IAM Identity Center configurable AD sync - AWS IAM Identity Center

IAM Identity Center configurable AD sync

IAM Identity Center configurable Active Directory (AD) sync enables you to explicitly configure the identities in Microsoft Active Directory that are automatically synchronized into IAM Identity Center and control the synchronization process.

Prerequisites and considerations

Before you use configurable AD sync, be aware of the following prerequisites and considerations:

  • Specifying users and groups in Active Directory to sync

    Before you can use IAM Identity Center to assign new users and groups access to AWS accounts and to AWS managed applications or customer managed applications, you must specify the users and groups in Active Directory to sync, and then sync them into IAM Identity Center.

    • AD sync – When you make assignments for new users and groups by using the IAM Identity Center console or related assignment API actions, IAM Identity Center searches the domain controller directly for the specified users or groups, completes the assignment, and then periodically syncs the user or group metadata into IAM Identity Center.

    • Configurable AD sync – IAM Identity Center doesn't search your domain controller directly for users and groups. Instead, you must first specify the list of users and groups to sync. You can configure this list, also known as the sync scope, in one of the following ways, depending on whether you have users and groups that are already synced into IAM Identity Center, or you have new users and groups that you are syncing for the first time by using configurable AD sync.

      • Existing users and groups: If you have users and groups that are already synced into IAM Identity Center, the sync scope in configurable AD sync is prepopulated with a list of those users and groups. To assign new users or groups, you must specifically add them to the sync scope. For more information, see Add users and groups to your sync scope.

      • New users and groups: If you want to assign new users and groups access to AWS accounts and to applications, you must specify which users and groups to add to the sync scope in configurable AD sync before you can use IAM Identity Center to make the assignment. For more information, see Add users and groups to your sync scope.

  • Making assignments to nested groups in Active Directory

    Groups that are members of other groups are called nested groups (or child groups). When you make assignments to a group in Active Directory that contains nested groups, the way in which the assignments are applied depends on whether you use AD sync or configurable AD sync.

    • AD sync – When you make assignments to a group in Active Directory that contains nested groups, only the direct members of the group can access the account. For example, if you assign access to Group A, and Group B is a member of Group A, only the direct members of Group A can access the account. No members of Group B inherit the access.

    • Configurable AD sync – Using configurable AD sync to make assignments to a group in Active Directory that contains nested groups might increase the scope of users who have access to AWS accounts or to applications. In this case, the assignment applies to all users, including those in nested groups. For example, if you assign access to Group A, and Group B is a member of Group A, members of Group B also inherit this access.
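To make the nested-group difference concrete, here is an added example (not code from the AWS documentation) that models a constructed AD membership graph and computes who gains access when a group is assigned under AD sync (direct members only) versus configurable AD sync (direct plus nested members), so the extra users can be reviewed before the assignment is made. The group and user names are constructed sample values.

```python
from collections import deque
from typing import Dict, Set

# An AD group maps to its direct members; a member that is itself a key of the
# map is a nested (child) group. Sample data is constructed for this example.
Membership = Dict[str, Set[str]]

SAMPLE_AD: Membership = {
    "Group A": {"alice", "Group B"},   # Group B is nested under Group A
    "Group B": {"bob", "Group C"},     # Group C is nested under Group B
    "Group C": {"carol"},
    "Group D": {"dave"},               # unrelated group, not nested anywhere
}


def direct_users(membership: Membership, group: str) -> Set[str]:
    """AD sync behaviour: only direct user members of the assigned group get access."""
    return {m for m in membership.get(group, set()) if m not in membership}


def effective_users(membership: Membership, group: str) -> Set[str]:
    """Configurable AD sync behaviour: users in nested groups inherit the assignment.

    Breadth-first walk over nested groups; the visited set stops the walk if the
    directory contains a membership cycle (a group nested under its own child).
    """
    users: Set[str] = set()
    visited: Set[str] = set()
    queue = deque([group])
    while queue:
        current = queue.popleft()
        if current in visited:
            continue
        visited.add(current)
        for member in membership.get(current, set()):
            if member in membership:
                queue.append(member)   # nested group: keep walking
            else:
                users.add(member)      # user: inherits the assignment
    return users


def scope_expansion(membership: Membership, group: str) -> Set[str]:
    """Users who gain access only through nested-group inheritance.

    A non-empty result is the additional access to review before assigning the
    group under configurable AD sync.
    """
    return effective_users(membership, group) - direct_users(membership, group)
```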

  • Updating automated workflows

    If you have automated workflows that use the IAM Identity Center identity store API actions and IAM Identity Center assignment API actions to assign new users and groups access to accounts and to applications, and to sync them into IAM Identity Center, you must adjust those workflows by April 15, 2022 so that they function as expected with configurable AD sync. Configurable AD sync changes the order in which user and group assignment and provisioning occur, and the way in which queries are performed.

    • AD sync – Assignment occurs first. You assign users and groups access to AWS accounts and to applications. After the users and groups are assigned access, they are automatically provisioned (synced into IAM Identity Center). If you have an automated workflow, this means that when you add a new user to Active Directory, your automated workflow can query Active Directory for the user by using the identity store ListUsers API action, and then assign the user access by using the IAM Identity Center assignment API actions. Because the user has an assignment, that user is automatically provisioned into IAM Identity Center.

    • Configurable AD sync – Provisioning occurs first, and it is not automatically performed. Instead, you must first explicitly add users and groups to the identity store by adding them to your sync scope. For information about the recommended steps for automating your sync configuration for configurable AD sync, see Automate your sync configuration for configurable AD sync.