Why didn't my AD users sync to IAM Identity Center?


My Active Directory (AD) users didn't sync to AWS Identity and Access Management (IAM) Identity Center (successor to AWS Single Sign-On).


After connecting your AWS Managed AD or self-managed AD to IAM Identity Center, users in the default "Domain Users" group won't sync to IAM Identity Center. This is because IAM Identity Center can't read AD primary groups and their memberships.

To resolve this issue, create new groups in your Managed AD, assign users to the groups, and then sync the users to IAM Identity Center. Using new groups instead of the default "Domain Users" group allows group membership in the IAM Identity Center identity store.
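As an added example (not from the AWS article), the following PowerShell finds enabled users who belong to no explicit group (only their primary group, typically "Domain Users"), creates a dedicated security group if it is missing, and adds those users to it so that Identity Center can read the membership. The group name and OU are assumptions; adjust them for your directory.

```powershell
# Added example, not part of the AWS article. Requires the RSAT
# ActiveDirectory module and rights to create groups in the target OU.
Import-Module ActiveDirectory

$SyncGroup  = 'IdentityCenter-Users'           # assumed group name
$SearchBase = 'OU=Users,DC=corp,DC=example'    # assumed OU (placeholder)

# Primary-group membership (e.g. "Domain Users", RID 513) is stored only
# in primaryGroupID, not in the group's member attribute, so a user with
# an empty memberOf has no membership that Identity Center can read.
$orphans = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties memberOf, primaryGroupID |
    Where-Object { -not $_.memberOf }

Write-Host ("Users with only a primary group: {0}" -f @($orphans).Count)
$orphans | Select-Object SamAccountName, primaryGroupID | Format-Table

# Create the explicit group once; Get-ADGroup returns $null if it is absent.
if (-not (Get-ADGroup -Filter "Name -eq '$SyncGroup'")) {
    New-ADGroup -Name $SyncGroup -GroupScope Global `
        -GroupCategory Security -Path $SearchBase
}

# Add the users; the new group now carries the membership Identity Center syncs.
if ($orphans) {
    Add-ADGroupMember -Identity $SyncGroup -Members $orphans
}
```

After the group is populated, add it to the Identity Center sync scope (or wait for the next sync) and confirm the users appear in the identity store.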

For more information, see Active Directory "Domain Users" group does not properly sync into IAM Identity Center.

Related information

IAM Identity Center configurable AD sync

Connect to a Microsoft AD directory

How do I use the IAM Identity Center and the AWS access portal?

AWS OFFICIAL. Updated a year ago.