Create a directory for WorkSpaces Personal - Amazon WorkSpaces


Personal WorkSpaces allows you to use directories managed through AWS Directory Service to store and manage information for your WorkSpaces and users. The following are options for creating a WorkSpaces Personal directory:

  • Create a Simple AD directory.

  • Create an AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD.

  • Connect to an existing Microsoft Active Directory by using Active Directory Connector.

  • Create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain.

  • Create a dedicated Microsoft Entra ID WorkSpaces directory.

  • Create a dedicated Custom WorkSpaces directory.

Identify the computer name

The Computer Name value shown for a WorkSpace in the Amazon WorkSpaces console varies, depending on which type of WorkSpace you've launched (Amazon Linux, Ubuntu, or Windows). The computer name for a WorkSpace can be in one of these formats:

  • Amazon Linux: A-xxxxxxxxxxxxx

  • Red Hat Enterprise Linux: R-xxxxxxxxxxxxx

  • Ubuntu: U-xxxxxxxxxxxxx

  • Windows: IP-Cxxxxxx or WSAMZN-xxxxxxx or EC2AMAZ-xxxxxxx

For Windows WorkSpaces, the computer name format is determined by the bundle type, and in the case of WorkSpaces created from public bundles or from custom bundles based on public images, by when the public images were created.

Starting June 22, 2020, Windows WorkSpaces launched from public bundles have the WSAMZN-xxxxxxx format for their computer names instead of the IP-Cxxxxxx format.

For custom bundles based on a public image, if the public image was created before June 22, 2020, the computer names are in the EC2AMAZ-xxxxxxx format. If the public image was created on or after June 22, 2020, the computer names are in the WSAMZN-xxxxxxx format.

For Bring Your Own License (BYOL) bundles, either the DESKTOP-xxxxxxx or the EC2AMAZ-xxxxxxx format is used for the computer names by default.

If you've specified a custom format for the computer names in your custom or BYOL bundles, your custom format overrides these defaults. To specify a custom format, see Create a custom WorkSpaces image and bundle for WorkSpaces Personal.

Important

If you change the computer name for a WorkSpace through the Windows system settings, you will no longer be able to access the WorkSpace.
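As an added illustration of the formats listed above (example code, not part of the WorkSpaces documentation), the following Python maps a computer name taken from an inventory export to the platform and bundle origin its prefix implies, and lists the names that fit none of the default formats. The sample inventory is constructed, and matching the suffix as any non-empty run of alphanumerics is an assumption, since the page shows the suffixes only as placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Formats taken from the list above. The page shows the suffixes only as
# placeholders ("xxxxxxx"), so a suffix is matched as any non-empty run of
# alphanumerics; that looseness is an assumption of this example.
_PATTERNS = [
    (re.compile(r"^A-[A-Za-z0-9]+$"), "Amazon Linux", "default naming"),
    (re.compile(r"^R-[A-Za-z0-9]+$"), "Red Hat Enterprise Linux", "default naming"),
    (re.compile(r"^U-[A-Za-z0-9]+$"), "Ubuntu", "default naming"),
    (re.compile(r"^IP-C[A-Za-z0-9]+$"), "Windows",
     "public bundle launched before June 22, 2020"),
    (re.compile(r"^WSAMZN-[A-Za-z0-9]+$"), "Windows",
     "public bundle launched on or after June 22, 2020, or custom bundle "
     "from a public image created on or after that date"),
    (re.compile(r"^EC2AMAZ-[A-Za-z0-9]+$"), "Windows",
     "custom bundle from a public image created before June 22, 2020, "
     "or BYOL bundle"),
    (re.compile(r"^DESKTOP-[A-Za-z0-9]+$"), "Windows", "BYOL bundle"),
]


@dataclass
class Classification:
    name: str
    platform: Optional[str]  # None when the name matches no default format
    origin: Optional[str]


def classify(name: str) -> Classification:
    """Map one computer name to the platform and bundle origin its prefix implies."""
    for pattern, platform, origin in _PATTERNS:
        if pattern.match(name):
            return Classification(name, platform, origin)
    return Classification(name, None, None)


def find_unrecognised(names: List[str]) -> List[str]:
    """Names that fit none of the default formats.

    For a WorkSpace from a public bundle such a name suggests it was renamed
    through Windows system settings, which the page warns makes the WorkSpace
    inaccessible. Custom or BYOL bundles with a custom naming format land here
    too, so reconcile the list against the bundle type before acting on it.
    """
    return [n for n in names if classify(n).platform is None]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    "A-1A2B3C4D5E6F7",
    "U-9Z8Y7X6W5V4U3",
    "WSAMZN-1ABC2DE",
    "EC2AMAZ-ABC1234",
    "IP-C0A1B2C",
    "FINANCE-PC-01",  # renamed by hand; matches nothing
]

if __name__ == "__main__":
    for entry in SAMPLE_INVENTORY:
        c = classify(entry)
        print(f"{c.name:18} {c.platform or 'UNRECOGNISED':26} {c.origin or ''}")
    print("unrecognised:", find_unrecognised(SAMPLE_INVENTORY))
```

Run against a real export, an unrecognised name on a public-bundle WorkSpace is worth checking before users report that they can no longer connect.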

Note
  • Shared directories are not currently supported for use with Amazon WorkSpaces.

  • If you configure your AWS Managed Microsoft AD directory for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces. Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

  • Simple AD and AD Connector are made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD or AD Connector directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Service pricing terms.

The following tutorials show you how to create a WorkSpaces Personal directory.

Before you begin creating a directory

Create an AWS Managed Microsoft AD directory

In this tutorial, we create an AWS Managed Microsoft AD directory. For tutorials that use the other options, see Create a directory for WorkSpaces Personal.

First, create an AWS Managed Microsoft AD directory. AWS Directory Service creates two directory servers, one in each of the private subnets of your VPC. Note that there are no users in the directory initially. You will add a user in the next step when you launch the WorkSpace.

Note
  • Shared directories are not currently supported for use with Amazon WorkSpaces.

  • If your AWS Managed Microsoft AD directory has been configured for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces. Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

To create an AWS Managed Microsoft AD directory
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Choose Create directory.

  4. On the Create directory page, for WorkSpaces type choose Personal. Then, for WorkSpace device management choose AWS Directory Service.

  5. Choose Create directory, which opens the Set up a directory page in the AWS Directory Service console.

  6. Choose AWS Managed Microsoft AD, and then Next.

  7. Configure the directory as follows:

    1. For Organization name, enter a unique organization name for your directory (for example, my-demo-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and must not begin or end with a hyphen.

    2. For Directory DNS, enter the fully-qualified name for the directory (for example, workspaces.demo.com).

      Important

      If you need to update your DNS server after launching your WorkSpaces, follow the procedure in Update DNS servers for WorkSpaces Personal to ensure that your WorkSpaces get properly updated.

    3. For NetBIOS name, enter a short name for the directory (for example, workspaces).

    4. For Admin password and Confirm password, enter a password for the directory administrator account. For more information about the password requirements, see Create Your AWS Managed Microsoft AD Directory in the AWS Directory Service Administration Guide.

    5. (Optional) For Description, enter a description for the directory.

    6. For VPC, select the VPC that you created.

    7. For Subnets, select the two private subnets (with the CIDR blocks 10.0.1.0/24 and 10.0.2.0/24).

    8. Choose Next Step.

  8. Choose Create directory.

  9. You will be brought back to the Create directory page in the WorkSpaces console. The initial status of the directory is Requested and then Creating. When directory creation is complete (this might take a few minutes), the status is Active.

After you’ve created an AWS Managed Microsoft AD directory, you can register it with Amazon WorkSpaces. For more information, see Register an existing AWS Directory Service directory with WorkSpaces Personal.

Create a Simple AD directory

In this tutorial, we launch a WorkSpace that uses Simple AD. For tutorials that use the other options, see Create a directory for WorkSpaces Personal.

Note
  • Simple AD is not available in every Region. Verify the supported Regions and select a Region for your Simple AD directory. For more information about the supported Regions for Simple AD, see Region Availability for AWS Directory Service.

  • Simple AD is made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Service pricing terms.

When you create a Simple AD directory, AWS Directory Service creates two directory servers, one in each of the private subnets of your VPC. There are no users in the directory initially. Add a user after you create the WorkSpace. For more information, see Create a WorkSpace in WorkSpaces Personal.

To create a Simple AD directory
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Choose Create directory.

  4. On the Create directory page, for WorkSpaces type choose Personal. Then, for WorkSpace device management choose AWS Directory Service.

  5. Choose Create directory, which opens the Set up a directory page in the AWS Directory Service console.

  6. Choose Simple AD, and then Next.

  7. Configure the directory as follows:

    1. For Organization name, enter a unique organization name for your directory (for example, my-example-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and must not begin or end with a hyphen.

    2. For Directory DNS name, enter the fully-qualified name for the directory (for example, example.com).

      Important

      If you need to update your DNS server after launching your WorkSpaces, follow the procedure in Update DNS servers for WorkSpaces Personal to ensure that your WorkSpaces get properly updated.

    3. For NetBIOS name, enter a short name for the directory (for example, example).

    4. For Admin password and Confirm password, enter a password for the directory administrator account. For more information about the password requirements, see How to Create a Microsoft AD Directory in the AWS Directory Service Administration Guide.

    5. (Optional) For Description, enter a description for the directory.

    6. For Directory size, choose Small.

    7. For VPC, select the VPC that you created.

    8. For Subnets, select the two private subnets (with the CIDR blocks 10.0.1.0/24 and 10.0.2.0/24).

    9. Choose Next.

  8. Choose Create directory.

  9. You will be brought back to the Create directory page in the WorkSpaces console. The initial status of the directory is Requested and then Creating. When directory creation is complete (this might take a few minutes), the status is Active.

What happens during directory creation

WorkSpaces completes the following tasks on your behalf:

  • Creates an IAM role to allow the WorkSpaces service to create elastic network interfaces and list your WorkSpaces directories. This role has the name workspaces_DefaultRole.

  • Sets up a Simple AD directory in the VPC that is used to store user and WorkSpace information. The directory has an administrator account with the user name Administrator and the specified password.

  • Creates two security groups, one for directory controllers and another for WorkSpaces in the directory.

After you’ve created a Simple AD directory, you can register it with Amazon WorkSpaces. For more information, see Register an existing AWS Directory Service directory with WorkSpaces Personal.

Create an AD Connector

In this tutorial, we create an AD Connector. For tutorials that use the other options, see Create a directory for WorkSpaces Personal.

Create an AD Connector

Note

AD Connector is made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your AD Connector directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Service pricing terms.

To delete empty directories, see Delete a directory for WorkSpaces Personal. If you delete your AD Connector directory, you can always create a new one when you want to start using WorkSpaces again.

To create an AD Connector
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Choose Create directory.

  4. On the Create directory page, for WorkSpaces type choose Personal. Then, for WorkSpace device management choose AWS Directory Service.

  5. Choose Create directory, which opens the Set up a directory page in the AWS Directory Service console.

  6. Choose AWS Managed Microsoft AD, and then Next.

  7. For Organization name, enter a unique organization name for your directory (for example, my-example-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and must not begin or end with a hyphen.

  8. For Connected directory DNS, enter the fully-qualified name of your on-premises directory (for example, example.com).

  9. For Connected directory NetBIOS name, enter the short name of your on-premises directory (for example, example).

  10. For Connector account username, enter the user name of a user in your on-premises directory. The user must have permissions to read users and groups, create computer objects, and join computers to the domain.

  11. For Connector account password and Confirm password, enter the password for the on-premises user.

  12. For DNS address, enter the IP address of at least one DNS server in your on-premises directory.

    Important

    If you need to update your DNS server IP address after launching your WorkSpaces, follow the procedure in Update DNS servers for WorkSpaces Personal to ensure that your WorkSpaces get properly updated.

  13. (Optional) For Description, enter a description for the directory.

  14. Keep Size as Small.

  15. For VPC, select your VPC.

  16. For Subnets, select your subnets. The DNS servers that you specified must be accessible from each subnet.

  17. Choose Create directory.

  18. You will be brought back to the Create directory page in the WorkSpaces console. The initial status of the directory is Requested and then Creating. When directory creation is complete (this might take a few minutes), the status is Active.

Create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain

In this tutorial, we create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain. For tutorials that use the other options, see Create a directory for WorkSpaces Personal.

Note

Launching WorkSpaces with AWS accounts in a separate trusted domain works with AWS Managed Microsoft AD when it is configured with a trust relationship to your on-premises directory. However, WorkSpaces using Simple AD or AD Connector cannot launch WorkSpaces for users from a trusted domain.

To set up the trust relationship
  1. Set up AWS Managed Microsoft AD in your virtual private cloud (VPC). For more information, see Create Your AWS Managed Microsoft AD directory in the AWS Directory Service Administration Guide.

    Note
    • Shared directories are not currently supported for use with Amazon WorkSpaces.

    • If your AWS Managed Microsoft AD directory has been configured for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces. Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

  2. Create a trust relationship between your AWS Managed Microsoft AD and your on-premises domain. Ensure that the trust is configured as a two-way trust. For more information, see Tutorial: Create a Trust Relationship Between Your AWS Managed Microsoft AD and Your On-Premises Domain in the AWS Directory Service Administration Guide.

A one-way or two-way trust can be used to manage and authenticate with WorkSpaces, and so that WorkSpaces can be provisioned to on-premises users and groups. For more information, see Deploy Amazon WorkSpaces using a One-Way Trust Resource Domain with AWS Directory Service.

Note
  • Red Hat Enterprise Linux and Ubuntu WorkSpaces use System Security Services Daemon (SSSD) for Active Directory integration, and SSSD does not support forest trust. Configure external trust instead. Two-way trust is recommended for Amazon Linux, Ubuntu, and Red Hat Enterprise Linux WorkSpaces.

  • You cannot use a web browser (Web Access) to connect to Linux WorkSpaces.

Create a dedicated Microsoft Entra ID directory with WorkSpaces Personal

In this tutorial, we create Bring Your Own License (BYOL) Windows 10 and 11 personal WorkSpaces that are Microsoft Entra ID joined and enrolled to Microsoft Intune. Before creating such WorkSpaces, you need to first create a dedicated WorkSpaces Personal directory for Entra ID-joined WorkSpaces.

Note

Microsoft Entra joined personal WorkSpaces are available in all AWS Regions where Amazon WorkSpaces is offered except for Africa (Cape Town), Israel (Tel Aviv), and China (Ningxia).

Overview

A Microsoft Entra ID personal WorkSpaces directory contains all the information needed to launch Microsoft Entra ID-joined WorkSpaces that are assigned to your users managed with Microsoft Entra ID. User information is made available to WorkSpaces through AWS IAM Identity Center, which acts as an identity broker to bring your workforce identity from Entra ID to AWS. Microsoft Windows Autopilot user-driven mode is used to accomplish WorkSpaces Intune enrollment and Entra join. The following diagram illustrates the Autopilot process.

Requirements and limitations

  • Microsoft Entra ID P1 plan or higher.

  • Microsoft Entra ID and Intune are enabled and have role assignments.

  • Intune administrator - Required for managing Autopilot deployment profiles.

  • Global administrator - Required for granting admin consent for the API permissions assigned to the application created in step 3. The application can be created without this permission. However, a Global Administrator would need to provide admin consent on the application permissions.

  • Assign VDA E3/E5 user subscription licenses to users so their Windows 10 or 11 WorkSpaces can be joined to Entra ID.

  • Entra ID directories only support Windows 10 or 11 Bring Your Own License personal WorkSpaces. The following are supported versions.

    • Windows 10 Version 21H2 (December 2021 Update)

    • Windows 10 Version 22H2 (November 2022 Update)

    • Windows 11 Enterprise 23H2 (October 2023 release)

    • Windows 11 Enterprise 22H2 (October 2022 release)

  • Bring Your Own License (BYOL) is enabled for your AWS account and you have a valid Windows 10 or 11 BYOL image imported in your account. For more information, see Bring Your Own Windows desktop licenses in WorkSpaces.

  • Microsoft Entra ID directories only support Windows 10 or 11 BYOL personal WorkSpaces.

  • Microsoft Entra ID directories support only WSP protocol.

Step 1: Enable IAM Identity Center and synchronize with Microsoft Entra ID

To create Microsoft Entra ID-joined personal WorkSpaces and assign them to your Entra ID users, you have to make the user information available to AWS through IAM Identity Center. IAM Identity Center is the recommended AWS service for managing user access to AWS resources. For more information, see What is IAM Identity Center?. This is a one-time setup.

Note

A WorkSpaces Personal directory and its associated IAM Identity Center instance must be in the same AWS region.

  1. Enable IAM Identity Center with your AWS Organizations, especially if you are using a multi-account environment. You can also create an account instance of IAM Identity Center. To learn more, see Enabling AWS IAM Identity Center. Each WorkSpaces directory can be associated with one IAM Identity Center instance, either an organization instance or an account instance.

    If you are using an organization instance and trying to create a WorkSpaces directory in one of the member accounts, make sure you have the following IAM Identity Center permissions.

    • "sso:DescribeInstance"

    • "sso:CreateApplication"

    • "sso:PutApplicationGrant"

    • "sso:PutApplicationAuthenticationMethod"

    • "sso:DeleteApplication"

    • "sso:DescribeApplication"

    • "sso:GetApplicationGrant"

    For more information, see Overview of managing access permissions to your IAM Identity Center resources. Also, ensure that no Service Control Policies (SCPs) are blocking these permissions. To learn more about SCPs, see Service control policies (SCPs).

  2. Configure IAM Identity Center and Microsoft Entra ID to automatically synchronize selected or all users from your Entra ID tenant to your IAM Identity Center instance. For more information, see Configure SAML and SCIM with Microsoft Entra ID and IAM Identity Center and Tutorial: Configure AWS IAM Identity Center for automatic user provisioning.

  3. Verify that the users you configured on Microsoft Entra ID are synchronized correctly to your AWS IAM Identity Center instance. If you see the error message "Request is unparsable, syntactically incorrect, or violates schema" from Microsoft Entra ID, it indicates that the user in Entra ID is configured in a way that IAM Identity Center doesn't support. For example, the user object in Entra ID lacks a first name, a last name, and/or a display name. For more information, see Specific users fail to synchronize into IAM Identity Center from an external SCIM provider.

Note

WorkSpaces uses the Entra ID UserPrincipalName (UPN) attribute to identify individual users. The following limitations apply:

  • UPNs cannot exceed 63 characters in length.

  • If you change the UPN after assigning a WorkSpace to a user, the user won't be able to connect to their WorkSpace unless you change the UPN back to what it was before.

Step 2: Register a Microsoft Entra ID application to grant permissions for Windows Autopilot

WorkSpaces Personal uses Microsoft Windows Autopilot user-driven mode to enroll WorkSpaces to Microsoft Intune and join them to Microsoft Entra ID.

To allow Amazon WorkSpaces to register WorkSpaces Personal into Autopilot, you must register a Microsoft Entra ID application that grants necessary Microsoft Graph API permissions. For more information about registering an Entra ID application, see Quickstart: Register an application with the Microsoft identity platform.

We recommend providing the following API permissions in your Entra ID application.

  • To create a new personal WorkSpace that needs to be joined to Entra ID, the following API permission is required.

    • DeviceManagementServiceConfig.ReadWrite.All

  • When you terminate a personal WorkSpace or rebuild it, the following permissions are used.

    Note

    If you don’t provide these permissions, the WorkSpace will be terminated, but it will not be removed from your Intune and Entra ID tenants, and you will have to remove it from them separately.

    • DeviceManagementServiceConfig.ReadWrite.All

    • Device.ReadWrite.All

    • DeviceManagementManagedDevices.ReadWrite.All

  • These permissions require admin consent. For more information, see Grant tenant-wide admin consent to an application.

Next, you must add a client secret for the Entra ID application. For more information, see Add credentials. Make sure you remember the client secret string as you will need it when creating the AWS Secrets Manager secret in Step 4.

Step 3: Configure Windows Autopilot user-driven mode

Ensure you are familiar with the Step by step tutorial for Windows Autopilot user-driven Microsoft Entra join in Intune.

To configure your Microsoft Intune for Autopilot
  1. Sign in to the Microsoft Intune admin center.

  2. Create a new Autopilot device group for personal WorkSpaces. For more information, see Create device groups for Windows Autopilot.

    1. Choose Groups, New group.

    2. For Group type, choose Security.

    3. For Membership type, choose Dynamic Device.

    4. Choose Edit dynamic query to create a dynamic membership rule. The rule should be in the following format:

      (device.devicePhysicalIds -any (_ -eq "[OrderID]:WorkSpacesDirectoryName"))

      Important

      WorkSpacesDirectoryName should match the directory name of the Entra ID WorkSpaces Personal directory you create in step 5. This is because the directory name string is used as group tag when WorkSpaces registers virtual desktops into Autopilot. Additionally, group tag maps to the OrderID attribute on Microsoft Entra devices.

  3. Choose Devices, Windows, Enrollment. For Enrollment Options, choose Automatic Enrollment. For MDM user scope, select All.

  4. Create an Autopilot deployment profile. For more information, see Create an Autopilot deployment profile.

    1. For Windows Autopilot, choose Deployment profiles, Create profile.

    2. In the Windows Autopilot deployment profiles screen, select the Create Profile drop-down menu and then select Windows PC.

    3. In the Create profile screen, on the Out-of-box experience (OOBE) page, for Deployment mode, select User-driven. For Join to Microsoft Entra ID, select Microsoft Entra joined. You can customize the computer names for your Entra ID-joined personal WorkSpaces by selecting Yes for Apply device name template, which creates a template used to name a device during enrollment.

    4. On the Assignments page, for Assign to, choose Selected groups. Choose Select groups to include, and select the Autopilot device group you’ve just created in step 2.
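The dynamic membership rule in step 2 and the directory name entered later in Step 5 depend on the same string: WorkSpaces supplies the directory name as the Autopilot group tag, and the rule compares that tag against the device's [OrderID] physical ID. As an added example (not from the WorkSpaces or Intune documentation), the following Python builds the rule for a directory name, extracts the tag back out of an existing rule, and evaluates the -any (_ -eq ...) condition against constructed devicePhysicalIds lists, so the two values can be checked for agreement before the directory is created. Exact, case-sensitive string comparison is an assumption of this example; Entra's own comparison semantics govern the real group.

```python
import re
from typing import List

# Template from the Intune step: the directory name is the group tag, and Autopilot
# records the group tag as the [OrderID] entry of the device's physical IDs.
RULE_TEMPLATE = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:{tag}"))'
_RULE_RE = re.compile(
    r'^\(device\.devicePhysicalIds -any \(_ -eq "\[OrderID\]:(?P<tag>[^"]+)"\)\)$'
)


def rule_for(directory_name: str) -> str:
    """Build the dynamic membership rule for a WorkSpaces directory name."""
    if '"' in directory_name:
        raise ValueError("directory name must not contain a double quote")
    return RULE_TEMPLATE.format(tag=directory_name)


def order_id_from_rule(rule: str) -> str:
    """Extract the group tag an existing rule expects in the [OrderID] entry."""
    match = _RULE_RE.match(rule.strip())
    if not match:
        raise ValueError("rule is not in the [OrderID] form shown above")
    return match.group("tag")


def directory_matches_rule(rule: str, directory_name: str) -> bool:
    """True when the directory name (Step 5) and the rule's tag (Step 3) agree.

    Exact comparison is an assumption of this example.
    """
    return order_id_from_rule(rule) == directory_name


def device_is_member(rule: str, device_physical_ids: List[str]) -> bool:
    """Evaluate '-any (_ -eq ...)': true if any physical ID equals the expected entry."""
    expected = f"[OrderID]:{order_id_from_rule(rule)}"
    return any(pid == expected for pid in device_physical_ids)


if __name__ == "__main__":
    rule = rule_for("WorkSpacesDirectoryName")
    # Constructed physical-ID lists standing in for two Autopilot-registered devices.
    registered_here = ["[OrderID]:WorkSpacesDirectoryName"]
    registered_elsewhere = ["[OrderID]:SomeOtherDirectory"]
    print(rule)
    print(directory_matches_rule(rule, "WorkSpacesDirectoryName"),
          device_is_member(rule, registered_here),
          device_is_member(rule, registered_elsewhere))
```

A mismatch here means WorkSpaces will register devices with a tag the group never matches, so the deployment profile is never assigned and the enrollment stalls.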

Step 4: Create an AWS Secrets Manager secret

You must create a secret in AWS Secrets Manager to securely store the information, including the application ID and client secret, for the Entra ID application you created in Step 2: Register a Microsoft Entra ID application to grant permissions for Windows Autopilot. This is a one-time setup.

To create an AWS Secrets Manager secret
  1. Create a customer managed key on AWS Key Management Service. The key will later be used to encrypt the AWS Secrets Manager secret. Don't use the default key to encrypt your secret as the default key cannot be accessed by the WorkSpaces service. Follow the steps below to create the key.

    1. Open the AWS KMS console at https://console.aws.amazon.com/kms.

    2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

    3. Choose Create key.

    4. On the Configure key page, for Key type choose Symmetric. For Key usage, choose Encrypt and decrypt.

    5. On the Review page, in the Key policy editor, ensure you allow the WorkSpaces service's principal workspaces.amazonaws.com access to the key by including the following statement in the key policy.

      {
        "Effect": "Allow",
        "Principal": {
          "Service": [ "workspaces.amazonaws.com" ]
        },
        "Action": [ "kms:Decrypt", "kms:DescribeKey" ],
        "Resource": "*"
      }

  2. Create the secret on AWS Secrets Manager, using the AWS KMS key created in previous step.

    1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

    2. Choose Store a new secret.

    3. On the Choose secret type page, for Secret type, select Other type of secret.

    4. For Key/value pairs, enter “application_id” into the key box, then copy the Entra ID application ID from Step 2 and paste it into the value box.

    5. Choose Add row, in the key box, enter “application_password”, then copy the Entra ID application client secret from Step 2 and paste it into the value box.

    6. Choose the AWS KMS key that you created in the previous step from the Encryption key drop-down list.

    7. Choose Next.

    8. On the Configure secret page, enter a Secret name and Description.

    9. In the Resource permissions section, choose Edit permissions.

    10. Make sure you allow the WorkSpaces service's principal workspaces.amazonaws.com access to the secret by including the following resource policy in the resource permissions.

      {
        "Version" : "2012-10-17",
        "Statement" : [
          {
            "Effect" : "Allow",
            "Principal" : {
              "Service" : [ "workspaces.amazonaws.com" ]
            },
            "Action" : "secretsmanager:GetSecretValue",
            "Resource" : "*"
          }
        ]
      }
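The two policy documents in this step each have one job: the key policy must let workspaces.amazonaws.com decrypt the key protecting the secret, and the secret's resource policy must let it read the secret value. The following Python is an added example, not AWS code, that assembles both documents (the WorkSpaces statements are the page's own; the root-administrator statement and the account ID 111122223333 are assumptions standing in for the rest of a key policy) and checks offline that the service principal is granted the required actions, is not denied them, and that no statement is left open to every principal. It also builds the secret value in the key/value shape steps 4 and 5 produce, with placeholder values.

```python
import json
from fnmatch import fnmatchcase

# Service principal the page says must be allowed on both the key and the secret.
WORKSPACES_PRINCIPAL = "workspaces.amazonaws.com"
REQUIRED_KMS_ACTIONS = {"kms:Decrypt", "kms:DescribeKey"}
REQUIRED_SECRET_ACTIONS = {"secretsmanager:GetSecretValue"}

# Key policy: the WorkSpaces statement from step 1.5, plus an assumed
# root-administrator statement; 111122223333 is a placeholder account ID.
KMS_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": ["workspaces.amazonaws.com"]},
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}

# Secret resource policy from step 2.10.
SECRET_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["workspaces.amazonaws.com"]},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
        }
    ],
}

# Secret value in the shape steps 2.4 and 2.5 build; both values are placeholders.
SECRET_VALUE = json.dumps({
    "application_id": "<entra-application-id>",
    "application_password": "<entra-client-secret>",
})


def _as_list(value):
    """IAM allows Action/Principal fields as a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    """Service principals a statement names; '*' means every principal."""
    principal = statement.get("Principal")
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return set(_as_list(principal.get("Service")))
    return set()


def _actions_for(policy, service, effect):
    """Actions with the given Effect that apply to the service principal."""
    actions = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != effect:
            continue
        principals = _service_principals(stmt)
        if service in principals or "*" in principals:
            actions.update(_as_list(stmt.get("Action")))
    return actions


def _covered(action, patterns):
    """IAM action names are case-insensitive and may carry wildcards (kms:*)."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def check_policy(policy, service, required):
    """Return (ok, findings) for a policy that must grant `required` to `service`."""
    findings = []
    allowed = _actions_for(policy, service, "Allow")
    denied = _actions_for(policy, service, "Deny")
    missing = sorted(a for a in required if not _covered(a, allowed))
    if missing:
        findings.append(f"missing Allow for {service}: {missing}")
    blocked = sorted(a for a in required if _covered(a, denied))
    if blocked:
        findings.append(f"explicit Deny overrides Allow: {blocked}")
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and "*" in _service_principals(stmt):
            findings.append("a statement allows Principal '*'; scope it to the service principal")
    return (not findings, findings)


def secret_value_has_required_keys(secret_string):
    """The directory in Step 5 expects both keys in the SecretString JSON."""
    return {"application_id", "application_password"} <= set(json.loads(secret_string))


if __name__ == "__main__":
    print(check_policy(KMS_KEY_POLICY, WORKSPACES_PRINCIPAL, REQUIRED_KMS_ACTIONS))
    print(check_policy(SECRET_RESOURCE_POLICY, WORKSPACES_PRINCIPAL, REQUIRED_SECRET_ACTIONS))
    print(secret_value_has_required_keys(SECRET_VALUE))
```

The missing-Allow finding is exactly the state the page warns about when the default AWS managed key is used: nothing in that key's policy names workspaces.amazonaws.com, so the service cannot decrypt the secret.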

Step 5: Create a dedicated Microsoft Entra ID WorkSpaces directory

Create a dedicated WorkSpaces directory that stores information for your Microsoft Entra ID-joined WorkSpaces and Entra ID users.

To create an Entra ID WorkSpaces directory
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. On the Create directory page, for WorkSpaces type choose Personal. For WorkSpace device management, choose Microsoft Entra ID.

  4. For Microsoft Entra tenant ID, enter your Microsoft Entra ID tenant ID that you want your directory's WorkSpace to join to. You won't be able to change the tenant ID after the directory is created.

  5. For Entra ID Application ID and password, select the AWS Secrets Manager secret that you created in Step 4 from the drop down list. You won't be able to change the secret associated with the directory after the directory is created. However, you can always update the content of the secret, including the Entra ID Application ID and its password through the AWS Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  6. For User identity source, select the IAM Identity Center instance that you configured in Step 1 from the drop-down list. You won't be able to change the IAM Identity Center instance associated with the directory after the directory is created.

  7. For Directory name, enter a unique name for the directory (For example, WorkSpacesDirectoryName).

    Important

    The directory name should match the OrderID used to construct the dynamic query for the Autopilot device group that you created with Microsoft Intune in Step 3. The directory name string is used as the group tag when registering personal WorkSpaces into Windows Autopilot. The group tag maps to the OrderID attribute on Microsoft Entra devices.

  8. (Optional) For Description, enter a description for the directory.

  9. For VPC, select the VPC that you used to launch your WorkSpaces. For more information, see Configure a VPC for WorkSpaces Personal.

  10. For Subnets, select two subnets of your VPC that are not from the same Availability Zone. These subnets will be used to launch your personal WorkSpaces. For more information, see Availability Zones for WorkSpaces Personal.

    Important

    Make sure the WorkSpaces launched in the subnets have internet access, which is needed when users log in to the Windows desktops. For more information, see Provide internet access for WorkSpaces Personal.

  11. For Configuration, select Enable dedicated WorkSpace. You must enable it to create a dedicated WorkSpaces Personal directory to launch Bring Your Own License (BYOL) Windows 10 or 11 personal WorkSpaces.

    Note

    If you don't see the Enable dedicated WorkSpace option under Configuration, your account hasn't been enabled for BYOL. To enable BYOL for your account, see Bring Your Own Windows desktop licenses in WorkSpaces.

  12. (Optional) For Tags, specify the key-value pairs that you want to use for personal WorkSpaces in the directory.

  13. Review the directory summary and choose Create directory. It takes several minutes for your directory to be connected. The initial status of the directory is Creating. When directory creation is complete, the status is Active.

An IAM Identity Center application is also automatically created on your behalf once the directory is created. To find the application’s ARN, go to the directory's summary page.

You can now use the directory to launch Windows 10 or 11 personal WorkSpaces that are enrolled to Microsoft Intune and joined to Microsoft Entra ID. For more information, see Create a WorkSpace in WorkSpaces Personal.

After you've created a WorkSpaces Personal directory, you can create a personal WorkSpace. For more information, see Create a WorkSpace in WorkSpaces Personal.

Configure the IAM Identity Center application for a WorkSpaces directory (optional)

A corresponding IAM Identity Center application is automatically created once a directory is created. You can find the application’s ARN in the Summary section on the directory detail page. By default, all users in the Identity Center instance can access their assigned WorkSpaces without configuring the corresponding Identity Center application. However, you can manage user access to WorkSpaces in a directory by configuring the user assignment for the IAM Identity Center application.

To configure the user assignment for the IAM Identity Center application
  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. On the AWS managed applications tab, choose the application for the WorkSpaces directory. The application names are in the following format: WorkSpaces.wsd-xxxxx, where wsd-xxxxx is the WorkSpaces directory ID.

  3. Choose Actions, Edit details.

  4. Change the User and group assignment method from Do not require assignments to Require assignments.

  5. Choose Save changes.

After you make this change, users in the Identity Center instance lose access to their assigned WorkSpaces unless they are assigned to the application. To assign your users to the application, use the AWS CLI command create-application-assignment to assign users or groups to an application. For more information, see the AWS CLI Command Reference.
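A scripted version of the assignment change above, added here as an example that is not part of the AWS documentation: it uses boto3 (assumed to be installed, with credentials configured) and assigns the named users before switching the application to Require assignments, so nobody is locked out in between; the application ARN and Identity Store ID in the main block are placeholders.

```python
# Added example, not code from the AWS documentation: assign named users to the
# directory's IAM Identity Center application and only then switch it to
# "Require assignments", so no user loses access to their WorkSpace in between.
# Clients are passed in so the functions can be exercised without AWS access.

def resolve_user_ids(identitystore, identity_store_id, user_names):
    """Map Identity Store user names to user IDs; fail loudly on unknown names."""
    ids = {}
    for name in user_names:
        resp = identitystore.list_users(
            IdentityStoreId=identity_store_id,
            Filters=[{"AttributePath": "UserName", "AttributeValue": name}],
        )
        users = resp.get("Users", [])
        if len(users) != 1:
            raise LookupError(f"user {name!r} not found exactly once in {identity_store_id}")
        ids[name] = users[0]["UserId"]
    return ids


def require_assignments(sso_admin, identitystore, application_arn,
                        identity_store_id, user_names):
    """Assign the users first, then require assignments; returns the assigned IDs."""
    ids = resolve_user_ids(identitystore, identity_store_id, user_names)
    for user_id in ids.values():
        sso_admin.create_application_assignment(
            ApplicationArn=application_arn, PrincipalId=user_id, PrincipalType="USER")
    # Same switch as "Require assignments" under Edit details in the console
    sso_admin.put_application_assignment_configuration(
        ApplicationArn=application_arn, AssignmentRequired=True)
    return ids


if __name__ == "__main__":
    import boto3  # imported here so the functions above import without boto3
    # Placeholders: use the ARN from the directory's Summary page and the
    # Identity Store ID of the Identity Center instance the directory uses.
    require_assignments(
        boto3.client("sso-admin"), boto3.client("identitystore"),
        "arn:aws:sso::111122223333:application/ssoins-EXAMPLE/apl-EXAMPLE",
        "d-EXAMPLE", ["alice", "bob"])
```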

Create a dedicated Custom directory with WorkSpaces Personal

Before you create Windows 10 and 11 BYOL personal WorkSpaces and assign them to your users, managed with AWS IAM Identity Center Identity Providers (IdPs), you must create a dedicated Custom WorkSpaces directory. Personal WorkSpaces are not joined to any Microsoft Active Directory but can be managed with a Mobile Device Management (MDM) solution of your choice, such as JumpCloud. For more information about JumpCloud, see this article. For tutorials that use the other options, see Create a directory for WorkSpaces Personal.

Note
  • Amazon WorkSpaces can't create or manage user accounts on personal WorkSpaces launched in a Custom directory. As an administrator, you will have to manage them.

  • Custom WorkSpaces directories are available in all AWS Regions where Amazon WorkSpaces is offered except for Africa (Cape Town), Israel (Tel Aviv), and China (Ningxia).

  • Amazon WorkSpaces can't create or manage user accounts on WorkSpaces using Custom directories. To ensure that the MDM agent software you use can create the user profile on the Windows WorkSpaces, contact the MDM solution provider. Creating the user profile allows your users to sign in to the Windows desktop from the Windows login screen.

Requirements and limitations

  • Custom WorkSpaces directories only support Windows 10 or 11 Bring Your Own License personal WorkSpaces.

  • Custom WorkSpaces directories only support the WSP protocol.

  • Ensure that BYOL is enabled for your AWS account and that you have your own AWS KMS server that your personal WorkSpaces can access for Windows 10 and 11 activation. For details, see Bring Your Own Windows desktop licenses in WorkSpaces.

  • Ensure you pre-install the MDM agent software on the BYOL image that you imported to your AWS account.

Step 1: Enable IAM Identity Center and connect with your Identity Provider

To assign WorkSpaces to users managed by your Identity Provider, the user information must be made available to AWS through AWS IAM Identity Center. We recommend using IAM Identity Center to manage your users' access to AWS resources. For more information, see What is IAM Identity Center?. This is a one-time setup.

To make user information available to AWS
  1. Enable IAM Identity Center on AWS. You can enable IAM Identity Center with AWS Organizations, especially if you are using a multi-account environment. You can also create an account instance of IAM Identity Center. For more information, see Enabling AWS IAM Identity Center. Each WorkSpaces directory can be associated with one IAM Identity Center organization or account instance. Each IAM Identity Center instance can be associated with one or more WorkSpaces Personal directories.

    If you are using an organization instance and trying to create a WorkSpaces directory in one of the member accounts, ensure you have the following IAM Identity Center permissions.

    • "sso:DescribeInstance"

    • "sso:CreateApplication"

    • "sso:PutApplicationGrant"

    • "sso:PutApplicationAuthenticationMethod"

    • "sso:DeleteApplication"

    • "sso:DescribeApplication"

    • "sso:GetApplicationGrant"

    For more information, see Overview of managing access permissions to your IAM Identity Center resources. Ensure that no Service Control Policies (SCPs) are blocking these permissions. To learn more about SCPs, see Service control policies (SCPs).

  2. Configure IAM Identity Center and your Identity Provider (IdP) to automatically synchronize users from your IdP to your IAM Identity Center instance. For more information, see Getting started tutorials and choose the specific tutorial for the IdP that you want to use. For example, Using IAM Identity Center to connect with your JumpCloud Directory Platform.

  3. Verify that the users you configured on your IdP are synchronized correctly to your AWS IAM Identity Center instance. The first synchronization can take up to an hour depending on the configuration of your IdP.
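An offline check for the step 1 permission list, added here and not part of the AWS documentation: it evaluates a set of SCP documents (assumed to be the policies attached at one level, including the default FullAWSAccess) against the required sso actions, and the constructed sample shows how a deny-all-but-listed-services SCP silently blocks directory creation in a member account.

```python
import fnmatch

# Permissions the page lists for creating a directory in a member account
REQUIRED_SSO_ACTIONS = [
    "sso:DescribeInstance", "sso:CreateApplication", "sso:PutApplicationGrant",
    "sso:PutApplicationAuthenticationMethod", "sso:DeleteApplication",
    "sso:DescribeApplication", "sso:GetApplicationGrant"]

# Constructed sample SCP set: FullAWSAccess plus a deny-all-but-listed-services
# policy whose NotAction list only spares sso:Describe*
SAMPLE_SCPS = [
    {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Statement": [{"Effect": "Deny", "Resource": "*",
                    "NotAction": ["workspaces:*", "ec2:*", "sso:Describe*"]}]}]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action names are case-insensitive; * and ? are the only wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _statement_covers(stmt, action):
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False

def scp_blocked_actions(scp_docs, required=REQUIRED_SSO_ACTIONS):
    """Return {action: reason} for required actions the SCP set would block.
    Simplified, conservative model (an assumption of this example): scp_docs are
    the SCPs attached at one level, some document must hold an unconditional
    Allow covering the action, and any covering Deny, conditional or not, blocks.
    Resource scoping is ignored because these sso actions are account-wide."""
    report = {}
    for action in required:
        denied = allowed = False
        for doc in scp_docs:
            for stmt in _as_list(doc.get("Statement", [])):
                if not _statement_covers(stmt, action):
                    continue
                if stmt.get("Effect") == "Deny":
                    denied = True
                elif stmt.get("Effect") == "Allow" and "Condition" not in stmt:
                    allowed = True
        if denied:
            report[action] = "explicitly denied"
        elif not allowed:
            report[action] = "not allowed by any SCP at this level"
    return report
```

Run it against the SCPs exported from the OU above the member account; an empty result means the listed permissions are not blocked by those SCPs, though IAM permissions in the account itself still apply.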

Step 2: Create a dedicated Custom WorkSpaces directory

Create a dedicated WorkSpaces Personal directory that stores information about your personal WorkSpaces and your users.

To create a dedicated Custom WorkSpaces directory
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Choose Create directory.

  4. On the Create directory page, for WorkSpaces type, choose Personal. For WorkSpace device management, choose Custom.

  5. For User identity source, select the IAM Identity Center instance that you configured in Step 1 from the dropdown list. You won't be able to change the IAM Identity Center instance associated with the directory once the directory is created.

    Note

    You have to specify an IAM Identity Center instance for the directory or you won't be able to launch personal WorkSpaces with the directory using the WorkSpaces console. WorkSpaces directories with no associated Identity Center are only compatible with WorkSpaces Core partner solutions.

  6. For Directory name, enter a unique name for the directory.

  7. For VPC, select the VPC that you used to launch your WorkSpaces. For more information, see Configure a VPC for WorkSpaces Personal.

  8. For Subnets, select two subnets of your VPC that are not from the same Availability Zone. These subnets will be used to launch your personal WorkSpaces. For more information, see Availability Zones for WorkSpaces Personal.

    Important

    Make sure the WorkSpaces launched in the subnets have internet access, which is needed when users log in to the Windows desktops. For more information, see Provide internet access for WorkSpaces Personal.

  9. For Configuration, select Enable dedicated WorkSpace. You must enable it to create a dedicated WorkSpaces Personal directory to launch Bring Your Own License (BYOL) Windows 10 or 11 personal WorkSpaces.

  10. (Optional) For Tags, specify the key-value pairs that you want to use for personal WorkSpaces in the directory.

  11. Review the directory summary and choose Create directory. It takes several minutes for your directory to be connected. The initial status of the directory is Creating. When directory creation is complete, the status is Active.

An IAM Identity Center application is also automatically created on your behalf once the directory is created. To find the application's ARN, go to the directory's summary page.

You can now use the directory to launch Windows 10 or 11 personal WorkSpaces that are not joined to a Microsoft Active Directory and are managed with the MDM solution of your choice. For more information, see Create a WorkSpace in WorkSpaces Personal.

After you've created a WorkSpaces Personal directory, you can create a personal WorkSpace. For more information, see Create a WorkSpace in WorkSpaces Personal.

To delete empty directories, see Delete a directory for WorkSpaces Personal. If you delete your Simple AD or AD Connector directory, you can always create a new one when you want to start using WorkSpaces again.