SSO with AWS Managed Microsoft AD Directory Service - Something went wrong


Hi, I'm new to AWS so please be gentle with me.

Everything mentioned here is in the same region: I've set up Organisations and have a few sub accounts. An AWS Managed Microsoft Active Directory (Directory Service) has been set up, and AWS SSO has been enabled with the Identity Provider changed over to be the MS AD. A permission set has been created using the AdministratorAccess job function policy. This policy has been linked to each AWS account through the IAM Identity Center using an AD Group, linked to the Permission set created.

When I visit the SSO login page, I can see that the user account has been granted AdministratorAccess to the accounts where it has been linked. However, when the Management Console link is selected for any of the accounts, a red banner appears at the top right of the page with the words: "Oops, something went wrong, Provide your administrator with the following info: No Access." There is also an HTTP status code of 403, which suggests that permissions have not been set correctly.

I have seen a few YT videos which walk through this process using MS AD as the identity provider, and it all just seems to work for them without any complication. I've also seen some AWS documentation which suggests that there needs to be configuration around the Directory Service and IAM to allow users to be assigned access to the Management Console there.

Any help with understanding what's wrong here would be great. A better error message wouldn't be a bad thing as searching for the above hasn't led me to any hints as to what's wrong.

Hugo
asked a year ago · 583 views
1 Answer

Accepted Answer

Hi There

Have you changed anything as far as attribute mappings or the email field in AD? Take a look at this previous post https://repost.aws/questions/QUAqB5ERupRE2GY9RcUSA2zQ/problem-with-sso

AWS
EXPERT
Matt-B
answered a year ago
  • Thank you so much for answering my question; that's had me around the bend for a day or so now. It's a shame that the error isn't more specific and that the documentation I've seen doesn't mention an email address in the AD account as a requirement.
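One way to check the condition Matt-B points to before users hit the "No Access" banner, as an added example that is not part of the thread: a PowerShell audit of the AD group assigned to the permission set, listing members whose `mail` attribute is empty. It assumes the RSAT ActiveDirectory module on a domain-joined management host with read access to the AWS Managed Microsoft AD; the group name is a placeholder.

```powershell
# Added example (not from the thread): report members of the AD group that is
# mapped to the permission set whose 'mail' attribute is not populated.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host with read
# access to the directory. 'AWS-AdministratorAccess' is a placeholder group name.
Import-Module ActiveDirectory

function Get-MembersMissingMail {
    param(
        [Parameter(Mandatory)] [string] $GroupName
    )
    # -Recursive expands nested groups so only leaf objects come back;
    # keep user objects and pull the attributes we need to report on.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties mail, UserPrincipalName |
        Where-Object { [string]::IsNullOrWhiteSpace($_.mail) } |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}

$missing = Get-MembersMissingMail -GroupName 'AWS-AdministratorAccess'  # placeholder
if ($missing) {
    Write-Warning "Group members with no 'mail' attribute (the condition discussed above):"
    $missing | Format-Table -AutoSize
} else {
    Write-Host "Every member of the group has a 'mail' attribute set."
}
```

Run it against each AD group that is assigned a permission set; any account it lists should have its email populated in AD before the user retries the console link.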
