# Prerequisites for Amazon Q Apps Before using Amazon Q Apps, make sure that you do the following: + **Set up your identity provider** – For web experience users to create and run their own Amazon Q Apps within a broader Amazon Q Business application environment, they must be recognized by either IAM Identity Center or AWS Identity and Access Management (IAM). These users can continue to authenticate either directly through IAM Identity Center, or through an existing enterprise identity provider connected to IAM Identity Center or IAM (like Okta, Microsoft Entra ID, and Ping Identity, among others). When users attempt to use an Amazon Q Business web experience, Amazon Q Apps authorizes their actions based on the user and group information it gathers from IAM Identity Center or IAM. To set up IAM Identity Center, see [Enable single sign-on access to your AWS applications (Application admin role)](https://docs.aws.amazon.com/singlesignon/latest/userguide/use-case-app-admin.html) in the *IAM Identity Center User Guide* . You need to complete this step before creating an Amazon Q Business application environment and using Amazon Q Apps. For a list of supported enterprise identity providers and how to connect them to your IAM Identity Center instance, see [Manage an external identity provider](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html) in the *IAM Identity Center User Guide*. To set up AWS Identity and Access Management, see [Get started with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started.html) in the *AWS Identity and Access Management User Guide*. You need to complete setting up and connecting an identity provider to an IAM instance before creating an Amazon Q Business application environment and using Amazon Q Apps. For a list of supported enterprise identity providers and how to connect them to your IAM instance, see [Identity providers and federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) in the *AWS Identity and Access Management User Guide*. For an example of how to set up an Amazon Q Business application environment with IAM federation using Okta as an example, see [Configuring an Amazon Q Business application using IAM Federation](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html). **Important** As of July 1, 2024, Amazon Q Apps are available only to [Amazon Q Business Pro users](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tiers.html#managing-sub-tiers). Amazon Q Business Lite users will no longer be able to create, run, or view Q Apps. To access, Q Apps, Lite users must upgrade to Amazon Q Business Pro. As of August 30, 2024, all Amazon Q Apps created by Lite users who did not upgrade their account to Amazon Q Business Pro have been deleted. + **Finish the Amazon Q Business setup** – Complete [setting up Amazon Q Business](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/setting-up.html) and create an Amazon Q Business application environment integrated with either [IAM Identity Center](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html) or [AWS Identity and Access Management](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html). Configuring the application environment is necessary so that you can allow users to manage their own Amazon Q Apps. Also, include a retriever and, optionally, a data source connector. + **Create an IAM role** – Configure an AWS Identity and Access Management (IAM) access role (permissions policy) for the deployed web experience for your broader application environment, including permissions for Amazon Q Apps. The admin can use the Amazon Q Business console to create the required IAM role for users as part of the configuration steps. To view and modify the required IAM access role with set permissions and [optional permissions for web experience users to view and specify approved data sources](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/deploy-experience-iam-role.html#deploy-data-source-iam-permissions ) with Amazon Q Apps, see the [IAM role for web experience users](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/deploy-experience-iam-role.html). **Note** If you are using permissions for Amazon Q Apps created prior to July 10, 2024, you must update your role with the new [Amazon Q Apps](deploy-q-apps-iam-permissions.md) permissions for your users to have access to use the [permissions to view and specify approved data sources](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/deploy-q-apps-iam-permissions.html#deploy-data-source-iam-permissions) and other future features in Q Apps. + **Quotas** *(formerly known as limits)* — There are set maximum quotas for Amazon Q Apps. For information about these quotas, see [Quotas](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/quotas-regions.html#limits).