I'm encountering issues while trying to manage an AWS Cognito User Pool Client using the AWS CLI. My goal is to either update an existing user pool client or create a new one with specific configurations, including AzureAD as an identity provider. Below are the details of my attempts and the errors I'm facing.
I've changed the userPoolId and ClientId here for security.
Attempt 1: Updating an Existing User Pool Client
I ran the following command to update a user pool client:
aws cognito-idp update-user-pool-client \
--user-pool-id myUserPoolId \
--client-id myClientId \
--client-name CognitoConstructVitalUserPool \
--supported-identity-providers '["AzureAD", "COGNITO"]' \
--callback-urls '["https://myDomain/login", "https://myDomain/api/oauth2-redirect.html", "my-://cognito"]' \
--logout-urls '["https://myDomain/login", "my-://cognito"]' \
--read-attributes '["email", "family_name", "given_name", "name"]' \
--write-attributes '["email", "family_name", "given_name", "name"]' \
--region us-east-1 \
--allowed-o-auth-flows '["code"]' \
--allowed-o-auth-scopes '["email", "openid", "profile"]'
However, I receive this error:
An error occurred (ResourceNotFoundException) when calling the UpdateUserPoolClient operation: User pool client does not exist.
Attempt 2: Creating a New User Pool Client
Since the update failed, I attempted to create a new client with the same configuration:
aws cognito-idp create-user-pool-client \
--user-pool-id MyUserPool \
--client-name CognitoConstructVitalUserPool \
--supported-identity-providers '["AzureAD", "COGNITO"]' \
--callback-urls '["https://myDomain/login", "https://myDomain/api/oauth2-redirect.html", "my-://cognito"]' \
--logout-urls '["https://myDomain/login", "my-://cognito"]' \
--read-attributes '["email", "family_name", "given_name", "name"]' \
--write-attributes '["email", "family_name", "given_name", "name"]' \
--region us-east-1 \
--allowed-o-auth-flows '["code"]' \
--allowed-o-auth-scopes '["email", "openid", "profile"]'
This resulted in a different error:
An error occurred (InvalidParameterException) when calling the CreateUserPoolClient operation: The provider AzureAD does not exist for User Pool MyUserPool.
Verification and Questions
I’ve confirmed that the user pool ID is correct and exists in the us-east-1 region.
It seems the issue with the create-user-pool-client command is related to the AzureAD identity provider not being recognized, but I’m unsure why this is happening or how to resolve it.
For the update-user-pool-client command, it appears the client ID is invalid or missing, but I’d like to know if there’s a way to create a user pool client with a specific client ID rather than having Cognito generate one automatically.
What I Need Help With
How can I resolve the InvalidParameterException for the AzureAD provider? Does it need to be configured elsewhere in the user pool first?
What’s the correct process to either update an existing client or create a new one with this configuration?
Is it possible to specify a custom client ID when creating a user pool client via the AWS CLI?
Any guidance or examples would be greatly appreciated. Thank you!
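Added example, not part of the original post: a preflight check for the two conditions the quoted errors report, namely that the client ID belongs to the pool and that every name passed to --supported-identity-providers is configured in it. It relies on `aws cognito-idp list-user-pool-clients` and `list-identity-providers`; the function names and the REGION variable are assumptions of this example, and `COGNITO` is skipped because it is the pool's built-in user directory rather than a configured provider.

```bash
# Added example: the pool ID, client ID and provider names are whatever you pass in.
# REGION defaults to us-east-1, the region used in the post.
REGION="${REGION:-us-east-1}"

# Print every identity provider name configured in pool $1, one per line.
pool_providers() {
  local out
  out="$(aws cognito-idp list-identity-providers --user-pool-id "$1" \
    --region "$REGION" --query 'Providers[].ProviderName' --output text)" || return 2
  printf '%s\n' "$out" | tr '\t' '\n'
}

# Print every app client ID that exists in pool $1, one per line.
pool_clients() {
  local out
  out="$(aws cognito-idp list-user-pool-clients --user-pool-id "$1" \
    --region "$REGION" --query 'UserPoolClients[].ClientId' --output text)" || return 2
  printf '%s\n' "$out" | tr '\t' '\n'
}

# client_exists POOL_ID CLIENT_ID: succeeds only if the client belongs to the pool.
# A failure here corresponds to the ResourceNotFoundException from update-user-pool-client.
client_exists() {
  pool_clients "$1" | grep -Fxq -- "$2"
}

# missing_providers POOL_ID NAME...
# Prints each requested provider name that is not configured in the pool.
# Returns 0 if none are missing, 1 if any are, 2 if the lookup itself failed.
missing_providers() {
  local pool="$1" configured name rc=0
  shift
  configured="$(pool_providers "$pool")" || return 2
  for name in "$@"; do
    [ "$name" = "COGNITO" ] && continue   # built-in directory, not a listed provider
    if ! printf '%s\n' "$configured" | grep -Fxq -- "$name"; then
      printf '%s\n' "$name"               # exact, case-sensitive match required
      rc=1
    fi
  done
  return "$rc"
}
```

Run `missing_providers <pool-id> AzureAD COGNITO` and `client_exists <pool-id> <client-id>` before the create or update call; any name printed by the first must be added to the pool as an identity provider before a client can reference it.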