# Use cases for AWS Managed Microsoft AD

With AWS Managed Microsoft AD, you can share a single directory for multiple use cases. For example, you can share a directory to authenticate and authorize access for .NET applications, [Amazon RDS for SQL Server](https://aws.amazon.com/rds/sqlserver/) with [Windows authentication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_SQLServerWinAuth.html) enabled, and [Amazon Chime](https://chime.aws/) for messaging and video conferencing.

The following diagram shows some of the use cases for your AWS Managed Microsoft AD directory. These include the ability to grant your users access to external cloud applications and allow your on-premises Active Directory users to manage and have access to resources in the AWS Cloud. 

![Use cases for your AWS Managed Microsoft AD directory, such as granting your users access to external cloud applications and allowing your on-premises Active Directory users to manage and access resources in the AWS Cloud.](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/ms_ad_use_cases2.png)


Use AWS Managed Microsoft AD for any of the following business use cases.

**Topics**
+ [Use Case 1: Sign in to AWS applications and services with Active Directory credentials](usecase1.md)
+ [Use Case 2: Manage Amazon EC2 instances](usecase2.md)
+ [Use Case 3: Provide directory services to your Active Directory-aware workloads](usecase3.md)
+ [Use Case 4: AWS IAM Identity Center to Office 365 and other cloud applications](usecase4.md)
+ [Use Case 5: Extend your on-premises Active Directory to the AWS Cloud](usecase5.md)
+ [Use Case 6: Share your directory to seamlessly join Amazon EC2 instances to a domain across AWS accounts](usecase6.md)

# Use Case 1: Sign in to AWS applications and services with Active Directory credentials


You can enable multiple AWS applications and services such as [AWS Client VPN](https://aws.amazon.com/vpn/), [AWS Management Console](https://aws.amazon.com/console/), [AWS IAM Identity Center](https://aws.amazon.com/single-sign-on/), [Amazon Chime](https://aws.amazon.com/chime/), [Amazon Connect](https://aws.amazon.com/connect), [Amazon FSx](https://aws.amazon.com/fsx/windows/), [Quick](https://aws.amazon.com/quicksight/), [Amazon RDS for SQL Server](https://aws.amazon.com/rds/sqlserver/), [WorkDocs](https://aws.amazon.com/workdocs), [Amazon WorkMail](https://aws.amazon.com/workmail/), and [WorkSpaces](https://aws.amazon.com/workspaces/) to use your AWS Managed Microsoft AD directory. When you enable an AWS application or service in your directory, your users can access the application or service with their Active Directory credentials.

For example, you can enable your users to [sign in to the AWS Management Console with their Active Directory credentials](https://aws.amazon.com/blogs/security/how-to-access-the-aws-management-console-using-aws-microsoft-ad-and-your-on-premises-credentials/). To do this, you enable the AWS Management Console as an application in your directory, and then assign your Active Directory users and groups to IAM roles. When your users sign in to the AWS Management Console, they assume an IAM role to manage AWS resources. This makes it easy for you to grant your users access to the AWS Management Console without needing to configure and manage a separate SAML infrastructure.

To further enhance the end user experience you can enable [Single sign-on](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_single_sign_on.html) capabilities for WorkDocs, which provides your users the ability to access WorkDocs from a computer joined to the directory without having to enter their credentials separately.

By assigning IAM roles directly to existing user accounts in your directory or in your on-premises Active Directory, you can let those users sign in to the AWS Management Console or use the AWS CLI with their existing credentials and permissions to manage AWS resources.

## FSx for Windows File Server integration with AWS Managed Microsoft AD


Integrating FSx for Windows File Server with AWS Managed Microsoft AD provides a fully managed, native Microsoft Windows-based Server Message Block (SMB) file system that allows you to easily move your Windows-based applications and clients (those that use shared file storage) to AWS. Although FSx for Windows File Server can also be integrated with a self-managed Microsoft Active Directory, that scenario is not discussed here.

### Common Amazon FSx use cases and resources


This section provides a reference to resources on common use cases for integrating FSx for Windows File Server with AWS Managed Microsoft AD. Each of the use cases in this section starts with a basic AWS Managed Microsoft AD and FSx for Windows File Server configuration. For more information about how to create these configurations, see:
+ [Getting started with AWS Managed Microsoft AD](ms_ad_getting_started.md)
+ [Getting started with Amazon FSx](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/getting-started.html)

#### FSx for Windows File Server as persistent storage on Windows containers


[Amazon Elastic Container Service (ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) supports Windows containers on container instances that are launched with the Amazon ECS-optimized Windows AMI. Windows container instances use their own version of the Amazon ECS container agent. On the Amazon ECS-optimized Windows AMI, the Amazon ECS container agent runs as a service on the host.

Amazon ECS supports Active Directory authentication for Windows containers through a special kind of service account called a group Managed Service Account (gMSA). Because Windows containers cannot be domain-joined, you must configure a Windows container to run with a gMSA.

**Related Items**
+ [Using FSx for Windows File Server as persistent storage on Windows Containers](https://aws.amazon.com/blogs/containers/using-amazon-fsx-for-windows-file-server-as-persistent-storage-on-windows-containers/)
+ [Group Managed Service Accounts](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_key_concepts_gmsa.html)

#### Amazon AppStream 2.0 support


[Amazon AppStream 2.0](https://docs.aws.amazon.com/appstream2/latest/developerguide/what-is-appstream.html) is a fully managed application streaming service. It provides a range of solutions for users to save and access data through their applications. Amazon FSx with WorkSpaces Applications provides a personal persistent storage drive using Amazon FSx and can be configured to provide a shared folder to access common files. 

**Related Items**
+ [Walkthrough 4: Using Amazon FSx with Amazon AppStream 2.0](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/walkthrough04-fsx-with-appstream2.html)
+ [Using Amazon FSx with Amazon AppStream 2.0](https://aws.amazon.com/blogs/desktop-and-application-streaming/using-amazon-fsx-with-amazon-appstream-2-0/)
+ [Using Active Directory with WorkSpaces Applications](https://docs.aws.amazon.com/appstream2/latest/developerguide/active-directory.html)

#### Microsoft SQL Server support


FSx for Windows File Server can be used as a storage option for Microsoft SQL Server 2012 (version 11.x) and newer, both for the system databases (including Master, Model, MSDB, and TempDB) and for Database Engine user databases.

**Related Items**
+ [Install SQL Server with SMB fileshare storage](https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server-with-smb-fileshare-as-a-storage-option?view=sql-server-ver15)
+ [Simplify your Microsoft SQL Server high availability deployments using FSx for Windows File Server](https://aws.amazon.com/blogs/storage/simplify-your-microsoft-sql-server-high-availability-deployments-using-amazon-fsx-for-windows-file-server/)
+ [Group Managed Service Accounts](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_key_concepts_gmsa.html)

#### Home folders and roaming user profile support


FSx for Windows File Server can be used to store data from Active Directory user home folders and My Documents in a central location. FSx for Windows File Server can also be used to store data from Roaming User Profiles.

**Related items**
+ [Windows home directories made easy with Amazon FSx](https://aws.amazon.com/blogs/storage/windows-home-directories-and-file-shares-made-easy-with-amazon-fsx/)
+ [Deploying roaming user profiles](https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles)
+ [Using FSx for Windows File Server with WorkSpaces](https://aws.amazon.com/blogs/desktop-and-application-streaming/using-amazon-fsx-for-windows-file-server-with-amazon-workspaces/)

#### Networked file share support


Networked file shares on an FSx for Windows File Server provide a managed and scalable file sharing solution. One use case is mapped drives for clients that can be created manually or via Group Policy.

**Related items**
+ [Walkthrough 6: Scaling out performance with Shards](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/scale-out-performance.html)
+ [Drive mapping](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581924(v%3Dws.11))
+ [Using FSx for Windows File Server with WorkSpaces](https://aws.amazon.com/blogs/desktop-and-application-streaming/using-amazon-fsx-for-windows-file-server-with-amazon-workspaces/)

#### Group policy software installation support


Because the size and performance of the SYSVOL folder are limited, as a best practice you should avoid storing data such as software installation files in that folder. As a possible solution, FSx for Windows File Server can be configured to store all software files that are installed using Group Policy.

**Related items**
+ [Use Group Policy to remotely install software](https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/use-group-policy-to-install-software)

#### Windows Server Backup target support


FSx for Windows File Server can be configured as a target drive in Windows Server Backup using the UNC file share. In this case, you would specify the UNC path to your FSx for Windows File Server instead of to the attached EBS volume. 

**Related Items**
+ [Perform a system state recovery of your server](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee849849(v=ws.10)#to-perform-a-system-state-recovery-of-your-server)

Amazon FSx also supports AWS Managed Microsoft AD Directory Sharing. For more information, see:
+ [Share your AWS Managed Microsoft AD](ms_ad_directory_sharing.md)
+ [Using Amazon FSx with AWS Managed Microsoft AD in a different VPC or account](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/shared-mad.html)

## Amazon RDS integration with AWS Managed Microsoft AD


Amazon RDS supports external authentication of database users using Kerberos with Microsoft Active Directory. Kerberos is a network authentication protocol that uses tickets and symmetric-key cryptography to eliminate the need to transmit passwords over the network. Amazon RDS support for Kerberos and Active Directory provides the benefits of single sign-on and centralized authentication of database users so you can keep your user credentials in Active Directory.

To get started with this use case, you will first need to set up a basic AWS Managed Microsoft AD and Amazon RDS configuration.
+ [Getting started with AWS Managed Microsoft AD](ms_ad_getting_started.md)
+ [Getting started with Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.html)

Each of the use cases referenced below starts from a base AWS Managed Microsoft AD and Amazon RDS configuration and covers how to integrate Amazon RDS with AWS Managed Microsoft AD.
+ [Using Windows authentication with an Amazon RDS for SQL Server DB instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_SQLServerWinAuth.html)
+ [Using Kerberos authentication for MySQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/mysql-kerberos.html)
+ [Using Kerberos authentication with Amazon RDS for Oracle](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-kerberos.html)
+ [Using Kerberos authentication with Amazon RDS for PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos.html)

Amazon RDS also supports AWS Managed Microsoft AD Directory Sharing. For more information, see:
+ [Share your AWS Managed Microsoft AD](ms_ad_directory_sharing.md)
+ [Joining your Amazon RDS DB instances across accounts to a single shared domain](https://aws.amazon.com/blogs/database/joining-your-amazon-rds-instances-across-accounts-to-a-single-shared-domain/)

For more information about joining an Amazon RDS for SQL Server to your Active Directory, see [Join Amazon RDS for SQL Server to your self-managed Active Directory](https://aws.amazon.com/blogs//database/join-amazon-rds-for-sql-server-to-your-self-managed-active-directory/).

### .NET application using Amazon RDS for SQL Server with group Managed Service Accounts


You can integrate Amazon RDS for SQL Server with a basic .NET application and group Managed Service Accounts (gMSAs). For more information, see [How AWS Managed Microsoft AD Helps to Simplify the Deployment and Improve the Security of Active Directory-Integrated .NET Applications](https://aws.amazon.com/blogs/security/how-aws-managed-microsoft-ad-helps-to-simplify-the-deployment-and-improve-the-security-of-active-directory-integrated-net-applications/).

# Use Case 2: Manage Amazon EC2 instances


Using familiar Active Directory administration tools, you can apply Active Directory group policy objects (GPOs) to centrally manage your Amazon EC2 for Windows or Linux instances by [joining your instances to your AWS Managed Microsoft AD domain](https://docs.aws.amazon.com/en_us/directoryservice/latest/admin-guide/ms_ad_join_instance.html).

In addition, your users can sign in to your instances with their Active Directory credentials. This eliminates the need to use individual instance credentials or distribute private key (PEM) files. This makes it easier for you to instantly grant or revoke access to users by using Active Directory user administration tools you already use.

# Use Case 3: Provide directory services to your Active Directory-aware workloads


AWS Managed Microsoft AD is an actual Microsoft Active Directory that enables you to run traditional Active Directory-aware workloads such as [Remote Desktop Licensing Manager](https://aws.amazon.com/blogs/security/how-to-enable-the-use-of-remote-desktops-by-deploying-microsoft-remote-desktop-licensing-manager-on-aws-microsoft-ad/) and [Microsoft SharePoint and Microsoft SQL Server Always On](https://forums.aws.amazon.com/ann.jspa?annID=4636) in the AWS Cloud. AWS Managed Microsoft AD also helps you to simplify and improve the security of Active Directory-integrated .NET applications by using [group Managed Service Accounts (gMSAs) and Kerberos constrained delegation (KCD)](https://aws.amazon.com/about-aws/whats-new/2017/05/simplify-migration-and-improve-security-of-active-directory-integrated-net-applications-by-using-aws-microsoft-ad/).

# Use Case 4: AWS IAM Identity Center to Office 365 and other cloud applications


You can use AWS Managed Microsoft AD to provide AWS IAM Identity Center services for cloud applications. You can use Microsoft Entra Connect (formerly known as Azure Active Directory Connect) to synchronize your users into Microsoft Entra (formerly known as Azure Active Directory (Azure AD)), and then use Active Directory Federation Services (AD FS) so that your users can access [Microsoft Office 365](https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/) and other SAML 2.0 cloud applications by using their Active Directory credentials.

[Integrating AWS Managed Microsoft AD with IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-ad.html) adds SAML capabilities to your AWS Managed Microsoft AD and/or your on-premises trusted domains. Once integrated, your users can use IAM Identity Center with services that support SAML, including the AWS Management Console and third-party cloud applications such as Office 365, Concur, and Salesforce, without having to configure a SAML infrastructure. For a demonstration of the process of allowing your on-premises users to use IAM Identity Center, see the following YouTube video.

**Note**  
AWS Single Sign-On was renamed to IAM Identity Center.

[AWS Videos: Using IAM Identity Center with on-premises Active Directory users](https://www.youtube.com/watch?v=nuPjljOVZmU)


# Use Case 5: Extend your on-premises Active Directory to the AWS Cloud


If you already have an Active Directory infrastructure and want to use it when migrating Active Directory-aware workloads to the AWS Cloud, AWS Managed Microsoft AD can help. You can use [Active Directory trusts](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_trust.html) to connect AWS Managed Microsoft AD to your existing Active Directory. This means your users can access Active Directory-aware and AWS applications with their on-premises Active Directory credentials, without needing you to synchronize users, groups, or passwords.

For example, your users can sign in to the AWS Management Console and Amazon WorkSpaces by using their existing Active Directory user names and passwords. Also, when you use Active Directory-aware applications such as SharePoint with AWS Managed Microsoft AD, your logged-in Windows users can access these applications without needing to enter credentials again.

You can also migrate your on-premises Active Directory domain to AWS to be free of the operational burden of your Active Directory infrastructure using the [Active Directory Migration Toolkit (ADMT)](https://aws.amazon.com/blogs/security/how-to-migrate-your-on-premises-domain-to-aws-managed-microsoft-ad-using-admt/) along with the Password Export Service (PES) to perform the migration.

# Use Case 6: Share your directory to seamlessly join Amazon EC2 instances to a domain across AWS accounts


Sharing your directory across multiple AWS accounts enables you to manage AWS services such as [Amazon EC2](https://aws.amazon.com/ec2/) easily without the need to operate a directory for each account and each VPC. You can use your directory from any AWS account and from any [Amazon VPC](https://aws.amazon.com/vpc/) within an AWS Region. This capability makes it easier and more cost effective to manage directory-aware workloads with a single directory across accounts and VPCs. For example, you can now manage your [Windows workloads](https://aws.amazon.com/windows/) deployed in EC2 instances across multiple accounts and VPCs easily by using a single AWS Managed Microsoft AD directory. 

When you share your AWS Managed Microsoft AD directory with another AWS account, you can use the Amazon EC2 console or [AWS Systems Manager](https://aws.amazon.com/systems-manager/) to seamlessly join your instances from any Amazon VPC within the account and AWS Region. You can quickly deploy your directory-aware workloads on EC2 instances by eliminating the need to manually join your instances to a domain or to deploy directories in each account and VPC. For more information, see [Share your AWS Managed Microsoft AD](ms_ad_directory_sharing.md).