Using Active Directory with Amazon QuickSight Enterprise edition - Amazon QuickSight

Applies to: Enterprise Edition
Intended audience: System administrators

Note: IAM identity federation doesn't support syncing identity provider groups with Amazon QuickSight.

Amazon QuickSight Enterprise edition supports both Amazon Directory Service for Microsoft Active Directory and Active Directory Connector.

To create a new directory to be your identity manager for Amazon QuickSight, use Amazon Directory Service for Microsoft Active Directory, also known as Amazon Managed Microsoft AD. This is an Active Directory host in the Amazon Cloud that offers most of the same functionality of Active Directory. Currently, you can connect to Active Directory in any Amazon Region supported by Amazon QuickSight, except for Asia Pacific (Singapore). When you create a directory, you use it with a virtual private cloud (VPC). For more information, see VPC.

If you have an existing directory that you want to use for Amazon QuickSight, you can use Active Directory Connector. This service redirects directory requests to your Active Directory—in another Amazon Web Services Region or on-premises—without caching any information in the cloud.

For a walkthrough about creating and managing a directory with Amazon Managed Microsoft AD, see Use an Amazon Managed Microsoft AD with Amazon QuickSight? in the Amazon Knowledge Center.

When you use Amazon Directory Service to launch a directory, Amazon creates an organizational unit (OU) with the same name as your domain. Amazon also creates an administrative account with delegated administrative rights for the OU. You can create accounts, groups, and policies within the OU by using Active Directory users and groups. For more information, see Best Practices for Amazon Managed Microsoft AD in the Directory Service Administration Guide.

After you establish your directory, you use it with Amazon QuickSight by creating at least three groups for users:

  • Amazon QuickSight admins – Admins can change account settings and manage accounts. Admins can also purchase additional Amazon QuickSight user subscriptions or SPICE capacity, or cancel the subscription to Amazon QuickSight for your Amazon Web Services account.

  • Amazon QuickSight authors – Amazon QuickSight authors can create data sources, datasets, analyses, and dashboards. They can share analyses and dashboards with other Amazon QuickSight users.

  • Amazon QuickSight readers – Readers can view and interact with dashboards that were created by someone else.
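
One way to create the three groups in the delegated OU and review them for role overlap, as an added example that is not from the AWS documentation. The domain corp.example.com, the OU path, and the group names QuickSight-Admins, QuickSight-Authors and QuickSight-Readers are assumptions; it uses the ActiveDirectory PowerShell module from a domain-joined management host.

```powershell
#Requires -Modules ActiveDirectory
# Assumed values: replace with your directory's delegated OU and naming scheme.
$OuPath = 'OU=corp,DC=corp,DC=example,DC=com'
$Roles  = [ordered]@{
    'QuickSight-Admins'  = 'QuickSight admins: account settings, subscriptions, SPICE capacity'
    'QuickSight-Authors' = 'QuickSight authors: data sources, datasets, analyses, dashboards'
    'QuickSight-Readers' = 'QuickSight readers: view and interact with dashboards'
}

# Create each security group only if it does not already exist in the OU.
foreach ($name in $Roles.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $OuPath)) {
        New-ADGroup -Name $name -SamAccountName $name -Path $OuPath `
            -GroupScope Global -GroupCategory Security -Description $Roles[$name]
    }
}

# Resolve effective membership, including users who arrive through nested groups.
$Members = @{}
foreach ($name in $Roles.Keys) {
    $Members[$name] = @(Get-ADGroupMember -Identity $name -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName)
}

# Report accounts that sit in more than one role group, so an access review
# can confirm each account holds only the role that was intended.
$Members.GetEnumerator() |
    ForEach-Object {
        $role = $_.Key
        $_.Value | ForEach-Object { [pscustomobject]@{ User = $_; Role = $role } }
    } |
    Group-Object User |
    Where-Object Count -gt 1 |
    ForEach-Object {
        [pscustomobject]@{ User = $_.Name; Roles = ($_.Group.Role -join ', ') }
    }

# List every account that effectively holds the admin role; this group can
# buy capacity and cancel the subscription, so keep it short and reviewed.
$Members['QuickSight-Admins'] | Sort-Object
```

The `-Recursive` switch matters for the review: a user added to a group that is itself a member of QuickSight-Admins does not appear in a direct membership listing.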

You can add or refine access by applying IAM policies. For example, you can use IAM policies to allow users to subscribe themselves.

When you subscribe to Amazon QuickSight Enterprise edition and choose Active Directory as your identity provider, you can associate your AD groups with Amazon QuickSight. You can also add or change your AD groups later on.