked" status, and Edit availability side panel open with "Specific users or groups" selected and MyCompany-group-eu-west-1 (1 member) configured.

  5. Repeat the same process with the Microsoft Teams application in the us-east-1 Region.

The following screenshot shows what the configuration will look like in Microsoft Teams Admin Center.

Microsoft Teams admin center Manage Apps search results showing two Amazon Quick app entries, both unblocked and available to 1 group, supported on multiple Microsoft platforms, published by Amazon.

After deployment propagates, you can validate that users are automatically routed to the correct Regional agent.

Verify the implementation

EU users can use the MyCompany-Teams-eu-west-1 agent when they are interacting with the Microsoft Teams extension. The plugin selects the My Assistant chat agent by default, so you must choose the settings (gear) icon and choose the MyCompany-Knowledge-Agent-eu-west-1 chat agent.

Amazon Quick Settings dialog showing selected agent "MyCompany-Knowledge-Agent-eu-west-1", conversation scope set to "Agent's Associations", Web Search enabled, with Back, Save Default, and Save Current action buttons.

The following screenshot shows an example of interacting with the chat agent.

Amazon Quick chat interface showing MyCompany-Knowledge-Agent-eu-west-1 active with Agent's Associations scope and Web Search enabled, displaying welcome message "Hello again! Welcome back" with thumbs up/down feedback buttons and New Chat option.

US users can use the MyCompany-Knowledge-Agent-us-east-1 chat agent, demonstrating successful Regional routing without manual configuration.

Troubleshooting

The following tips can help you troubleshoot some common issues you might encounter while setting up Amazon Quick extensions:

  • Quick extension doesn't show in Microsoft Teams:
    • Wait 24–48 hours for Microsoft 365 deployment propagation
    • Verify the user is in the correct Microsoft Entra ID group
    • Clear the Microsoft Office add-on cache and restart Teams
  • Issues with authentication in Amazon Quick extension:
    • Verify the redirect URLs match exactly in Microsoft Entra ID
    • Check the trusted token issuer configuration
    • Confirm the IAM role trust relationship includes the correct service principal
  • Wrong agent listed in the Amazon Quick extension:
    • Verify user group membership (should only be in one Regional group)
    • Check the manifest-to-group assignment in Microsoft 365 Admin Center
    • Have the user sign out and sign in again
  • The agents drop-down list in the Amazon Quick extension is empty:
    • Validate the agent is shared with users on the Amazon Quick console
    • Verify the agent exists in the same AWS Region as the extension
    • Check agent permissions are set to at least User level
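For the authentication items above, it helps to compare the claims in a captured Microsoft Entra ID token with the Issuer URL and Aud claim configured earlier. The following diagnostic is an added example, not code from the original post: it decodes the payload without verifying the signature, assumes the mapped attribute arrives in a claim named email, and uses placeholder tenant and client IDs with constructed tokens.

```python
import base64
import json
import time

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    try:
        _header, payload, _signature = token.split(".")
        return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("not a three-part JWT with a JSON payload") from exc

def check_tti_claims(claims, tenant_id, client_id, now=None):
    """Compare token claims with the trusted token issuer and Aud claim settings."""
    problems = []
    issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} is not the Issuer URL {issuer!r}")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else list(aud or [])):
        problems.append("aud does not contain the client ID set as the Aud claim")
    if not claims.get("email"):
        problems.append("no email claim for the attribute mapping")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        problems.append("exp is missing or in the past")
    return problems

def _sample_token(claims):
    """Build an unsigned, constructed token for the demonstration."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
CLIENT = "11111111-1111-1111-1111-111111111111"  # placeholder client ID
GOOD = _sample_token({"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
                      "aud": CLIENT, "email": "user@example.com", "exp": 2_000_000_000})
# Constructed failure: v1.0-style issuer, audience of another application, no email.
BAD = _sample_token({"iss": f"https://sts.windows.net/{TENANT}/",
                     "aud": "22222222-2222-2222-2222-222222222222", "exp": 2_000_000_000})

if __name__ == "__main__":
    for label, token in (("good", GOOD), ("bad", BAD)):
        print(label, check_tti_claims(jwt_claims(token), TENANT, CLIENT, now=1_900_000_000))
```

Signature validation stays with IAM Identity Center; this check only shows which configured value a rejected token disagrees with.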

Clean up

To avoid ongoing charges, clean up the resources you created as part of this post when you no longer need them.

Conclusion

This multi-Region Amazon Quick extension solution for Microsoft 365 provides compliant, AWS Region-aware AI capabilities to your global workforce. The architecture and implementation steps in this post show how to integrate enterprise AI with productivity tools while maintaining data residency and compliance boundaries.

For more details on AI-powered assistants that enhance productivity without switching applications, refer to Extension access. Refer to Getting started with Amazon Quick to start using Amazon Quick today.


About the authors

Ramón Díez Lejarazu is an AI Strategist and Builder at Amazon Web Services who builds AI-powered solutions grounded in real business needs. He leads initiatives with the firm conviction that technology must solve actual problems for people and organizations.

Anneline Sibanda is an AI Builder at Amazon Web Services, specializing in the architecture and delivery of agentic and generative AI solutions. She is a key technical partner for enterprises bridging the gap between innovative concepts and production-ready applications.

David Perez Caparrós is a Principal AI Strategist at Amazon Web Services, where he helps customers and industry partners design, deploy, and operate generative AI solutions on AWS. With over 15 years of experience, David has become a trusted advisor to organizations navigating their AI transformation journeys.
