Review Note: This section is an early draft and is undergoing review and editing.
If you began using AWS SSO (now IAM Identity Center) with its built-in internal directory to configure single sign-on for your AWS environment, you may be considering switching to Active Directory or another identity provider as the source of truth.
Be sure that your Active Directory domain is configured with granular AD groups for (at least) your management account, but ideally for every account you wish to manage with AWS SSO. Consider the following best practices when using AWS SSO with Active Directory (either self-managed or AWS Managed Microsoft AD):
When you are ready to change the AWS SSO identity source from the internal directory to Active Directory or a third-party identity provider, take note of the implications of such a change. Most notably, all existing entitlements (user and group assignments to accounts and permission sets) will be lost, so have your AD groups configured and your management account root username, password and MFA device to hand in case you are logged out. Alternatively, you could use an IAM user in the management account as a break-glass backup. Follow this guide to switch your AWS SSO identity source.
The URL you use to access the AWS SSO user portal may change, and users may need to update their bookmarks.
As new AWS accounts are introduced, some setup tasks will be necessary:
At scale, these tasks could be automated to reduce overhead, including integration with identity management solutions.
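Both the identity-source switch (where every assignment is lost and must be re-created against the new AD group IDs) and the onboarding of new accounts reduce to the same job: compute the difference between the assignments that exist and the assignments you want, keyed by group display name rather than identity-store ID, and render the `aws sso-admin` calls that close the gap. The following is an added example, not code from the original page or from AWS. It assumes the raw records are shaped like the `AccountAssignments` array returned by `aws sso-admin list-account-assignments`, that principal IDs have already been resolved to display names (for example via `aws identitystore describe-group`), and it uses constructed, hypothetical account IDs, permission set ARNs, group IDs and an instance ARN.

```python
from collections import namedtuple

# One assignment = one principal (group or user, by display name) granted one
# permission set in one account.  Principals are keyed by display name because
# identity-store IDs do not survive a switch of identity source.
Assignment = namedtuple(
    "Assignment", "account_id principal_type principal_name permission_set_arn"
)

# Hypothetical identifiers, constructed for this example.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin0000000001"
PS_RO = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly00000001"
MGMT, PROD, NEW = "111111111111", "222222222222", "333333333333"

# Snapshot taken BEFORE the switch, while the internal directory was the source,
# in the shape of `aws sso-admin list-account-assignments` output (constructed).
PRE_SWITCH_RAW = [
    {"AccountId": MGMT, "PermissionSetArn": PS_ADMIN, "PrincipalType": "GROUP", "PrincipalId": "g-internal-01"},
    {"AccountId": PROD, "PermissionSetArn": PS_ADMIN, "PrincipalType": "GROUP", "PrincipalId": "g-internal-01"},
    {"AccountId": PROD, "PermissionSetArn": PS_RO, "PrincipalType": "GROUP", "PrincipalId": "g-internal-02"},
    # A direct user assignment; there is no matching AD principal for it.
    {"AccountId": PROD, "PermissionSetArn": PS_RO, "PrincipalType": "USER", "PrincipalId": "u-internal-99"},
]
# Display names of the internal-directory principals (from describe-group/describe-user).
INTERNAL_NAMES = {"g-internal-01": "AWS-Admins", "g-internal-02": "AWS-ReadOnly", "u-internal-99": "alice"}
# Display name -> identity-store ID of the groups as they appear AFTER the switch to AD.
AD_IDS = {"AWS-Admins": "g-ad-aaaa", "AWS-ReadOnly": "g-ad-bbbb"}


def normalise_assignments(raw_assignments, principal_names):
    """Turn API-shaped records into Assignment tuples keyed by display name.
    Records whose PrincipalId cannot be resolved (already deleted) are skipped."""
    out = set()
    for a in raw_assignments:
        name = principal_names.get(a["PrincipalId"])
        if name is None:
            continue
        out.add(Assignment(a["AccountId"], a["PrincipalType"], name, a["PermissionSetArn"]))
    return out


def unmapped_principals(snapshot, new_ids):
    """Principals in the snapshot that have no counterpart in the new identity
    source; these entitlements will NOT be re-created and need a human decision."""
    return {(a.principal_type, a.principal_name) for a in snapshot if a.principal_name not in new_ids}


def plan_changes(current, desired):
    """Return (to_create, to_delete) so that applying both makes current == desired."""
    return sorted(desired - current), sorted(current - desired)


def to_cli(assignment, action, principal_ids, instance_arn=INSTANCE_ARN):
    """Render one create-/delete-account-assignment invocation (action is
    'create' or 'delete'); principal_ids maps display name -> ID in the new source."""
    pid = principal_ids[assignment.principal_name]
    return (
        f"aws sso-admin {action}-account-assignment --instance-arn {instance_arn} "
        f"--target-type AWS_ACCOUNT --target-id {assignment.account_id} "
        f"--permission-set-arn {assignment.permission_set_arn} "
        f"--principal-type {assignment.principal_type} --principal-id {pid}"
    )


def desired_after_switch():
    """Desired state = the pre-switch snapshot restricted to principals that exist in AD."""
    snapshot = normalise_assignments(PRE_SWITCH_RAW, INTERNAL_NAMES)
    return {a for a in snapshot if a.principal_name in AD_IDS}


def post_switch_plan():
    """After the switch every assignment is gone, so the current state is empty
    and the whole desired state has to be created."""
    return plan_changes(current=set(), desired=desired_after_switch())


def onboard_account_plan(new_account_id, template_account_id):
    """Onboard a new account by copying the template account's assignments to it."""
    current = desired_after_switch()
    copied = {a._replace(account_id=new_account_id) for a in current if a.account_id == template_account_id}
    return plan_changes(current, current | copied)


if __name__ == "__main__":
    snapshot = normalise_assignments(PRE_SWITCH_RAW, INTERNAL_NAMES)
    print("not re-creatable after switch:", unmapped_principals(snapshot, AD_IDS))
    creates, _ = post_switch_plan()
    for a in creates:
        print(to_cli(a, "create", AD_IDS))
    creates, _ = onboard_account_plan(NEW, PROD)
    for a in creates:
        print(to_cli(a, "create", AD_IDS))
```

Run the snapshot step while the old identity source is still active and keep its output somewhere outside AWS SSO; once the source has been switched, `list-account-assignments` returns nothing and the group display names are the only thing that lets you tie old entitlements to new AD groups. The `unmapped_principals` output is the list to review by hand: direct user assignments, and groups that were never created in AD, silently disappear otherwise.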