

# Enabling Amazon Web Services Management Console access with Amazon Managed Microsoft AD credentials
<a name="ms_ad_management_console_access"></a>

Amazon Directory Service allows you to grant members of your directory access to the Amazon Web Services Management Console. By default, your directory members do not have access to any Amazon resources. You assign IAM roles to your directory members to give them access to the various Amazon services and resources. The IAM role defines the services, resources, and level of access that your directory members have.

Before you can grant console access to your directory members, your directory must have an access URL. For more information about how to view directory details and get your access URL, see [Viewing Amazon Managed Microsoft AD directory information](ms_ad_view_directory_info.md). For more information about how to create an access URL, see [Creating an access URL for Amazon Managed Microsoft AD](ms_ad_create_access_url.md).

For more information about how to create and assign IAM roles to your directory members, see [Granting Amazon Managed Microsoft AD users and groups access to Amazon resources with IAM roles](ms_ad_manage_roles.md).

**Topics**
+ [Enabling Amazon Web Services Management Console access](#console_enable)
+ [Disabling Amazon Web Services Management Console access](#console_disable)
+ [Setting Amazon Web Services Management Console login session length](#console_session)

**Related Amazon Security Blog Article**
+ [How to Access the Amazon Web Services Management Console Using Amazon Managed Microsoft AD and Your On-Premises Credentials](https://aws.amazon.com/blogs/security/how-to-access-the-aws-management-console-using-aws-microsoft-ad-and-your-on-premises-credentials/)

**Related Amazon Web Services re:Post Article**
+ [How can I grant access to the Amazon Web Services Management Console for on-premises Active Directory users?](https://repost.aws/knowledge-center/enable-active-directory-console-access)

**Note**  
Access to the Amazon Web Services Management Console is a Regional feature of Amazon Managed Microsoft AD. If you are using [Multi-Region replication](ms_ad_configure_multi_region_replication.md), the following procedures must be applied separately in each Region. For more information, see [Global vs Regional features](multi-region-global-region-features.md).

## Enabling Amazon Web Services Management Console access
<a name="console_enable"></a>

By default, console access is not enabled for any directory. To enable console access for your directory users and groups, perform the following steps:

**To enable console access**

1. In the [Amazon Directory Service console](https://console.amazonaws.cn/directoryservicev2/) navigation pane, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to enable access to the Amazon Web Services Management Console, and then choose the **Application management** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Application management** tab.

1. Under the **Amazon Web Services Management Console** section, choose **Enable**. Console access is now enabled for your directory.

**Important**  
Before users can sign in to the console with your access URL, you must first add your users to the IAM role. For general information about assigning users to IAM roles, see [Assigning users or groups to an existing IAM role](assign_role.md). After the IAM roles have been assigned, users can then access the console using your access URL. For example, if your directory access URL is `example-corp.awsapps.com`, the URL to access the console is `https://example-corp.awsapps.com/console/`.

## Disabling Amazon Web Services Management Console access
<a name="console_disable"></a>

To disable Amazon Web Services Management Console access for your Amazon Managed Microsoft AD directory users and groups, perform the following steps:

**To disable console access**

1. In the [Amazon Directory Service console](https://console.amazonaws.cn/directoryservicev2/) navigation pane, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to disable access to the Amazon Web Services Management Console, and then choose the **Application management** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Application management** tab.

1. Under the **Amazon Web Services Management Console** section, choose **Disable**. Console access is now disabled for your directory.

1. If any IAM roles have been assigned to users or groups in the directory, the **Disable** button may be unavailable. In this case, you must remove all IAM role assignments for the directory before proceeding, including assignments for users or groups in your directory that have been deleted, which will show as **Deleted User** or **Deleted Group**.

   After all IAM role assignments have been removed, repeat the steps above.

## Setting Amazon Web Services Management Console login session length
<a name="console_session"></a>

By default, a console session lasts 1 hour after a user successfully signs in to the Amazon Web Services Management Console, after which the user is logged out. The user must then sign in again to start another 1-hour session. You can use the following procedure to change the session length to up to 12 hours per session.

**To set Amazon Web Services Management Console login session length**

1. In the [Amazon Directory Service console](https://console.amazonaws.cn/directoryservicev2/) navigation pane, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to set the login session length, and then choose the **Application management** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Application management** tab.

1. Under the **Amazon apps & services** section, choose **Amazon Management Console**. 

1. In the **Manage Access to Amazon Resource** dialog box, choose **Continue**.

1. On the **Assign users and groups to IAM roles** page, under **Set login session length**, edit the numbered value, and then choose **Save**.