

# Microsoft AD directory


With AWS IAM Identity Center, you can connect a self-managed directory in Active Directory (AD) or a directory in AWS Managed Microsoft AD by using AWS Directory Service. This Microsoft AD directory defines the pool of identities that administrators can pull from when using the IAM Identity Center console to assign single sign-on access. After connecting your corporate directory to IAM Identity Center, you can then grant your AD users or groups access to AWS accounts, applications, or both. 

AWS Directory Service helps you to set up and run a standalone AWS Managed Microsoft AD directory hosted in the AWS Cloud. You can also use Directory Service to connect your AWS resources with an existing self-managed AD. To configure AWS Directory Service to work with your self-managed AD, you must first set up trust relationships to extend authentication to the cloud.

IAM Identity Center uses the connection provided by Directory Service to perform pass-through authentication to the source AD instance. When you use AWS Managed Microsoft AD as your identity source, IAM Identity Center can work with users from AWS Managed Microsoft AD or from any domain connected through an AD trust. If you want to locate your users in four or more domains, users must use the `DOMAIN\user` syntax as their user name when performing sign-ins to IAM Identity Center.

**Notes**  
As a prerequisite step, make sure your AD Connector or directory in AWS Managed Microsoft AD in Directory Service resides within your AWS Organizations management account.
IAM Identity Center does not support SAMBA 4-based Simple AD as a connected directory.
IAM Identity Center cannot synchronize Foreign Security Principals (FSPs). If a group in AWS Managed Microsoft AD contains members from a trusted domain as FSPs, those members will not sync.

For a demonstration on the process of using Active Directory as an identity source for IAM Identity Center, see the following YouTube video:

[AWS Videos](https://www.youtube.com/watch?v=OMbob_ef7J4)


## Considerations for using Active Directory


If you want to use Active Directory as your identity source, your configuration must meet the following prerequisites:
+ If you are using AWS Managed Microsoft AD, you must enable IAM Identity Center in the same AWS Region where your AWS Managed Microsoft AD directory is set up. IAM Identity Center stores the assignment data in the same Region as the directory. To administer IAM Identity Center, you might need to switch to the Region where IAM Identity Center is configured. Also, note that the AWS access portal uses the same access URL as your directory.
+ Use an Active Directory residing in the management account:

  You must have an existing AD Connector or AWS Managed Microsoft AD directory set up in AWS Directory Service, and it must reside within your AWS Organizations management account. You can connect only one AD Connector directory or one directory in AWS Managed Microsoft AD at a time. If you need to support multiple domains or forests, use AWS Managed Microsoft AD. For more information, see:
  + [Connect a directory in AWS Managed Microsoft AD to IAM Identity Center](connectawsad.md)
  + [Connect a self-managed directory in Active Directory to IAM Identity Center](connectonpremad.md)
+ Use an Active Directory residing in the delegated admin account:

  If you plan to enable IAM Identity Center delegated administration and use Active Directory as your IAM Identity Center identity source, you can use an existing AD Connector or AWS Managed Microsoft AD directory that is set up in AWS Directory Service and resides in the delegated admin account.

  If you decide to change IAM Identity Center identity source from any other source to Active Directory, or change it from Active Directory to any other source, the directory must reside in (be owned by) the IAM Identity Center delegated administrator member account if one exists; otherwise, it must be in the management account.

# Connect Active Directory and specify a user

If you are already using Active Directory, the following topics will help you prepare to connect your directory to IAM Identity Center.

You can connect an AWS Managed Microsoft AD directory or a self-managed directory in Active Directory with IAM Identity Center. 

**Note**  
IAM Identity Center doesn't support SAMBA4-based Simple AD as an identity source.

**AWS Managed Microsoft AD**

1. Review the guidance in [Microsoft AD directory](manage-your-identity-source-ad.md).

1. Follow the steps in [Connect a directory in AWS Managed Microsoft AD to IAM Identity Center](connectawsad.md).

1. Configure Active Directory to synchronize the user to whom you want to grant administrative permissions into IAM Identity Center. For more information, see [Synchronize an administrative user into IAM Identity Center](#sync-admin-user-from-ad).

**Self-managed directory in Active Directory**

1. Review the guidance in [Microsoft AD directory](manage-your-identity-source-ad.md).

1. Follow the steps in [Connect a self-managed directory in Active Directory to IAM Identity Center](connectonpremad.md).

1. Configure Active Directory to synchronize the user to whom you want to grant administrative permissions into IAM Identity Center. For more information, see [Synchronize an administrative user into IAM Identity Center](#sync-admin-user-from-ad).

**External IdP**

1. Review the guidance in [External identity providers](manage-your-identity-source-idp.md).

1. Follow the steps in [How to connect to an external identity provider](how-to-connect-idp.md).

1. Configure your IdP to provision users into IAM Identity Center.
**Note**  
Before you set up automatic, group-based provisioning of all your workforce identities from your IdP into IAM Identity Center, we recommend that you sync the one user to whom you want to grant administrative permissions into IAM Identity Center.

## Synchronize an administrative user into IAM Identity Center


After you connect your Active Directory to IAM Identity Center, you can specify a user to whom you want to grant administrative permissions, and then synchronize that user from your directory into IAM Identity Center.

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Settings**.

1. On the **Settings** page, choose the **Identity source** tab, choose **Actions**, and then choose **Manage Sync**.

1. On the **Manage Sync** page, choose the **Users** tab, and then choose **Add users and groups**.

1. On the **Users** tab, under **User**, enter the exact user name and choose **Add**.

1. Under **Added Users and Groups**, do the following:

   1. Confirm that the user to whom you want to grant administrative permissions is specified.

   1. Select the check box to the left of the user name.

   1. Choose **Submit**.

1. In the **Manage sync** page, the user that you specified appears in the **Users in sync scope** list.

1. In the navigation pane, choose **Users**.

1. On the **Users** page, it might take some time for the user that you specified to appear in the list. Choose the refresh icon to update the list of users. 

At this point, your user doesn't have access to the management account. You will set up administrative access to this account by creating an administrative permission set and assigning the user to that permission set. For more information, see [Create a permission set](howtocreatepermissionset.md).

## Provisioning when users come from Active Directory


IAM Identity Center uses the connection provided by the Directory Service to synchronize user, group, and membership information from your source directory in Active Directory to the IAM Identity Center identity store. No password information is synchronized to IAM Identity Center, because user authentication takes place directly from the source directory in Active Directory. This identity data is used by applications to facilitate in-app lookup, authorization, and collaboration scenarios without passing LDAP activity back to the source directory in Active Directory.

For more information about provisioning, see [User and group provisioning](users-groups-provisioning.md#user-group-provision).

**Topics**
+ [Considerations for using Active Directory](#considerations-ad-identitysource)
+ [Connect Active Directory and specify a user](get-started-connect-id-source-ad-idp-specify-user.md)
+ [Provisioning when users come from Active Directory](#provision-users-from-ad)
+ [Connect a directory in AWS Managed Microsoft AD to IAM Identity Center](connectawsad.md)
+ [Connect a self-managed directory in Active Directory to IAM Identity Center](connectonpremad.md)
+ [Attribute mappings between IAM Identity Center and External Identity Providers directory](attributemappingsconcept.md)
+ [IAM Identity Center configurable AD sync](provision-users-from-ad-configurable-ADsync.md)

# Connect a directory in AWS Managed Microsoft AD to IAM Identity Center


Use the following procedure to connect a directory in AWS Managed Microsoft AD that is managed by AWS Directory Service to IAM Identity Center. 

**To connect AWS Managed Microsoft AD to IAM Identity Center**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).
**Note**  
Make sure that the IAM Identity Center console is using one of the Regions where your AWS Managed Microsoft AD directory is located before you move to the next step.

1. Choose **Settings**.

1. On the **Settings** page, choose the **Identity source** tab, and then choose **Actions > Change identity source**.

1. Under **Choose identity source**, select **Active Directory**, and then choose **Next**.

1. Under **Connect active directory**, choose a directory in AWS Managed Microsoft AD from the list, and then choose **Next**.

1. Under **Confirm change**, review the information and when ready type **ACCEPT**, and then choose **Change identity source**.
**Important**  
To specify a user in Active Directory as an administrative user in IAM Identity Center, you must first synchronize the user to whom you want to grant administrative permissions from Active Directory into IAM Identity Center. To do so, follow the steps in [Synchronize an administrative user into IAM Identity Center](get-started-connect-id-source-ad-idp-specify-user.md#sync-admin-user-from-ad).

# Connect a self-managed directory in Active Directory to IAM Identity Center


Users in your self-managed directory in Active Directory (AD) can also have single sign-on access to AWS accounts and applications in the AWS access portal. To configure single sign-on access for these users, you can do either of the following:
+ **Create a two-way trust relationship** – When two-way trust relationships are created between AWS Managed Microsoft AD and a self-managed directory in AD, users in your self-managed directory in AD can sign in with their corporate credentials to various AWS services and business applications. One-way trusts do not work with IAM Identity Center.

  AWS IAM Identity Center requires a two-way trust so that it has permissions to read user and group information from your domain to synchronize user and group metadata. IAM Identity Center uses this metadata when assigning access to permission sets or applications. User and group metadata is also used by applications for collaboration, like when you share a dashboard with another user or group. The trust from Directory Service for Microsoft Active Directory to your domain permits IAM Identity Center to trust your domain for authentication. The trust in the opposite direction grants AWS permissions to read user and group metadata. 

  For more information about setting up a two-way trust, see [When to Create a Trust Relationship](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/setup_trust.html) in the *AWS Directory Service Administration Guide*.
**Note**  
To allow AWS applications, such as IAM Identity Center, to read Directory Service directory users from trusted domains, the Directory Service accounts require read permission on the `userAccountControl` attribute of the trusted users. Without read permission on this attribute, AWS applications cannot determine whether an account is enabled or disabled.  
Read access to this attribute is granted by default when a trust is created. If you deny access to this attribute (not recommended), applications such as IAM Identity Center can no longer read trusted users. The fix is to explicitly allow Read access to the `userAccountControl` attribute for the AWS service accounts under the AWS Reserved OU (prefixed with `AWS_`).
+ **Create an AD Connector** – AD Connector is a directory gateway that can redirect directory requests to your self-managed AD without caching any information in the cloud. For more information, see [Connect to a Directory](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html) in the *AWS Directory Service Administration Guide*. The following are considerations when using AD Connector:
  + If you are connecting IAM Identity Center to an AD Connector directory, any future user password resets must be done from within AD. This means that users will not be able to reset their passwords from the AWS access portal.
  + If you use AD Connector to connect your Active Directory Domain Service to IAM Identity Center, IAM Identity Center only has access to the users and groups of the single domain to which AD Connector attaches. If you need to support multiple domains or forests, use Directory Service for Microsoft Active Directory.
**Note**  
IAM Identity Center does not work with SAMBA4-based Simple AD directories.

# Attribute mappings between IAM Identity Center and External Identity Providers directory

Attribute mappings are used to map attribute types that exist in IAM Identity Center with like attributes in your external identity source such as Google Workspace, Microsoft Active Directory (AD), and Okta. IAM Identity Center retrieves user attributes from your identity source and maps them to IAM Identity Center user attributes. 

If IAM Identity Center uses an **external identity provider** (IdP), like Google Workspace, Okta, or Ping, as the identity source, you'll need to map the attributes in your IdP.

IAM Identity Center prefills a set of attributes for you under the **Attribute mappings** tab found on its configuration page. IAM Identity Center uses these user attributes to populate SAML assertions (as SAML attributes) that are sent to the application. These user attributes are in turn retrieved from your identity source. Each application determines the list of SAML 2.0 attributes it needs for successful single sign-on. For more information, see [Map attributes in your application to IAM Identity Center attributes](mapawsssoattributestoapp.md).

IAM Identity Center also manages a set of attributes for you under the **Attribute mappings** section of your **Active Directory configuration page** if you're using Active Directory as an identity source. For more information, see [Mapping user attributes between IAM Identity Center and Microsoft AD directory](mapssoattributestocdattributes.md).

## Supported external identity provider attributes


The following table lists all external identity provider (IdP) attributes that are supported and that can be mapped to attributes you can use when configuring [Attributes for access control](attributesforaccesscontrol.md) in IAM Identity Center. When using SAML assertions, you can use whichever attributes your IdP supports.


| Supported attributes in your IdP |
| --- |
| `${path:userName}` |
| `${path:name.familyName}` |
| `${path:name.givenName}` |
| `${path:displayName}` |
| `${path:nickName}` |
| `${path:emails[primary eq true].value}` |
| `${path:addresses[type eq "work"].streetAddress}` |
| `${path:addresses[type eq "work"].locality}` |
| `${path:addresses[type eq "work"].region}` |
| `${path:addresses[type eq "work"].postalCode}` |
| `${path:addresses[type eq "work"].country}` |
| `${path:addresses[type eq "work"].formatted}` |
| `${path:phoneNumbers[type eq "work"].value}` |
| `${path:userType}` |
| `${path:title}` |
| `${path:locale}` |
| `${path:timezone}` |
| `${path:enterprise.employeeNumber}` |
| `${path:enterprise.costCenter}` |
| `${path:enterprise.organization}` |
| `${path:enterprise.division}` |
| `${path:enterprise.department}` |
| `${path:enterprise.manager.value}` |

## Default mappings between IAM Identity Center and Microsoft AD

The following table lists the default mappings for user attributes in IAM Identity Center to the user attributes in your Microsoft AD directory. IAM Identity Center only supports the list of attributes in the **User attribute in IAM Identity Center** column. 


| User attribute in IAM Identity Center | Maps to this attribute in your Active Directory |
| --- | --- |
| displayname | `${displayname}` |
| emails[?primary].value \* | `${mail}` |
| externalid | `${objectguid}` |
| name.givenname | `${givenname}` |
| name.familyname | `${sn}` |
| name.middlename | `${initials}` |
| sid | `${objectsid}` |
| username | `${userprincipalname}` |

\* The email attribute in IAM Identity Center must be unique within the directory.

| Group attribute in IAM Identity Center | Maps to this attribute in your Active Directory |
| --- | --- |
| externalid | `${objectguid}` |
| description | `${description}` |
| displayname | `${samaccountname}@${associateddomain}` |

**Considerations**
+ If you do not have any assignments for your users and groups in IAM Identity Center when you enable configurable AD sync, the default mappings in the previous tables are used. For information about how to customize these mappings, see [Configure attribute mappings for your sync](manage-sync-configure-attribute-mapping-configurable-ADsync.md).
+ Certain IAM Identity Center attributes cannot be modified because they are immutable and mapped by default to specific Microsoft AD directory attributes.

  For example, "username" is a mandatory attribute in IAM Identity Center. If you map "username" to an AD directory attribute with an empty value, IAM Identity Center uses the `windowsUpn` value as the default value for "username". If you want to change the attribute mapping for "username" from your current mapping, confirm that the IAM Identity Center flows that depend on "username" will continue to work as expected before making the change.

## Supported Microsoft AD attributes for IAM Identity Center

The following table lists all Microsoft AD directory attributes that are supported and that can be mapped to user attributes in IAM Identity Center. 


| Supported attributes in your Microsoft AD directory |
| --- |
| `${samaccountname}` |
| `${description}` |
| `${objectguid}` |
| `${objectsid}` |
| `${givenname}` |
| `${sn}` |
| `${initials}` |
| `${mail}` |
| `${userprincipalname}` |
| `${displayname}` |
| `${distinguishedname}` |
| `${proxyaddresses[?type == "SMTP"].value}` |
| `${proxyaddresses[?type == "smtp"].value}` |
| `${useraccountcontrol}` |
| `${associateddomain}` |

**Considerations**
+ You can specify any combination of supported Microsoft AD directory attributes to map to a single mutable attribute in IAM Identity Center.
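Added example (not AWS code) covering the default-mapping tables and the supported-attribute list above: it applies the default user and group mappings to constructed AD records, rejects a custom mapping that names an unsupported AD attribute, applies the page's two rules (an empty mapped `username` falls back to the UPN; `userAccountControl` must be readable before an account can be judged enabled or disabled) and checks that emails are unique. The records, GUIDs and SIDs are constructed, and the `ACCOUNTDISABLE` bit value (0x2) is the Microsoft-defined flag, not something the page states.

```python
import re

# Default user mapping from the table above: Identity Center attribute -> AD template.
DEFAULT_USER_MAPPING = {
    "displayname": "${displayname}",
    "emails[?primary].value": "${mail}",
    "externalid": "${objectguid}",
    "name.givenname": "${givenname}",
    "name.familyname": "${sn}",
    "name.middlename": "${initials}",
    "sid": "${objectsid}",
    "username": "${userprincipalname}",
}

# Default group mapping from the table above.
DEFAULT_GROUP_MAPPING = {
    "externalid": "${objectguid}",
    "description": "${description}",
    "displayname": "${samaccountname}@${associateddomain}",
}

# AD attributes the page lists as supported mapping sources (plain names only;
# the filtered proxyaddresses forms are not modelled here).
SUPPORTED_AD_ATTRIBUTES = {
    "samaccountname", "description", "objectguid", "objectsid", "givenname", "sn",
    "initials", "mail", "userprincipalname", "displayname", "distinguishedname",
    "useraccountcontrol", "associateddomain",
}

ACCOUNTDISABLE = 0x0002  # Microsoft-defined userAccountControl bit (not from the page)
_PLACEHOLDER = re.compile(r"\$\{([a-z]+)\}")


def validate_mapping(mapping):
    """Reject a template that references an attribute outside the supported list."""
    for ic_attr, template in mapping.items():
        for ad_attr in _PLACEHOLDER.findall(template):
            if ad_attr not in SUPPORTED_AD_ATTRIBUTES:
                raise ValueError(f"{ic_attr}: unsupported AD attribute '{ad_attr}'")


def render(template, record):
    """Substitute every ${attr} in a template with the AD record's value ('' if absent)."""
    return _PLACEHOLDER.sub(lambda m: str(record.get(m.group(1), "")), template)


def map_user(record, mapping=DEFAULT_USER_MAPPING):
    """Build the Identity Center user that a sync would write for one AD user record."""
    validate_mapping(mapping)
    user = {ic_attr: render(template, record) for ic_attr, template in mapping.items()}
    # Page rule: username is mandatory; an empty mapped value falls back to the UPN.
    if not user.get("username"):
        user["username"] = str(record.get("userprincipalname", ""))
    # Page note: without read access to userAccountControl the enabled/disabled
    # state cannot be determined, so refuse to guess rather than default to enabled.
    if "useraccountcontrol" not in record:
        raise LookupError("userAccountControl not readable; account state unknown")
    user["enabled"] = not (int(record["useraccountcontrol"]) & ACCOUNTDISABLE)
    return user


def map_group(record, mapping=DEFAULT_GROUP_MAPPING):
    """Build the Identity Center group for one AD group record."""
    validate_mapping(mapping)
    return {ic_attr: render(template, record) for ic_attr, template in mapping.items()}


def duplicate_emails(users):
    """Page rule: email must be unique in the directory; return case-folded repeats."""
    seen, dupes = set(), set()
    for user in users:
        email = user["emails[?primary].value"].lower()
        if email and email in seen:
            dupes.add(email)
        seen.add(email)
    return sorted(dupes)


# Constructed sample records (not real accounts; GUIDs and SIDs are made up).
ALICE = {
    "samaccountname": "alice", "userprincipalname": "alice@corp.example",
    "mail": "Alice@corp.example", "givenname": "Alice", "sn": "Liddell", "initials": "P",
    "displayname": "Alice Liddell", "objectguid": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "objectsid": "S-1-5-21-1111-2222-3333-1104", "useraccountcontrol": 512,
}
BOB = dict(ALICE, samaccountname="", userprincipalname="bob@corp.example",
           mail="alice@corp.example", givenname="Bob", sn="Example", displayname="Bob Example",
           objectguid="6ba7b810-9dad-11d1-80b4-00c04fd430c8",
           objectsid="S-1-5-21-1111-2222-3333-1105", useraccountcontrol=514)
FINANCE_ADMINS = {"samaccountname": "finance-admins", "description": "Finance administrators",
                  "associateddomain": "corp.example",
                  "objectguid": "7d444840-9dc0-11d1-b245-5ffdce74fad2"}

if __name__ == "__main__":
    for rec in (ALICE, BOB):
        print(map_user(rec))
    print(map_group(FINANCE_ADMINS))
    print("duplicate emails:", duplicate_emails([map_user(ALICE), map_user(BOB)]))
```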

## Supported IAM Identity Center attributes for Microsoft AD

The following table lists all IAM Identity Center attributes that are supported and that can be mapped to user attributes in your Microsoft AD directory. After you set up your application attribute mappings, you can use these same IAM Identity Center attributes to map to actual attributes used by that application.


| Supported attributes in IAM Identity Center for Active Directory |
| --- |
| `${user:AD_GUID}` |
| `${user:AD_SID}` |
| `${user:email}` |
| `${user:familyName}` |
| `${user:givenName}` |
| `${user:middleName}` |
| `${user:name}` |
| `${user:preferredUsername}` |
| `${user:subject}` |

# Mapping user attributes between IAM Identity Center and Microsoft AD directory


You can use the following procedure to specify how your user attributes in IAM Identity Center should map to corresponding attributes in your Microsoft AD directory.

**To map attributes in IAM Identity Center to attributes in your directory**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Settings**.

1. On the **Settings** page, choose the **Attributes for access control** tab, and then choose **Manage Attributes**.

1. On the **Manage attribute for access control** page, find the attribute in IAM Identity Center that you want to map and then type a value in the text box. For example, you might want to map the IAM Identity Center user attribute **`email`** to the Microsoft AD directory attribute **`${mail}`**.

1. Choose **Save changes**.

# IAM Identity Center configurable AD sync


IAM Identity Center configurable Active Directory (AD) sync enables you to explicitly configure the identities in Microsoft Active Directory that are automatically synchronized into IAM Identity Center and control the synchronization process.
+ With this sync method, you can do the following:
  + Control data boundaries by explicitly defining the users and groups in Microsoft Active Directory that are automatically synchronized into IAM Identity Center. You can [add users and groups](manage-sync-add-users-groups-configurable-ADsync.md) or [remove users and groups](manage-sync-remove-users-groups-configurable-ADsync.md) to change the scope of the sync at any time.
  + Assign synchronized users and groups single sign-on [access to AWS accounts](useraccess.md) or [access to applications](assignuserstoapp.md). The applications can be AWS managed applications or customer managed applications. 
  + Control the synchronization process by [pausing and resuming the sync](manage-sync-pause-resume-sync-configurable-ADsync.md) as needed. This helps you regulate the load on production systems.

## Prerequisites and considerations


Before you use configurable AD sync, be aware of the following prerequisites and considerations:
+ **Specifying users and groups in Active Directory to sync**

  Before you can use IAM Identity Center to assign new users and groups access to AWS accounts and to AWS managed applications or customer managed applications, you must specify the users and groups in Active Directory to sync, and then sync them into IAM Identity Center.
  + **Configurable AD sync** – IAM Identity Center doesn't search your domain controller directly for users and groups. Instead, you must first specify the list of users and groups to sync. You can configure this list, also known as the *sync scope*, in one of the following ways, depending on whether you have users and groups that are already synced into IAM Identity Center, or you have new users and groups that you are syncing for the first time by using configurable AD sync.
    + Existing users and groups: If you have users and groups that are already synced into IAM Identity Center, the sync scope in configurable AD sync is prepopulated with a list of those users and groups. To assign new users or groups, you must specifically add them to the sync scope. For more information, see [Add users and groups to your sync scope](manage-sync-add-users-groups-configurable-ADsync.md).
    + New users and groups: If you want to assign new users and groups access to AWS accounts and to applications, you must specify which users and groups to add to the sync scope in configurable AD sync before you can use IAM Identity Center to make the assignment. For more information, see [Add users and groups to your sync scope](manage-sync-add-users-groups-configurable-ADsync.md).
+ <a name="makingassignmentsnestedgroups"></a>**Making assignments to nested groups in Active Directory**

  Groups that are members of other groups are called *nested groups* (or child groups). 
  + **Configurable AD sync** – Using configurable AD sync to make assignments to a group in Active Directory that contains nested groups might increase the scope of users who have access to AWS accounts or to applications. In this case, the assignment applies to all users, including those in nested groups. For example, if you assign access to Group A, and Group B is a member of Group A, members of Group B also inherit this access.
+ **Updating automated workflows**

  If you have automated workflows that use the IAM Identity Center identity store API actions and IAM Identity Center assignment API actions to assign new users and groups access to accounts and to applications, and to sync them into IAM Identity Center, you must adjust those workflows by April 15, 2022 so that they function as expected with configurable AD sync. Configurable AD sync changes the order in which user and group assignment and provisioning occur, and the way in which queries are performed.
  + **Configurable AD sync** – Provisioning occurs first, and it is not automatically performed. Instead, you must first explicitly add users and groups to the identity store by adding them to your sync scope. For information about the recommended steps for automating your sync configuration for configurable AD sync, see [Automate your sync configuration for configurable AD sync](automate-sync-configuration-configurable-ADsync.md). 

**Topics**
+ [Prerequisites and considerations](#prerequisites-configurable-ADsync)
+ [How configurable AD sync works](how-it-works-configurable-ADsync.md)
+ [Configure attribute mappings for your sync](manage-sync-configure-attribute-mapping-configurable-ADsync.md)
+ [First-time Active Directory to IAM Identity Center sync setup](manage-sync-configurable-ADsync.md)
+ [Add users and groups to your sync scope](manage-sync-add-users-groups-configurable-ADsync.md)
+ [Remove users and groups from your sync scope](manage-sync-remove-users-groups-configurable-ADsync.md)
+ [Pause and resume your sync](manage-sync-pause-resume-sync-configurable-ADsync.md)
+ [Automate your sync configuration for configurable AD sync](automate-sync-configuration-configurable-ADsync.md)

# How configurable AD sync works


IAM Identity Center refreshes the AD-based identity data in the identity store by using the following process. To learn more about the prerequisites, see [Prerequisites and considerations](provision-users-from-ad-configurable-ADsync.md#prerequisites-configurable-ADsync).

## Creation


After you connect your self-managed directory in Active Directory or your AWS Managed Microsoft AD directory that is managed by Directory Service to IAM Identity Center, you can explicitly configure the Active Directory users and groups that you want to sync into the IAM Identity Center identity store. The identities that you choose will be synchronized every three hours or so into the IAM Identity Center identity store. Depending on the size of your directory, the sync process might take longer.

Groups that are members of other groups (called *nested groups* or *child groups*) are also written to the identity store. 

You can only assign access to new users or groups after they are synchronized into the IAM Identity Center identity store. 

## Update


The identity data in the IAM Identity Center identity store stays fresh by periodically reading data from the source directory in Active Directory. IAM Identity Center syncs data from your Active Directory every hour in a sync cycle by default. It may take 30 minutes to 2 hours for the data to sync into IAM Identity Center, based on the size of your Active Directory.

User and group objects that are in the sync scope and their memberships are created or updated in IAM Identity Center to map to the corresponding objects in the source directory in Active Directory. For user attributes, only the subset of attributes listed in the **Attributes for access control** section of the IAM Identity Center console are updated in IAM Identity Center. It may take one sync cycle for any attribute updates you make in Active Directory to be reflected in IAM Identity Center.

You can also update the subset of users and groups that you synchronize into the IAM Identity Center identity store. You can choose to add new users or groups to this subset, or remove them. Any identities that you add are synchronized at the next scheduled sync. Identities that you remove from the subset stop being updated in the IAM Identity Center identity store. Any user who isn't synchronized for more than 28 days is disabled in the IAM Identity Center identity store: the corresponding user objects are disabled automatically during the next sync cycle, unless they belong to another group that is still part of the sync scope.

## Deletion


Users and groups are deleted from the IAM Identity Center identity store when the corresponding user or group objects are deleted from the source directory in Active Directory. Alternatively, you can explicitly delete user objects from the IAM Identity Center identity store by using the IAM Identity Center console. If you use the IAM Identity Center console, you must also remove the users from the sync scope to ensure that they aren't re-synced back into IAM Identity Center during the next sync cycle.

You can also pause and restart synchronization at any time. If you pause synchronization for more than 28 days, all your users will be disabled.
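The nested-group rule (from **Making assignments to nested groups in Active Directory**) and the sync lifecycle described in this section, as an added example that is not AWS code: it expands a sync scope through nested groups, skips Foreign Security Principals (which the page says cannot be synchronized), and applies one sync cycle to a constructed identity-store snapshot so that users who have dropped out of scope are disabled once their last sync is more than 28 days old. Group names, user names, timestamps and the `FSP:` marker are all constructed.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=28)  # page: a user not synced for more than 28 days is disabled
FSP_PREFIX = "FSP:"               # marks a Foreign Security Principal in the constructed data

# Constructed AD group memberships (not a real directory). A member that is also a
# key is a nested group; an "FSP:" member stands for a trusted-domain principal.
DIRECTORY_GROUPS = {
    "Group A": ["alice", "Group B"],
    "Group B": ["bob", "Group C", "FSP:carol@partner.example"],
    "Group C": ["dave", "Group A"],  # membership cycle back to Group A
    "Finance": ["erin"],
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
LATER = NOW + timedelta(days=30)                  # a later cycle, to show ageing out


def expand_group(name, groups, _seen=None):
    """Return (users, skipped_fsps) for a group, following nested groups.

    Mirrors the page: assigning Group A reaches the members of nested Group B
    (and so on), while FSP members are skipped. Cycle-safe via _seen."""
    _seen = set() if _seen is None else _seen
    users, skipped = set(), []
    if name in _seen:
        return users, skipped
    _seen.add(name)
    for member in groups.get(name, []):
        if member.startswith(FSP_PREFIX):
            skipped.append(member[len(FSP_PREFIX):])
        elif member in groups:
            nested_users, nested_skipped = expand_group(member, groups, _seen)
            users |= nested_users
            skipped += nested_skipped
        else:
            users.add(member)
    return users, skipped


def resolve_sync_scope(scope_users, scope_groups, groups):
    """Users a sync cycle will write for a sync scope of explicit users plus groups."""
    in_scope, skipped = set(scope_users), set()
    for group in scope_groups:
        users, fsps = expand_group(group, groups)
        in_scope |= users
        skipped |= set(fsps)
    return in_scope, sorted(skipped)


def run_sync_cycle(store, in_scope, now):
    """Apply one sync cycle to a constructed identity-store snapshot.

    store maps user -> {"enabled": bool, "last_synced": datetime}. In-scope users
    are refreshed (assumed enabled in AD); users no longer in any in-scope group
    stop being updated and are disabled once their last sync is older than
    STALE_AFTER. Returns the users disabled by this cycle."""
    for user in in_scope:
        store[user] = {"enabled": True, "last_synced": now}
    disabled = []
    for user, state in store.items():
        if user not in in_scope and state["enabled"] and now - state["last_synced"] > STALE_AFTER:
            state["enabled"] = False
            disabled.append(user)
    return sorted(disabled)


def sample_store(now):
    """Constructed identity-store snapshot before the cycle (not real data)."""
    return {
        "alice": {"enabled": True, "last_synced": now - timedelta(days=40)},  # still in Group A
        "erin": {"enabled": True, "last_synced": now - timedelta(days=40)},   # Finance left scope
        "gina": {"enabled": True, "last_synced": now - timedelta(days=10)},   # removed recently
    }


if __name__ == "__main__":
    scope, skipped = resolve_sync_scope({"frank"}, ["Group A"], DIRECTORY_GROUPS)
    print("in scope:", sorted(scope), "skipped FSPs:", skipped)
    store = sample_store(NOW)
    print("disabled this cycle:", run_sync_cycle(store, scope, NOW))
    print("disabled 30 days later:", run_sync_cycle(store, scope, LATER))
```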

# Configure attribute mappings for your sync


For more information about available attributes, see [Attribute mappings between IAM Identity Center and External Identity Providers directory](attributemappingsconcept.md).

**To configure attribute mappings in IAM Identity Center to your directory**

1. Open the [IAM Identity Center console.](https://console.aws.amazon.com/singlesignon)

1. Choose **Settings**.

1. On the **Settings** page, choose the **Identity source** tab, choose **Actions**, and then choose **Manage Sync**.

1. Under **Manage Sync**, choose **View attribute mapping**.

1. Under **Active Directory user attributes**, configure **IAM Identity Center identity store attributes** and **Active Directory user attributes**. For example, you might want to map the IAM Identity Center identity store attribute `email` to the Active Directory user directory attribute `${objectguid}`.
**Note**  
Under **Group attributes**, **IAM Identity Center identity store attributes** and **Active Directory group attributes** cannot be changed.

1. Choose **Save changes**. This returns you to the **Manage Sync** page.

# First-time Active Directory to IAM Identity Center sync setup


If you are synchronizing your users and groups from Active Directory into IAM Identity Center for the first time, follow these steps. Alternatively, you can follow steps outlined in [Change your identity source](manage-your-identity-source-change.md) to change your identity source from IAM Identity Center to Active Directory.

## Guided setup


1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).
**Note**  
Make sure that the IAM Identity Center console is using one of the AWS Regions where your AWS Managed Microsoft AD directory is located before you move to the next step.

1. Choose **Settings**.

1. At the top of the page, in the notification message, choose **Start guided setup**.

1. In **Step 1 – *optional*: Configure attribute mappings**, review the default user and group attribute mappings. If no changes are required, choose **Next**. If changes are required, make the changes, and then choose **Save changes**.

1. In **Step 2 – *optional*: Configure sync scope**, choose the **Users** tab. Then, enter the exact username of the user that you want to add to your sync scope and choose **Add**. Next, choose the **Groups** tab. Enter the exact group name of the group that you want to add to your sync scope and choose **Add**. Then, choose **Next**. If you want to add users and groups to your sync scope later, make no changes and choose **Next**.

1. In **Step 3: Review and save configuration**, confirm your **Attribute mappings** in **Step 1: Attribute mappings** and your **Users and groups** in **Step 2: Sync scope**. Choose **Save configuration**. This takes you to the **Manage Sync** page.

# Add users and groups to your sync scope


**Note**  
When adding groups to your sync scope, sync groups directly from the trusted on-premises domain rather than from groups in the AWS Managed Microsoft AD domain. Groups synced directly from the trusted domain contain actual user objects that IAM Identity Center can access and synchronize successfully.

Add your Active Directory users and groups to IAM Identity Center by following these steps.

**To add users**

1. Open the [IAM Identity Center console.](https://console.aws.amazon.com/singlesignon)

1. Choose **Settings**.

1. On the **Settings** page, choose the **Identity source** tab, choose **Actions**, and then choose **Manage Sync**.

1. On the **Manage Sync** page, choose the **Users** tab, and then choose **Add users and groups**.

1. On the **Users** tab, under **User**, enter the exact user name and choose **Add**.

1. Under **Added Users and Groups**, review the user that you want to add.

1. Choose **Submit**.

1. In the navigation pane, choose **Users**. If the user that you specified doesn't display in the list, choose the refresh icon to update the list of users. 

**To add groups**

1. Open the [IAM Identity Center console.](https://console.aws.amazon.com/singlesignon)

1. Choose **Settings**.

1. On the **Settings** page, choose the **Identity source** tab, choose **Actions**, and then choose **Manage Sync**.

1. On the **Manage Sync** page, choose the **Groups** tab, and then choose **Add users and groups**.

1. Choose the **Groups** tab. Under **Group**, enter the exact group name and choose **Add**.

1. Under **Added Users and Groups**, review the group that you want to add.

1. Choose **Submit**.

1. In the navigation pane, choose **Groups**. If the group that you specified doesn't display in the list, choose the refresh icon to update the list of groups. 

# Remove users and groups from your sync scope


For more information about what happens when you remove users and groups from your sync scope, see [How configurable AD sync works](how-it-works-configurable-ADsync.md).

**To remove users**

1. Open the [IAM Identity Center console.](https://console.aws.amazon.com/singlesignon)

1. Choose **Settings**.

1. On the **Settings** page, choose the **Identity source** tab, choose **Actions**, and then choose **Manage Sync**.

1. Choose the **Users** tab.

1. Under **Users in sync scope**, select the check box beside the user that you want to delete. To delete all users, select the check box beside **Username**.

1. Choose **Remove**.

**To remove groups**

1. Open the [IAM Identity Center console.](https://console.aws.amazon.com/singlesignon)

1. Choose **Settings**.

1. On the **Settings** page, choose the **Identity source** tab, choose **Actions**, and then choose **Manage Sync**.

1. Choose the **Groups** tab.

1. Under **Groups in sync scope**, select the check box beside the group that you want to delete. To delete all groups, select the check box beside **Group name**.

1. Choose **Remove**.

# Pause and resume your sync


Pausing your sync pauses all future sync cycles and prevents any changes that you make to users and groups in Active Directory from being reflected in IAM Identity Center. After you resume the sync, the sync cycle picks up these changes from the next scheduled sync.

**To pause your sync**

1. Open the [IAM Identity Center console.](https://console.aws.amazon.com/singlesignon)

1. Choose **Settings**.

1. On the **Settings** page, choose the **Identity source** tab, choose **Actions**, and then choose **Manage Sync**.

1. Under **Manage Sync**, choose **Pause sync**.

**To resume your sync**

1. Open the [IAM Identity Center console.](https://console.aws.amazon.com/singlesignon)

1. Choose **Settings**.

1. On the **Settings** page, choose the **Identity source** tab, choose **Actions**, and then choose **Manage Sync**.

1. Under **Manage Sync**, choose **Resume sync**.
**Note**  
If you see **Pause sync** instead of **Resume sync**, the sync from Active Directory to IAM Identity Center has already resumed.

# Automate your sync configuration for configurable AD sync


To ensure that your automated workflow works as expected with configurable AD sync, we recommend that you perform the following steps to automate your sync configuration.

**To automate your sync configuration for configurable AD sync**

1. In Active Directory, create a *parent sync group* to contain all users and groups that you want to sync into IAM Identity Center. For example, you can name the group *IAMIdentityCenterAllUsersAndGroups*.

1. In IAM Identity Center, add the parent sync group to your configurable sync list. IAM Identity Center will synchronize all users, groups, sub-groups, and members of all groups contained within the parent sync group.

1. Use the Active Directory user and group management API actions provided by Microsoft to add or remove users and groups from the parent sync group.
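
The parent sync group procedure above, carried out with the ActiveDirectory PowerShell module, as an added example that is not code from the AWS documentation. It also checks the group for Foreign Security Principals, which IAM Identity Center cannot synchronize; the group name is the one suggested on the page, while the OU path and the member account names are assumptions for illustration.

```powershell
# Added example (not from the AWS documentation). Assumes the RSAT ActiveDirectory
# module and a session with rights to manage the parent sync group.
Import-Module ActiveDirectory

$ParentGroup = 'IAMIdentityCenterAllUsersAndGroups'   # name suggested on the page
$GroupOU     = 'OU=Groups,DC=corp,DC=example'         # assumed OU (constructed)

# 1. Create the parent sync group once; safe to re-run.
if (-not (Get-ADGroup -Filter "Name -eq '$ParentGroup'")) {
    New-ADGroup -Name $ParentGroup -GroupScope Global -GroupCategory Security `
        -Path $GroupOU -Description 'Users and groups synced to IAM Identity Center'
}

# 2. Add or remove members. Members may be users or groups; IAM Identity Center
#    expands nested groups during the sync cycle.
$ToAdd    = @('jdoe', 'Finance-Users')   # assumed sAMAccountNames (constructed)
$ToRemove = @('contractor01')            # assumed sAMAccountName (constructed)
if ($ToAdd)    { Add-ADGroupMember    -Identity $ParentGroup -Members $ToAdd }
if ($ToRemove) { Remove-ADGroupMember -Identity $ParentGroup -Members $ToRemove -Confirm:$false }

# 3. Check: members from a trusted domain that exist only as Foreign Security
#    Principal objects are not synchronized, so report any found in the parent
#    group or in its nested groups. The raw 'member' attribute is read instead of
#    Get-ADGroupMember, which can fail when an FSP cannot be resolved.
function Get-UnsyncableMembers {
    param([string]$GroupName, [hashtable]$Visited = @{})
    $group = Get-ADGroup -Identity $GroupName -Properties member
    if ($Visited.ContainsKey($group.DistinguishedName)) { return }   # nested-group cycle guard
    $Visited[$group.DistinguishedName] = $true
    foreach ($dn in $group.member) {
        if ($dn -like '*,CN=ForeignSecurityPrincipals,*') {
            [pscustomobject]@{ Group = $group.Name; Member = $dn; Reason = 'FSP: not synced' }
        }
        elseif ((Get-ADObject -Identity $dn).ObjectClass -eq 'group') {
            Get-UnsyncableMembers -GroupName $dn -Visited $Visited   # recurse into nested groups
        }
    }
}

$problems = Get-UnsyncableMembers -GroupName $ParentGroup
if ($problems) { $problems | Format-Table -AutoSize }
else           { "No unsyncable members found in $ParentGroup" }
```

Any member reported by the check should be replaced with the corresponding group synced directly from the trusted domain, as the note under "Add users and groups to your sync scope" recommends.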