Using Active Directory as an identity source
If you are managing users in either your AWS Managed Microsoft AD directory using AWS Directory Service or your self-managed directory in Active Directory (AD), you can change your IAM Identity Center identity source to work with those users. We recommend that you consider connecting this identity source when you enable IAM Identity Center and choose your identity source. Doing this before you create any users and groups in the default Identity Center directory will help you avoid the additional configuration that's required if you change your identity source later.
To use Active Directory as your identity source, your configuration must meet the following prerequisites:
-
If you're using AWS Managed Microsoft AD, you must enable IAM Identity Center in the same AWS Region where your AWS Managed Microsoft AD directory is set up. IAM Identity Center stores the assignment data in the same Region as the directory. To administer IAM Identity Center, you might need to switch to the Region where IAM Identity Center is configured. Also, note that the AWS access portal uses the same access URL as your directory.
Use an Active Directory residing in the management account:
You must have an existing AD Connector or AWS Managed Microsoft AD directory set up in AWS Directory Service, and it must reside within your AWS Organizations management account. You can connect only one AD Connector directory or one directory in AWS Managed Microsoft AD at a time. If you need to support multiple domains or forests, use AWS Managed Microsoft AD. For more information, see:
Use an Active Directory residing in the delegated administrator account:
If you plan to enable an IAM Identity Center delegated administrator and use Active Directory as your IAM Identity Center identity source, you can use an existing AD Connector or AWS Managed Microsoft AD directory set up in AWS Directory residing in the delegated admin account.
If you decide to change the IAM Identity Center identity source from any other source to Active Directory, or change it from Active Directory to any other source, the directory must reside in (be owned by) the IAM Identity Center delegated administrator member account if one exists; otherwise, it must be in the management account.
This tutorial guides you through the basic set up for using Active Directory as an IAM Identity Center identity source.
If you're already using Active Directory , the following topics will help you prepare to connect your directory to IAM Identity Center.
Note
As a security best practice, we strongly recommend that you enable multi-factor authentication. If you plan to connect an AWS Managed Microsoft AD directory or a self-managed directory in Active Directory and you're not using RADIUS MFA with AWS Directory Service, enable MFA in IAM Identity Center.
AWS Managed Microsoft AD
-
Review the guidance in Connect to a Microsoft AD directory.
-
Follow the steps in Connect a directory in AWS Managed Microsoft AD to IAM Identity Center.
-
Configure Active Directory to synchronize the user to whom you want to grant administrative permissions into IAM Identity Center. For more information, see Synchronize an administrative user into IAM Identity Center.
Self-managed directory in Active Directory
-
Review the guidance in Connect to a Microsoft AD directory.
-
Follow the steps in Connect a self-managed directory in Active Directory to IAM Identity Center.
-
Configure Active Directory to synchronize the user to whom you want to grant administrative permissions into IAM Identity Center. For more information, see Synchronize an administrative user into IAM Identity Center.
After you connect your directory to IAM Identity Center, you can specify a user to whom you want to grant administrative permissions, and then synchronize that user from your directory into IAM Identity Center.
-
Open the IAM Identity Center console
. -
Choose Settings.
-
On the Settings page, choose the Identity source tab, choose Actions, and then choose Manage Sync.
-
On the Manage Sync page, choose the Users tab, and then choose Add users and groups.
-
On the Users tab, under User, enter the exact username and choose Add.
-
Under Added Users and Groups, do the following:
-
Confirm that the user to whom you want to grant administrative permissions is specified.
-
Select the check box to the left of the username.
-
Choose Submit.
-
-
In the Manage sync page, the user that you specified appears in the Users in sync scope list.
-
In the navigation pane, choose Users.
-
On the Users page, it might take some time for the user that you specified to appear in the list. Choose the refresh icon to update the list of users.
At this point, your user doesn't have access to the management account. You will set up administrative access to this account by creating an administrative permission set and assigning the user to that permission set. For more information, see Create a permission set for job functions.