How do I resolve the AccessDeniedException error when I use the create-group AWS CLI command to create QuickSight groups?

Last updated: 2022-07-12

I get the following error message when I try to create Amazon QuickSight groups using the create-group AWS CLI command:

"An error occurred (AccessDeniedException) when calling the CreateGroup operation: Group operations are not enabled for this account"

Short description

The CreateGroup operation error occurs when you use Active Directory Connector (AD Connector) to sign in to Amazon QuickSight. QuickSight manages only the identities that are created and maintained in QuickSight. If AD Connector is set up, then AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) groups are used to map users to admin, author, and reader roles. You can't use the create-group AWS Command Line Interface command to create QuickSight managed groups when managing users through AWS Managed Microsoft AD.
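The same AccessDeniedException code is also returned when the caller simply lacks IAM permission, so it helps to tell the two cases apart before changing any policies. The following wrapper is an added example, not AWS-provided code: the function names and exit codes are hypothetical, and the "is not authorized to perform" match assumes the usual wording of an IAM denial.

```shell
#!/usr/bin/env bash
# Added example (not AWS-provided). Function names and exit codes are hypothetical.

# Classify the stderr text of a failed `aws quicksight create-group` call.
# Prints: directory_managed | iam_denied | other
classify_create_group_error() {
  local err="$1"
  case "$err" in
    *AccessDenied*"Group operations are not enabled for this account"*)
      # The condition this article describes: identities come from the directory.
      echo directory_managed ;;
    *AccessDenied*"is not authorized to perform"*)
      # Assumed wording of an ordinary IAM permission denial.
      echo iam_denied ;;
    *)
      echo other ;;
  esac
}

# Try to create a QuickSight group and explain an access-denied result.
# Usage: create_qs_group <aws-account-id> <group-name> [namespace]
# Returns 0 on success, 2 directory-managed, 3 IAM denial, 1 anything else.
create_qs_group() {
  local account_id="$1" group_name="$2" namespace="${3:-default}" err
  # Capture stderr only; discard the JSON written to stdout.
  if err=$(aws quicksight create-group \
        --aws-account-id "$account_id" \
        --namespace "$namespace" \
        --group-name "$group_name" 2>&1 >/dev/null); then
    echo "created group $group_name"
    return 0
  fi
  case "$(classify_create_group_error "$err")" in
    directory_managed)
      echo "Groups for this account are managed in the directory; create the group in AWS Managed Microsoft AD." >&2
      return 2 ;;
    iam_denied)
      echo "Caller lacks IAM permission for CreateGroup; review the identity's policy." >&2
      return 3 ;;
    *)
      printf '%s\n' "$err" >&2
      return 1 ;;
  esac
}
```
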

Resolution

Use AWS Managed Microsoft AD to create groups

You can create at least three groups after you establish your Active Directory:

  • Amazon QuickSight admins
  • Amazon QuickSight authors
  • Amazon QuickSight readers

Note: Only the Enterprise edition of QuickSight supports AD Connector and AWS Managed Microsoft AD. To learn more about using AWS Managed Microsoft AD users and groups, see Best practices for AWS Managed Microsoft AD.

Use the AWS CLI command to create groups

To create and manage QuickSight groups using the AWS CLI, you must unsubscribe from QuickSight. Then re-subscribe, and change the tool you use to identify and access QuickSight.

Note: Unsubscribing deletes all QuickSight users, data, and assets.