AWS Single Sign-On now supports Microsoft Active Directory (AD) synchronization

Posted on: Dec 15, 2020

AWS Single Sign-On (SSO) now synchronizes groups, in addition to user information, for customers who use Microsoft Active Directory (AD) as their identity source. You can now manage your users and groups in AD, and AWS SSO's AD sync will ensure that this information is accessible to you in a consistent manner within AWS accounts and applications. You will be able to access AD users and groups from AWS SSO-integrated applications and use them for improved collaborative experiences like searching and sharing, and fine-grained access control to application resources like dashboards. Any changes you make to user and group information in AD will automatically reflect in AWS SSO, reducing your administrative effort to manage identities in AWS.

AWS SSO synchronizes only those users and groups for which you have assigned access to AWS accounts or applications. Periodic synchronization keeps the list of users, groups, and their attributes current and removes users and groups that you deleted from your AD, minimizing the personally identifiable information held in AWS. AWS SSO also implements just-in-time (JIT) sync so that a user's attributes are always current as of their last authentication. This ensures that attribute-based access control works as expected. Administrators are able to view users and groups from within the AWS SSO console, and users of AWS SSO-integrated applications that are group enabled can search for and work with synchronized groups. For example, you can now assign an AD group as the approval group for a change request from within AWS Systems Manager Change Manager.
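The sync rules above (only assigned principals are copied, deletions propagate at the next periodic sync, and a user's attributes are refreshed at authentication) determine whether an attribute-based access decision sees a fresh or a stale value. The following is an added illustrative model of those rules, not AWS code: the AD snapshot, the assignments, and the attribute names are constructed sample data, and the functions are a simplified stand-in for the service's behaviour.

```python
"""Illustrative model of the AD -> AWS SSO sync behaviour described above.
Added example, not AWS code: AD and ASSIGNMENTS are constructed sample data
and the functions approximate the stated rules, nothing more."""
from copy import deepcopy

# Constructed AD snapshot: users carry attributes, groups carry member lists.
AD = {
    "users": {
        "alice": {"department": "finance", "email": "alice@example.com"},
        "bob": {"department": "ops", "email": "bob@example.com"},
        "carol": {"department": "hr", "email": "carol@example.com"},
    },
    "groups": {
        "finance-approvers": {"members": ["alice"]},
        "platform-admins": {"members": ["bob"]},
    },
}

# Constructed assignments: principals granted access to an AWS account or app.
ASSIGNMENTS = {"users": {"alice"}, "groups": {"platform-admins"}}


def periodic_sync(ad, assignments):
    """Build the SSO identity store from AD: copy only assigned users and
    groups, and drop any assigned principal that no longer exists in AD."""
    store = {"users": {}, "groups": {}}
    for name in assignments["users"]:
        if name in ad["users"]:  # deleted in AD -> not retained in AWS
            store["users"][name] = deepcopy(ad["users"][name])
    for name in assignments["groups"]:
        if name in ad["groups"]:
            store["groups"][name] = deepcopy(ad["groups"][name])
    return store


def jit_sync_on_auth(store, ad, username):
    """Refresh one user's attributes at authentication time (JIT sync), so
    they are current as of that user's last login even between periodic runs."""
    if username in ad["users"]:
        store["users"][username] = deepcopy(ad["users"][username])
    return store


def abac_allows(store, username, required_department):
    """ABAC decision that reads the department attribute held in the SSO
    store; it is only as fresh as the last periodic or JIT sync."""
    attrs = store["users"].get(username)
    return attrs is not None and attrs.get("department") == required_department
```

Walking through a department change in AD shows the window in which `abac_allows` still answers from the old attribute until the user next authenticates or the periodic sync runs.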

The AWS SSO AD synchronization capability is available in all regions supported by AWS SSO. AD sync is available to you at no additional cost and is on by default once SSO is integrated with AWS Directory Service solutions. To learn more about AWS SSO or AD sync, visit the AWS Single Sign-On User Guide or the documentation on Connecting to Your Microsoft AD Directory.