

# Manage users in the Identity Center directory


IAM Identity Center provides the following capabilities for your users and groups:
+ Create your users and groups.
+ Add your users as members to the groups. 
+ Assign the groups the desired level of access to your AWS accounts and applications. 

To manage users and groups in the IAM Identity Center store, AWS supports the API operations listed in [Identity Center Actions](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_Operations.html).

## Provisioning when users are in IAM Identity Center


When you create users and groups directly in IAM Identity Center, provisioning is automatic. These identities are immediately available for use in making assignments and for use by applications. For more information, see [User and group provisioning](users-groups-provisioning.md#user-group-provision).

## Changing your identity source


If you prefer to manage users in AWS Managed Microsoft AD, you can stop using your Identity Center directory at any time and instead connect IAM Identity Center to your directory in Microsoft AD by using Directory Service. For more information, see considerations for [Changing between IAM Identity Center directory and Active Directory](manage-your-identity-source-considerations.md#changing-between-sso-and-active-directory).

If you prefer to manage users in an external identity provider (IdP), you can connect IAM Identity Center to your IdP and enable automatic provisioning. For more information, see considerations for [Changing from IAM Identity Center to an external IdP](manage-your-identity-source-considerations.md#changing-from-idc-and-idp).

**Topics**
+ [Provisioning when users are in IAM Identity Center](#provision-users-sso)
+ [Changing your identity source](#ad-external-idp)
+ [Add users to your Identity Center directory](addusers.md)
+ [Add groups to your Identity Center directory](addgroups.md)
+ [Add users to groups](adduserstogroups.md)
+ [Delete groups in IAM Identity Center](deletegroups.md)
+ [Delete users in IAM Identity Center](deleteusers.md)
+ [Remove users from groups](removeusersfromgroups.md)
+ [Edit Identity Center directory user properties](edituser.md)

# Add users to your Identity Center directory

Users and groups that you create in your Identity Center directory are available in IAM Identity Center only. Use the following procedure to add users to your Identity Center directory. Alternatively, you can call the AWS API operation [CreateUser](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html) to add users.

------
#### [ Console ]

**To add a user**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Users**.

1. Choose **Add user** and provide the following required information:

   1. **Username** – This user name is required to sign in to the AWS access portal and cannot be changed later. It must be between 1 and 100 characters.

   1. **Password** – You can either send an email with the password setup instructions (this is the default option) or generate a one-time password. If you are creating an administrative user and you choose to send an email, make sure that you specify an email address that you can access.

      1. **Send an email to this user with password setup instructions** – This option automatically sends the user an email addressed from Amazon Web Services, with the subject line **Invitation to join AWS IAM Identity Center**. The email invites the user on behalf of your company to access the IAM Identity Center AWS access portal and to register a password. The email invitation expires in seven days. If this happens, you can resend the email by choosing **Reset password**, and then choosing **Send an email to the user with instructions for resetting the password**. Before the user accepts the invitation, you will see **Send email verification link**, which is meant to verify their email address. However, this step is optional, and the option disappears after the user accepts the invitation and registers a password.
**Note**  
In certain Regions, IAM Identity Center sends emails to users using Amazon Simple Email Service from another AWS Region. For information about how emails are sent, see [Cross-Region emails with Amazon SES](regions.md#cross-region-calls).  
All emails sent by the IAM Identity Center service will come from either the address `no-reply@signin.aws.com` or `no-reply@login.awsapps.com`. We recommend that you configure your email system so that it accepts emails from these sender email addresses and does not handle them as junk or spam. 

      1. **Generate a one-time password that you can share with this user** – This option provides you with the AWS access portal URL and password details that you can manually send to the user from your email address. The user will need to verify their email address. You can initiate the process by choosing **Send email verification link**. The email verification link will expire in seven days. If this happens, you can resend the email verification link by choosing **Reset password**, and then choosing **Generate a one-time password and share the password with the user**.

   1. **Email address** – The email address must be unique.

   1.  **Confirm email address** 

   1. **First name** – You must enter a name here for automatic provisioning to work. For more information, see [Provision users and groups from an external identity provider using SCIM](provision-automatically.md).

   1. **Last name** – You must enter a name here for automatic provisioning to work.

   1.  **Display name** 
**Note**  
(Optional) If applicable, you can specify values for additional attributes such as the user's **Microsoft 365 immutable ID** to help provide the user with single sign-on access to certain business applications. 

1. Choose **Next**.

1. If applicable, select one or more groups to which you want to add the user, and choose **Next**.

1. Review the information that you specified for **Step 1: Specify user details** and **Step 2: Add user to groups - optional**. Choose **Edit** by either step to make any changes. After you confirm that the correct information is specified for both steps, choose **Add user**.

------
#### [ AWS CLI ]

**To add a user**  
 The following `create-user` command creates a new user in your Identity Center directory. 

```
aws identitystore create-user \
    --identity-store-id d-1234567890 \
    --user-name johndoe \
    --name "GivenName=John,FamilyName=Doe" \
    --display-name "John Doe" \
    --emails "Type=work,Value=johndoe@example.com"
```

Output:

```
{
    "UserId": "1234567890-abcdef",
    "IdentityStoreId": "d-1234567890"
}
```

**Note**  
When you create users with the `create-user` CLI command or the [CreateUser](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html) API operation, the users do not have passwords. You can update the settings in IAM Identity Center to send these users a verification email after their first attempt to sign in so they can set up a password. If you do not enable this setting, you must generate a one-time password and share it with the user. For more information, see [Email one-time password to users created with API or CLI](userswithoutpwd.md).

------

# Add groups to your Identity Center directory

Use the following procedure to add groups to your Identity Center directory. Alternatively, you can call the AWS API operation [CreateGroup](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroup.html) to add groups.

------
#### [ Console ]

**To add a group**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Groups**.

1. Choose **Create group**.

1. Enter a **Group name** and **Description - *optional***. The description should provide details on what permissions have been or will be assigned to the group. Under **Add users to group - *optional***, locate the users you want to add as members. Then select the check box next to each of them.

1. Choose **Create group**.

------
#### [ AWS CLI ]

**To add a group**  
The following `create-group` command creates a new group in your Identity Center directory.

```
aws identitystore create-group \
    --identity-store-id d-1234567890 \
    --display-name "Developers" \
    --description "Group that contains all developers"
```

Output:

```
{
    "GroupId": "1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p",
    "IdentityStoreId": "d-1234567890"
}
```

------

After you add this group to your Identity Center directory, you can assign single sign-on access to the group. For more information, see [Assign user or group access to AWS accounts](assignusers.md).

# Add users to groups


Use the following procedure to add users as members of a group that you previously created in your Identity Center directory. Alternatively, you can call the AWS API operation [CreateGroupMembership](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroupMembership.html) to add a user as a member of a group.

------
#### [ Console ]

**To add a user as a member of a group**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Groups**.

1. Choose the **group name** that you want to update.

1. On the group details page, under **Users in this group**, choose **Add users to group**.

1. On the **Add users to group** page, under **Other users**, locate the users you want to add as members. Then, select the check box next to each of them.

1. Choose **Add users**.

------
#### [ AWS CLI ]

**To add a user as a member of a group**  
The following `create-group-membership` command adds a user to a group in your Identity Center directory.

```
aws identitystore create-group-membership \
    --identity-store-id d-1234567890 \
    --group-id a1b2c3d4-5678-90ab-cdef-EXAMPLE22222 \
    --member-id UserId=a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
```

Output:

```
{
    "MembershipId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
    "IdentityStoreId": "d-1234567890"
}
```

------
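The `create-user`, `create-group` and `create-group-membership` commands shown in this section and the two before it each make one call, and a second run fails with a conflict once the username, group display name or membership already exists. The following script is an added example (it is not part of the AWS documentation) that chains the same three calls behind lookups with `get-user-id`, `get-group-id` and `is-member-in-groups`, so that re-running an onboarding job is harmless and the `MembershipId` that a later removal needs is printed. It assumes AWS CLI v2 configured with credentials allowed to call those `identitystore` operations; the identity store ID `d-1234567890`, the names and the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: idempotent onboarding of a user
# into a group in the Identity Center directory with the AWS CLI v2 identitystore
# commands. Assumed: credentials allowed to call GetUserId, CreateUser, GetGroupId,
# CreateGroup, IsMemberInGroups, GetGroupMembershipId and CreateGroupMembership.
set -eu

# Copy the identity store ID from the IAM Identity Center console (Settings).
IDENTITY_STORE_ID="${IDENTITY_STORE_ID:-d-1234567890}"

# idc_lookup OPERATION ATTRIBUTE VALUE OUTPUT_KEY
# Resolves a unique attribute (userName or displayName) to an ID. Prints nothing
# and returns 0 when the object does not exist, because ResourceNotFoundException
# is the expected outcome on a first run; any other failure is fatal. VALUE is
# interpolated into JSON, so plain names only (no quotes or backslashes).
idc_lookup() {
  op="$1"; attr="$2"; value="$3"; key="$4"
  if out=$(aws identitystore "$op" \
        --identity-store-id "$IDENTITY_STORE_ID" \
        --alternate-identifier "{\"UniqueAttribute\":{\"AttributePath\":\"$attr\",\"AttributeValue\":\"$value\"}}" \
        --query "$key" --output text 2>&1); then
    printf '%s\n' "$out"
  elif printf '%s' "$out" | grep -q ResourceNotFoundException; then
    return 0
  else
    printf '%s failed: %s\n' "$op" "$out" >&2
    return 1
  fi
}

# idc_ensure_user USERNAME GIVEN_NAME FAMILY_NAME EMAIL -> prints the UserId.
# A user created this way has no password until you generate a one-time
# password or enable emailing a one-time password to API-created users.
idc_ensure_user() {
  user_name="$1"; given="$2"; family="$3"; email="$4"
  id=$(idc_lookup get-user-id userName "$user_name" UserId)
  if [ -z "$id" ]; then
    id=$(aws identitystore create-user \
          --identity-store-id "$IDENTITY_STORE_ID" \
          --user-name "$user_name" \
          --name "GivenName=$given,FamilyName=$family" \
          --display-name "$given $family" \
          --emails "Type=work,Value=$email" \
          --query UserId --output text)
  fi
  printf '%s\n' "$id"
}

# idc_ensure_group DISPLAY_NAME DESCRIPTION -> prints the GroupId.
idc_ensure_group() {
  display_name="$1"; description="$2"
  id=$(idc_lookup get-group-id displayName "$display_name" GroupId)
  if [ -z "$id" ]; then
    id=$(aws identitystore create-group \
          --identity-store-id "$IDENTITY_STORE_ID" \
          --display-name "$display_name" \
          --description "$description" \
          --query GroupId --output text)
  fi
  printf '%s\n' "$id"
}

# idc_ensure_membership USER_ID GROUP_ID -> prints the MembershipId, which is
# the identifier delete-group-membership needs later.
idc_ensure_membership() {
  user_id="$1"; group_id="$2"
  exists=$(aws identitystore is-member-in-groups \
        --identity-store-id "$IDENTITY_STORE_ID" \
        --member-id "UserId=$user_id" \
        --group-ids "$group_id" \
        --query 'Results[0].MembershipExists' --output text)
  if [ "$exists" = "True" ]; then
    aws identitystore get-group-membership-id \
        --identity-store-id "$IDENTITY_STORE_ID" \
        --member-id "UserId=$user_id" \
        --group-id "$group_id" \
        --query MembershipId --output text
  else
    aws identitystore create-group-membership \
        --identity-store-id "$IDENTITY_STORE_ID" \
        --group-id "$group_id" \
        --member-id "UserId=$user_id" \
        --query MembershipId --output text
  fi
}

# Usage: IDC_APPLY=1 ./onboard.sh johndoe John Doe johndoe@example.com Developers
# The guard lets the file be sourced for its functions without calling AWS.
if [ "${IDC_APPLY:-0}" = "1" ]; then
  uid=$(idc_ensure_user "$1" "$2" "$3" "$4")
  gid=$(idc_ensure_group "$5" "Managed by onboard.sh")
  printf 'user=%s group=%s membership=%s\n' "$uid" "$gid" \
      "$(idc_ensure_membership "$uid" "$gid")"
fi
```

The lookups are what make the script safe to repeat: `ResourceNotFoundException` is the one error treated as a normal result, and every other error aborts the run, so a typo in the identity store ID or a missing permission fails loudly instead of silently creating a second object.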

# Delete groups in IAM Identity Center

When you delete a group in your IAM Identity Center directory, every user who is a member of that group loses the access to AWS accounts and applications that was assigned through the group. Deleting a group cannot be undone. Use the following procedure to delete a group in your Identity Center directory.

**Important**  
The instructions on this page apply to [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/). They do not apply to [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM). IAM Identity Center users, groups, and user credentials are different from IAM users, groups, and IAM user credentials. If you are looking for instructions on deleting groups in IAM, see [Deleting an IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_delete.html) in the *AWS Identity and Access Management User Guide*.

------
#### [ Console ]

**To delete a group**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Groups**.

1. There are two ways you can delete a group:
   + On the **Groups** page, you can select multiple groups for deletion. Select the group name that you want to delete and choose **Delete group**.
   + Choose the group name that you want to delete. On the group details page, choose **Delete group** .

1. You might be asked to confirm your intent to delete the group.
   + If you delete multiple groups at once, confirm your intent by typing **Delete** in the **Delete group** dialog box.
   + If you delete a single group that contains users, confirm your intent by typing the name of the group you want to delete in the **Delete group** dialog box.

1. Choose **Delete group**. If you selected multiple groups for deletion, choose **Delete *n* groups**, where *n* is the number of groups you selected.

------
#### [ AWS CLI ]

**To delete a group**  
The following `delete-group` command deletes the specified group from your Identity Center directory.

```
aws identitystore delete-group \
    --identity-store-id d-1234567890 \
    --group-id a1b2c3d4-5678-90ab-cdef-EXAMPLE22222
```

------

# Delete users in IAM Identity Center

When you delete a user in your IAM Identity Center directory, it removes their access to AWS accounts and applications. After you delete a user, you cannot undo this action. Use the following procedure to delete a user in your Identity Center directory.

**Note**  
When you disable user access or delete a user in IAM Identity Center, that user is immediately prevented from signing in to the AWS access portal and cannot create new sign-in sessions. For more information, see [Understanding authentication sessions in IAM Identity Center](authconcept.md).

**Important**  
The instructions on this page apply to [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/). They do not apply to [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM). IAM Identity Center users, groups, and user credentials are different from IAM users, groups, and IAM user credentials. If you are looking for instructions on deleting users in IAM, see [Deleting an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting) in the *AWS Identity and Access Management User Guide*.

------
#### [ Console ]

**To delete a user**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Users**.

1. There are two ways you can delete a user:
   + On the **Users** page, you can select multiple users for deletion. Select the username that you want to delete and choose **Delete users**.
   + Choose the username that you want to delete. On the user details page, choose **Delete user**.

1. If you delete multiple users at once, confirm your intent by typing **Delete** in the **Delete user** dialog box.

1. Choose **Delete user**. If you selected multiple users for deletion, choose **Delete *n* users**, where *n* is the number of users you selected.

------
#### [ AWS CLI ]

**To delete a user**  
The following `delete-user` command deletes a user from your Identity Center directory.

```
aws identitystore delete-user \
    --identity-store-id d-1234567890 \
    --user-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
```

------

# Remove users from groups


Use the following procedure to remove members from a group. Alternatively, you can call the AWS API operation [DeleteGroupMembership](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroupMembership.html) to remove a user from a group.

------
#### [ Console ]

**To remove a user from a group**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Groups**.

1. Choose the group you want to update.

1. On the group details page, under the **Users in this group**, choose the users to remove.

1. Choose **Remove users from group**.

1. In the **Remove users** dialog box, choose **Remove users from group** to confirm that you want to remove the users' access to the accounts and applications that are assigned to the group.

------
#### [ AWS CLI ]

**To remove a user from a group**  
The following `delete-group-membership` command removes a membership from a group.

```
aws identitystore delete-group-membership \
    --identity-store-id d-1234567890 \
    --membership-id a1b2c3d4-5678-90ab-cdef-EXAMPLE33333
```

------
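`delete-group-membership` identifies the membership to remove by its `MembershipId`, not by the user and group, and `delete-user` in the previous section takes only a `UserId`. The following script is an added example (not part of the AWS documentation) covering both of these sections: it resolves the membership with `get-group-membership-id` before deleting it, treating an already-removed membership as success so that an offboarding job can be re-run, and it removes every membership a user holds (listed with `list-group-memberships-for-member`) before deleting the user. It assumes AWS CLI v2 with credentials allowed to call those `identitystore` operations; the identity store ID and the IDs are placeholders.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: offboarding helpers for the
# Identity Center directory using AWS CLI v2 identitystore commands. Assumed:
# credentials allowed to call GetGroupMembershipId, DeleteGroupMembership,
# ListGroupMembershipsForMember and DeleteUser on the store below.
set -eu

IDENTITY_STORE_ID="${IDENTITY_STORE_ID:-d-1234567890}"

# idc_remove_from_group USER_ID GROUP_ID -> prints "removed" or "absent".
# A membership that no longer exists is not an error here, so re-running an
# offboarding job is harmless; any other failure aborts with the CLI message.
idc_remove_from_group() {
  user_id="$1"; group_id="$2"
  if membership_id=$(aws identitystore get-group-membership-id \
        --identity-store-id "$IDENTITY_STORE_ID" \
        --member-id "UserId=$user_id" \
        --group-id "$group_id" \
        --query MembershipId --output text 2>&1); then
    aws identitystore delete-group-membership \
        --identity-store-id "$IDENTITY_STORE_ID" \
        --membership-id "$membership_id"
    echo removed
  elif printf '%s' "$membership_id" | grep -q ResourceNotFoundException; then
    echo absent
  else
    printf 'get-group-membership-id failed: %s\n' "$membership_id" >&2
    return 1
  fi
}

# idc_offboard_user USER_ID -> prints the number of memberships removed.
# Memberships are revoked one by one before the user is deleted, so each
# revocation is its own API call (and CloudTrail event) and a failure stops
# the run before the user record is gone.
idc_offboard_user() {
  user_id="$1"
  count=0
  # --output text prints the IDs separated by tabs; the for loop splits on them.
  for membership_id in $(aws identitystore list-group-memberships-for-member \
        --identity-store-id "$IDENTITY_STORE_ID" \
        --member-id "UserId=$user_id" \
        --query 'GroupMemberships[].MembershipId' --output text); do
    aws identitystore delete-group-membership \
        --identity-store-id "$IDENTITY_STORE_ID" \
        --membership-id "$membership_id"
    count=$((count + 1))
  done
  aws identitystore delete-user \
      --identity-store-id "$IDENTITY_STORE_ID" \
      --user-id "$user_id"
  echo "$count"
}

# Usage: IDC_APPLY=1 ./offboard.sh a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
# The guard lets the file be sourced for its functions without calling AWS.
if [ "${IDC_APPLY:-0}" = "1" ]; then
  printf 'memberships removed: %s\n' "$(idc_offboard_user "$1")"
fi
```

Resolve the `UserId` from the username first (for example with `get-user-id`) rather than pasting it from a ticket: the deletion is irreversible, and the ID is the only thing the script trusts.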

# Edit Identity Center directory user properties

Use the following procedure to edit the properties of a user in your Identity Center directory. Alternatively, you can call the AWS API operation [UpdateUser](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateUser.html) to update user properties.

------
#### [ Console ]

**To edit user properties in IAM Identity Center**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Users**.

1. Choose the user that you want to edit.

1. On the user **Profile** page, next to **Profile details**, choose **Edit**.

1. On the **Edit profile details** page, update the properties as needed. Then, choose **Save changes** .
**Note**  
(Optional) You can modify additional attributes such as **Employee number** and **Office 365 Immutable ID** to help map the user's identity in IAM Identity Center with certain business applications that users need to use. 
**Note**  
The **Email address** attribute is an editable field and the value you provide must be unique.

------
#### [ AWS CLI ]

**To edit user properties in IAM Identity Center**  
The following `update-user` command updates the user's nickname. The `--operations` parameter takes a list of attribute operations, so the value is a JSON array even when there is only one operation.

```
aws identitystore update-user \
    --identity-store-id d-1234567890 \
    --user-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --operations '[{"AttributePath":"nickName","AttributeValue":"Johnny"}]'
```

------