| Feature | Regional availability |
|---|---|
| **Workforce directory with a user portal** | |
| User access to the AWS access portal, including portal sign-in and global sessions (one sign-in for all Regions) | All enabled Regions |
| Display of all assigned accounts | All enabled Regions |
| Display of all assigned applications (regardless of where the applications were created) | All enabled Regions |
| Read access to users, groups, and memberships in the AWS Console or via Identity Store APIs | All enabled Regions |
| Revoke user sessions | All enabled Regions |
| Automatic synchronization of users and groups from an external identity source, such as an external IdP, through the SCIM API or Identity Store API | Primary Region only |
| Configure automatic identity provisioning with SCIM | Primary Region only |
| Configure SAML SSO with an external IdP | Primary Region only - read access through the console in all enabled Regions |
| Create/update/delete operations on users, groups, and group memberships via the console or Identity Store APIs | Primary Region: available via the Identity Store API, but blocked in the IAM Identity Center console when the SCIM API is used for provisioning (except disable/enable user access and delete user, which are always available). Additional Regions: unavailable |
| **Multi-account access** | |
| Access assigned accounts via the AWS access portal, AWS CLI, and shortcut links | All enabled Regions |
| Manage multi-account permission sets and their assignments in the console and APIs (including temporary elevated access) | Primary Region only |
| **Access to applications and AWS services** | |
| Deploy AWS managed applications through the application console and APIs | All enabled Regions - subject to each application's regional availability and support for deployment in additional Regions |
| Create customer managed applications through the Identity Center console and APIs | All enabled Regions |
| Manage application metadata and assignments in the console and APIs | The application's connected IAM Identity Center Region |
| Launch applications from the AWS access portal or directly via an application link or bookmark | All enabled Regions |
| SSO to Amazon EC2 instances | All enabled Regions |
| **Trusted identity propagation** | |
| Create a trusted token issuer | Primary Region only |
| Trusted identity propagation with AWS managed applications | All enabled Regions - applications that propagate identity context to each other must be in the same Region |
| **Other administrative features** | |
| All other administrative features, such as Region management, KMS key management, instance management, and session management (except session revocation) | Primary Region only - read access available in all enabled Regions for some data (permission set assignments excluded) |