Granting QuickSight access to Active Directory users - AWS Prescriptive Guidance
Considerations and use casesPrerequisitesConfiguring access

Granting QuickSight access to Active Directory users

Note

This access approach is available only for the Enterprise edition of Amazon QuickSight. For more information, see User management for Enterprise edition in the QuickSight documentation.

Architecture diagram of an Active Directory user accessing QuickSight

The following are the characteristics of this architecture and access approach:

  • The Amazon QuickSight user record is linked to the user in Active Directory.

  • You assign QuickSight admin, author, or reader access to Active Directory groups.

  • QuickSight access is provisioned based on the mapped Active Directory group memberships.

  • User passwords are managed in Active Directory.

  • The user must log in directly through the QuickSight console at https://quicksight.aws.amazon.com/.

  • You cannot combine this QuickSight access approach with other approaches.

Considerations and use cases

You can use Microsoft Active Directory users and groups to manage access to QuickSight. QuickSight supports either the AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) or Active Directory Connector (AD Connector).

AWS Managed Microsoft AD is an Active Directory host in the AWS Cloud that offers most of the same functionality of Active Directory. If you have an existing self-managed directory that you want to use for QuickSight, you can use AD Connector. This service redirects directory requests to your self-managed Active Directory—in another AWS Region or on-premises—without caching any information in the cloud. Both AD Connector and AWS Managed Microsoft AD are part of AWS Directory Service.

Your directory or directory connection in AWS Directory Service must be in the same AWS Region where you are signing up for QuickSight. When you sign up for QuickSight, you specify the Active Directory domain as well as the specific Active Directory groups that will be used for access control.

This access approach is best suited for organizations that want to use their existing Active Directory access management processes. This approach manages QuickSight access and roles through Active Directory group memberships.

An important consideration when using this approach is that it cannot be combined with other approaches. For example, you can create a hybrid access approach using IAM users and QuickSight local users. Consider this approach carefully. If you select this approach when you set up QuickSight, you are committing to it. You cannot change to a different approach later.

This is not the only access approach that uses Active Directory. In this approach, QuickSight access is provisioned based on group membership in Active Directory, and the QuickSight user record is linked directly to the Active Directory user. You can also use Active Directory as an identity source for user federation. For more information, see Federated users in this guide.

Prerequisites

Configuring access for Active Directory users

After you confirm the details of your directory, you can sign up for QuickSight. For instructions, see Signing up for a QuickSight subscription. Note the following when configuring this type of access:

  1. In the QuickSight sign-up wizard, choose Enterprise, and then choose Use Active Directory.

  2. Go to the QuickSight console, and then choose Manage access to QuickSight.

  3. Select the Active Directory groups that should have QuickSight access, and assign them QuickSight admin, author, or reader roles. For instructions, see Managing user access.