Log in with an administrator user, go to IDC (IAM Identity Center) and reset the users' passwords.
If you're using the built-in user directory of IAM Identity Center (IDC), those users cannot and never were able to log on to the standard logon page of the AWS Management Console. Instead, IDC users log on via the IDC logon portal, which they would normally access via a URL of the form https://[directory_alias].awsapps.com/start where "directory_alias" would be the alias name you chose for your environment when provisioning IDC.
It's possible that you might have had similarly named users both in IDC and some AWS account in the standard IAM service, but that's just coincidental. The users in IDC's user directory are completely unrelated to IAM users you see and can configure in the standard IAM service console. Users you create in IDC's user directory will not appear in the users view of the IAM service, and users created in IAM will not appear in IDC's user directory. By the same token, if you reset the password for a user in IDC's directory, it will not affect a similarly named IAM user, or vice versa.
*If you're using the built-in user directory of IAM Identity Center (IDC), those users cannot and never were able to log on to the standard logon page of the AWS Management Console.*
Ok, so only now I learned that there is a difference between an 'IAM user' and 'IDC user'. The fact that IAM Identity Center is the recommended tool for handling users, yet IDC users can't log on from aws.amazon.com, while IAM users can, is quite confusing. At first sight, IDC users seem kind of 'inferior' with respect to IAM users. For example, I can activate 'IAM access' so that IAM users can access billing information and create billable stuff. How can I grant similar access to an IDC user, so that it can create stuff?
*where "directory_alias" would be the alias name you chose for your environment when provisioning IDC.*
Can I change this "directory_alias" to any name after IDC is created?
To answer your 2nd question:
Go to Identity Centre -> Settings -> under Identity source, select Actions, Customise URL.
Here you can create your own name.
You're running into a common point of confusion between IAM and IAM Identity Center (formerly AWS SSO)—they manage access in completely different ways, and the users between them are not interchangeable.
Here's what's likely happening: IAM Identity Center users do not show up under the traditional IAM dashboard, and vice versa.
When you created an IAM user (under the IAM service), it didn't impact the IAM Identity Center directly, but attempts to log in via the AWS Console may be clashing, especially if the login portal defaults to IAM instead of Identity Center.
Password resets for IAM Identity Center users often happen via the user portal link (which looks like https://your-aws-start-url.awsapps.com/start). If you're resetting through the root account or IAM dashboard, that may not apply to Identity Center users.
What you can do: Step 1: Double-check your IAM Identity Center user portal URL. You should log in through this link, not the standard IAM sign-in.
Step 2: Go to AWS IAM Identity Center > Users, confirm the users are still active and assigned to permission sets.
Step 3: Try logging in using the start URL tied to IAM Identity Center. If successful, access should be restored.
Step 4: If login still fails, try unassigning and reassigning permission sets to those users. This often forces a refresh of credentials and login capability.
Let me know how it goes—happy to help troubleshoot further.

As I explained, I did that, but that didn't help.
As per Leo's answer, it's a different URL to log in with IAM and Identity Centre. Go to IDC and get the URL to log in via IDC.
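The separation between the IAM and Identity Center directories described in the answers above can be audited with a short script. This is an added example, not code from any of the posters; it assumes boto3 with read access to `iam`, `sso-admin` and `identitystore`, and the portal URL, account ID and user names in the sample run are constructed placeholders.

```python
"""Find user names that exist in both IAM and the IAM Identity Center directory."""


def fetch_iam_user_names():
    """User names from the IAM service of the current account."""
    import boto3  # imported lazily so the comparison below runs without AWS access
    pages = boto3.client("iam").get_paginator("list_users").paginate()
    return [u["UserName"] for page in pages for u in page["Users"]]


def fetch_idc_user_names():
    """User names from the Identity Center directory in the configured region."""
    import boto3
    instances = boto3.client("sso-admin").list_instances()["Instances"]
    if not instances:
        return []  # Identity Center is not enabled in this region
    store_id = instances[0]["IdentityStoreId"]
    pages = boto3.client("identitystore").get_paginator("list_users").paginate(
        IdentityStoreId=store_id)
    return [u["UserName"] for page in pages for u in page["Users"]]


def sign_in_report(iam_names, idc_names, portal_url, account_id):
    """Map each user name to the directory it lives in and its sign-in URL.

    Names are compared case-insensitively (a choice made here to catch
    look-alike names); a name found in both directories is two separate
    identities with two separate passwords.
    """
    iam_url = f"https://{account_id}.signin.aws.amazon.com/console"
    report = {}
    for name in iam_names:
        report.setdefault(name.casefold(), {})["IAM"] = iam_url
    for name in idc_names:
        report.setdefault(name.casefold(), {})["IDC"] = portal_url
    return report


def same_named(report):
    """Names present in both directories, the usual source of login confusion."""
    return sorted(n for n, dirs in report.items() if len(dirs) == 2)


if __name__ == "__main__":
    # Constructed sample data; replace with fetch_iam_user_names() and
    # fetch_idc_user_names() to audit a real account.
    report = sign_in_report(["alice", "deploy-bot"], ["Alice", "bob"],
                            "https://example-alias.awsapps.com/start", "111122223333")
    for name, dirs in sorted(report.items()):
        print(name, dirs)
    print("In both directories (separate passwords):", same_named(report))
```
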