AWS Directory Service
Administration Guide (Version 1.0)

Enable Multi-Factor Authentication for AWS Managed Microsoft AD

Multi-factor authentication (MFA) can be enabled for your AWS Managed Microsoft AD directory to add an extra layer of protection on top of standard username and password authentication. When MFA is enabled, users are required to enter an authentication code (the second factor), which is provided by your virtual or hardware MFA solution, in addition to entering their username and password (the first factor). Together these factors provide additional security by preventing access to your Amazon Enterprise Applications unless users supply a valid MFA code.

To enable MFA for users of Amazon Enterprise Applications, AWS Single Sign-On and the AWS Management Console, a key requirement is an MFA solution that is either a Remote Authentication Dial-In User Service (RADIUS) server or a plugin to a RADIUS server already deployed in your on-premises infrastructure. RADIUS is an industry-standard client/server protocol that provides authentication, authorization, and accounting management so that users can connect to network services. The RADIUS server connects to your on-premises AD to authenticate and authorize users. You can enable multi-factor authentication for your AWS Managed Microsoft AD directory by performing the following procedure.

For more information about how to configure your RADIUS server to work with AWS Directory Service and MFA, see Multi-factor Authentication Prerequisites.
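The following is an added example, not AWS code, that walks through one RADIUS Access-Request / Access-Accept round trip as defined in RFC 2865, to show what the shared secret you configure in the console actually protects: it hides the User-Password attribute in the request and signs the server's reply, so a client can tell whether a reply came from a server holding the same secret. Both the client and the server are simulated in-process with no network I/O. Two points are assumptions rather than statements from this guide: the PAP password-hiding scheme is used as the selected RADIUS protocol, and the MFA code is appended to the password in the same request (the guide only says the code must be supplied together with the username and password, with no challenge/response step).

```python
# Added example (not AWS code): a RADIUS Access-Request / Access-Accept exchange per RFC 2865.
# Assumptions: PAP password hiding is the selected protocol; the MFA code is appended to the
# password (an assumed RADIUS-server convention); secret and credentials below are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attr(attr_type, value):
    """Type-Length-Value attribute; Length counts the two header bytes too."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    ciphertext block), seeding the chain with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; NUL padding is stripped (as in RFC 2865, a password
    ending in NUL bytes is not representable)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def client_access_request(username, password, mfa_code, secret, identifier=1):
    """Client side: a single request carrying username and password+code, no challenge step."""
    request_auth = os.urandom(16)  # fresh per request; also keys the password hiding
    attrs = [
        encode_attr(ATTR_USER_NAME, username.encode()),
        encode_attr(ATTR_USER_PASSWORD, hide_password((password + mfa_code).encode(), secret, request_auth)),
    ]
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def server_respond(packet, secret, credentials):
    """Server side: recover the password, check it, and sign the reply with the shared secret.
    `credentials` maps username -> expected password+code bytes (constructed for this example)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("unexpected RADIUS packet")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = credentials.get(user)
    verdict = ACCESS_ACCEPT if expected is not None and hmac.compare_digest(supplied, expected) else ACCESS_REJECT
    header = struct.pack("!BBH", verdict, identifier, 20)  # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_verify_response(response, request_auth, secret):
    """Return the reply code only if the Response Authenticator verifies under our secret;
    None means the reply did not come from a server holding the same shared secret."""
    code, _identifier, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def run_exchange(username, password, mfa_code, client_secret, server_secret, credentials):
    """Drive one round trip in-process and return what the client concludes."""
    request, request_auth = client_access_request(username, password, mfa_code, client_secret)
    response = server_respond(request, server_secret, credentials)
    return client_verify_response(response, request_auth, client_secret)
```

The `run_exchange` call with the same secret on both sides returns Access-Accept for a correct password and code and Access-Reject otherwise; when the two sides hold different secrets the client gets `None`, because the Response Authenticator does not verify, which is exactly the failure you see when the console's shared secret does not match the one configured on the RADIUS endpoints.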


Multi-factor authentication is not available for Simple AD. However, MFA can be enabled for your AD Connector directory. For more information, see Enable Multi-Factor Authentication for AD Connector.

To enable multi-factor authentication for AWS Managed Microsoft AD

  1. In the AWS Directory Service console navigation pane, select Directories.

  2. Choose the directory ID link for your AWS Managed Microsoft AD directory.

  3. Select the Multi-Factor Authentication tab.

  4. Enter the following values, and then choose Update Directory.

    Enable Multi-Factor Authentication

    Check to enable multi-factor authentication.

    RADIUS server IP address(es)

    The IP addresses of your RADIUS server endpoints, or the IP address of your RADIUS server load balancer. You can enter multiple IP addresses by separating them with a comma (e.g.,,


    RADIUS MFA applies only to authenticating access to the AWS Management Console, or to Amazon Enterprise applications and services such as Amazon WorkSpaces, Amazon QuickSight, or Amazon Chime. AWS Directory Service does not support RADIUS Challenge/Response authentication. Users must have their MFA code at the time they enter their username and password. Alternatively, you must use a solution that performs MFA out-of-band, such as SMS text verification, for the user.


    Port

    The port that your RADIUS server is using for communications. Your on-premises network must allow inbound traffic over the default RADIUS server port (1812) from the AWS Directory Service servers.

    Shared secret code

    The shared secret code that was specified when your RADIUS endpoints were created.

    Confirm shared secret code

    Confirm the shared secret code for your RADIUS endpoints.


    Protocol

    Select the protocol that was specified when your RADIUS endpoints were created.

    Server timeout

    The amount of time, in seconds, to wait for the RADIUS server to respond. This must be a value between 1 and 50.

    Max retries

    The number of times that communication with the RADIUS server is attempted. This must be a value between 0 and 10.

Multi-factor authentication is available when the RADIUS Status changes to Enabled.
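As an added example (not AWS code, and not a reproduction of what the console itself does), the following checks a set of console values from the procedure above against the constraints this guide states: a non-empty, comma-separated list of RADIUS server IP addresses, a matching shared secret and confirmation, a server timeout of 1 to 50 seconds, and 0 to 10 retries. It also estimates how long a sign-in could hang if no RADIUS server answers; the formula assumes that retries are in addition to the first attempt and that each listed server is tried in turn, which the guide does not spell out. The sample values in the usage are constructed.

```python
# Added example (not AWS code): validate RADIUS MFA console values against the documented
# constraints and estimate the worst-case sign-in delay those values imply.
import ipaddress
from dataclasses import dataclass

RADIUS_DEFAULT_PORT = 1812  # the port the guide says on-premises firewalls must admit


@dataclass(frozen=True)
class RadiusMfaSettings:
    server_ips: tuple        # parsed from the comma-separated console field
    port: int
    shared_secret: str
    confirm_secret: str
    server_timeout: int      # seconds; guide: 1 to 50
    max_retries: int         # guide: 0 to 10


def parse_server_ips(field):
    """Split the console's comma-separated list; blanks, duplicates and non-IP text are errors."""
    ips = []
    for token in field.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty entry in RADIUS server IP list")
        ip = ipaddress.ip_address(token)  # raises ValueError for anything that is not an IP
        if ip in ips:
            raise ValueError(f"duplicate RADIUS server {ip}")
        ips.append(ip)
    return tuple(ips)


def validate(s):
    """Return a list of problems; an empty list means every documented constraint is met."""
    errors = []
    if not s.server_ips:
        errors.append("at least one RADIUS server IP address is required")
    if not 1 <= s.port <= 65535:
        errors.append(f"port {s.port} is not a valid UDP port")
    if not s.shared_secret:
        errors.append("shared secret is empty")
    if s.shared_secret != s.confirm_secret:
        errors.append("shared secret and confirmation do not match")
    if not 1 <= s.server_timeout <= 50:
        errors.append(f"server timeout {s.server_timeout}s is outside 1..50")
    if not 0 <= s.max_retries <= 10:
        errors.append(f"max retries {s.max_retries} is outside 0..10")
    return errors


def worst_case_wait_seconds(s):
    """Upper bound on how long a sign-in can hang when no RADIUS server answers.
    Assumption (not stated in the guide): retries are in addition to the first attempt,
    and each listed server is tried in turn."""
    return s.server_timeout * (s.max_retries + 1) * len(s.server_ips)


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    settings = RadiusMfaSettings(parse_server_ips("10.0.0.5, 10.0.0.6"), RADIUS_DEFAULT_PORT,
                                 "example-secret", "example-secret", 30, 3)
    print("problems:", validate(settings) or "none")
    print("worst-case sign-in wait:", worst_case_wait_seconds(settings), "seconds")
```

Running the usage block reports no problems and a worst-case wait of 240 seconds for two servers, a 30-second timeout and 3 retries; lowering the timeout and retry count is the lever if users report sign-ins that appear to hang when the RADIUS path is down.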

Supported Amazon Enterprise Applications

All Amazon Enterprise IT Applications including Amazon WorkSpaces, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, and access to AWS Single Sign-On and AWS Management Console are supported when using AWS Managed Microsoft AD and AD Connector with MFA.

For information about how to configure basic user access to Amazon Enterprise Applications, AWS Single Sign-On and the AWS Management Console using AWS Directory Service, see Enable Access to AWS Applications and Services and Enable Access to the AWS Management Console with AD Credentials.

Related AWS Security Blog Article