Do IAM Identity Center and AD Connector need to be in the Organizations management account, or can they be in any member account?


We use AWS Organizations and are planning to use IAM Identity Center with AD Connector to authenticate against our corporate directory for user access to AMG (Amazon Managed Grafana) workspaces. The AMG Grafana workspaces are provisioned in a member account. The question is: does IAM Identity Center need to be provisioned in the org management account, or can it be set up in any member account? Please share any links/resources supporting the correct answer. TIA

2 Answers
Accepted Answer

You can choose to delegate administration of IAM Identity Center to a member account in AWS Organizations.

Enabling delegated administration provides the following benefits:

  • Minimizes the number of people who require access to the management account to help mitigate security concerns
  • Allows select administrators to assign users and groups to applications and to your organization's member accounts

answered 6 days ago
  • The question still remains: for AMG Workspaces SSO, must IAM Identity Center be in a management/delegated account, or can it be in any other account in the Org?
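
The delegated-administration setup described in the accepted answer, as an added example that is not part of the original thread or of any AWS sample code. The IAM Identity Center organization instance is enabled from the Organizations management account; what delegation does is let a chosen member account administer it. Registering the delegate is an Organizations API call (RegisterDelegatedAdministrator with the service principal sso.amazonaws.com) that must be made with management-account credentials. The account ID, the FakeOrganizationsClient stand-in and the demo() walkthrough are constructed for this example; the boto3 calls in main() are the real ones and only run if boto3 is installed and credentials are available.

```python
"""Added example: make a member account the delegated administrator for
IAM Identity Center, idempotently, and show the org-level instance.

Assumptions (not stated in the thread): the default boto3 credential chain
points at the Organizations management account, and 111111111111 is a
placeholder for the member account that should administer Identity Center.
"""
from __future__ import annotations

# Service principal that AWS Organizations uses for IAM Identity Center.
SSO_SERVICE_PRINCIPAL = "sso.amazonaws.com"


def delegated_admin_ids(response: dict) -> set[str]:
    """Account IDs contained in a ListDelegatedAdministrators response."""
    return {admin["Id"] for admin in response.get("DelegatedAdministrators", [])}


def is_delegated_admin(response: dict, account_id: str) -> bool:
    """True if account_id already appears as a delegated administrator."""
    return account_id in delegated_admin_ids(response)


def ensure_delegated_admin(org_client, account_id: str) -> bool:
    """Register account_id as the Identity Center delegated administrator
    unless it already is one. Returns True only if a registration call was made.
    Must be run with management-account credentials."""
    current = org_client.list_delegated_administrators(
        ServicePrincipal=SSO_SERVICE_PRINCIPAL
    )
    if is_delegated_admin(current, account_id):
        return False
    org_client.register_delegated_administrator(
        AccountId=account_id, ServicePrincipal=SSO_SERVICE_PRINCIPAL
    )
    return True


class FakeOrganizationsClient:
    """Constructed stand-in for boto3's Organizations client so the example
    runs offline. It mimics only the two calls used above and records writes."""

    def __init__(self, delegated: list[str]):
        self.delegated = list(delegated)
        self.calls: list[tuple[str, str, str]] = []

    def list_delegated_administrators(self, ServicePrincipal: str) -> dict:
        # Only the fields the code above reads are reproduced here.
        return {
            "DelegatedAdministrators": [
                {"Id": acct, "Status": "ACTIVE"}
                for acct in self.delegated
                if ServicePrincipal == SSO_SERVICE_PRINCIPAL
            ]
        }

    def register_delegated_administrator(self, AccountId: str, ServicePrincipal: str) -> dict:
        self.calls.append(("register", AccountId, ServicePrincipal))
        self.delegated.append(AccountId)
        return {}


def demo() -> tuple[bool, bool, int, set[str]]:
    """Offline walkthrough: first call registers, second call is a no-op."""
    fake = FakeOrganizationsClient(delegated=[])
    first = ensure_delegated_admin(fake, "111111111111")
    second = ensure_delegated_admin(fake, "111111111111")
    listing = fake.list_delegated_administrators(ServicePrincipal=SSO_SERVICE_PRINCIPAL)
    return first, second, len(fake.calls), delegated_admin_ids(listing)


def main() -> None:
    try:
        import boto3  # real AWS calls; needs management-account credentials
    except ImportError:
        print("boto3 not installed, running offline demo:", demo())
        return
    org = boto3.client("organizations")
    registered = ensure_delegated_admin(org, "111111111111")
    print("registration call made:", registered)
    # The organization instance is what the delegate will administer.
    for inst in boto3.client("sso-admin").list_instances()["Instances"]:
        print("Identity Center instance:", inst["InstanceArn"])


if __name__ == "__main__":
    main()
```

Running `demo()` shows the idempotent behaviour: one RegisterDelegatedAdministrator call, and the second invocation returns False because the account is already listed.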


It looks like AMG Workspaces only supports the Org's management account's IAM Identity Center for auth, not an account-scoped instance, per my testing.

answered 5 days ago
