Using Active Directory with Amazon QuickSight

 Applies to: Enterprise Edition 

 Intended audience: System administrators 

Amazon QuickSight Enterprise edition supports both AWS Directory Service for Microsoft Active Directory and Active Directory Connector.

To create a new directory to be your identity manager for Amazon QuickSight, you use AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD. This is a Microsoft Active Directory host in the AWS cloud, which offers most of the same functionality as Microsoft Active Directory. Currently, you can connect to Active Directory in any region supported by Amazon QuickSight, except for Asia Pacific (Singapore). When you create a directory, you use it with a virtual private cloud (VPC). For more information, see VPC.

If you have an existing directory that you want to use for Amazon QuickSight, you can use Active Directory Connector. This service redirects directory requests to your Microsoft Active Directory—in another AWS region or on-premises—without caching any information in the cloud.

There is an article available on the Knowledge Center that walks through creating and managing a directory: Use an AWS Managed Microsoft AD with Amazon QuickSight?.

When you use AWS Directory Service to launch a directory, AWS creates an organizational unit (OU) with the same name as your domain. AWS also creates an administrative account with delegated administrative rights for the OU. You can create user accounts, groups, and policies within the OU by using Active Directory users and groups. For more information, see Best Practices for AWS Managed Microsoft AD.

After you establish your directory, you use it with Amazon QuickSight by creating at least three groups for users:

  • Amazon QuickSight admins – Admins can change account settings, manage user accounts, purchase additional Amazon QuickSight user subscriptions or SPICE capacity, or cancel the subscription to Amazon QuickSight for your AWS account.

  • Amazon QuickSight authors – Authors can create data sources, data sets, analyses, and dashboards. They can share analyses and dashboards with other Amazon QuickSight users.

  • Amazon QuickSight readers – Readers can view and interact with dashboards that were created by someone else.

You can add or refine access by applying IAM policies. For example, you can use IAM policies to allow users to subscribe themselves.
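When IAM policies are used to let users subscribe themselves, it is worth checking which role each policy actually hands out. The following is an added example, not AWS code: a small audit that reads an IAM policy document and reports which QuickSight roles it lets a principal self-provision. The function names and sample policies are constructed for illustration, and `Resource` and `NotAction` are not evaluated.

```python
import fnmatch

# IAM actions that let a principal subscribe itself to QuickSight,
# mapped to the role each one provisions.
SELF_PROVISION = {
    "quicksight:CreateReader": "reader",
    "quicksight:CreateUser": "author",
    "quicksight:CreateAdmin": "admin",
}
RANK = {"reader": 1, "author": 2, "admin": 3}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def self_subscribe_roles(policy):
    """Roles a policy document lets a principal self-provision."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue  # NotAction statements are out of scope here
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        hits = {role for action, role in SELF_PROVISION.items()
                if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hits  # counted even if conditional (worst case)
        elif stmt.get("Effect") == "Deny" and "Condition" not in stmt:
            denied |= hits   # only an unconditional Deny is relied on
    return allowed - denied

def roles_above(policy, max_role="reader"):
    """Self-provisionable roles more privileged than max_role, sorted."""
    return sorted(r for r in self_subscribe_roles(policy)
                  if RANK[r] > RANK[max_role])

# Constructed sample policies (not taken from any real account).
READER_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:CreateReader", "Resource": "*"}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["quicksight:Create*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "quicksight:CreateAdmin", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("READER_ONLY", READER_ONLY), ("TOO_BROAD", TOO_BROAD)):
        print(name, sorted(self_subscribe_roles(pol)),
              "over limit:", roles_above(pol))
```

The wildcard policy still grants author self-subscription after the explicit Deny on `quicksight:CreateAdmin`, which is the kind of drift this check surfaces.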

When you subscribe to Amazon QuickSight Enterprise edition and select Microsoft Active Directory as your identity provider, you get the opportunity to associate your AD groups with Amazon QuickSight. You can also add or change your AD groups later on.