

# Managing organization accounts as Detective member accounts

In the organization behavior graph, the Detective administrator account determines which organization accounts to enable as member accounts. By default, new organization accounts are not enabled as member accounts. Their status is **Not a member**.

The Detective administrator account can configure Detective to enable new organization accounts as member accounts automatically. When you choose to enable organization accounts automatically, Detective begins to enable new accounts as member accounts as they are added to the organization. Detective does not enable existing organization accounts that are not yet enabled.

If you do not want to enable new organization accounts automatically, the Detective administrator can enable organization accounts as member accounts manually. The administrator can also manually enable disassociated organization accounts. The Detective administrator cannot enable an organization account as a member account if the organization behavior graph already has the maximum of 1,200 enabled accounts. In this case, the organization account status remains **Not a member**.

The Detective administrator also can disassociate organization accounts from the organization behavior graph. To stop ingesting data from an organization account in the organization behavior graph, you can disassociate the account. Existing data for that account remains in the behavior graph.

**Topics**
+ [Enabling new organization accounts as Detective member accounts](accounts-orgs-members-autoenable.md)
+ [Enabling organization accounts as Detective member accounts](accounts-orgs-members-enable.md)
+ [Disassociating organization accounts as Detective member accounts](accounts-orgs-members-disassociate.md)

# Enabling new organization accounts as Detective member accounts

The Detective administrator account can configure Detective to automatically enable new organization accounts as member accounts in the organization behavior graph.

When new accounts are added to your organization, they are added to the list on the **Account management** page. For organization accounts, **Type** is **By organization**.

By default, new organization accounts are not enabled as member accounts. Their status is **Not a member**.

When you choose to enable organization accounts automatically, then Detective begins to enable new accounts as member accounts as they are added to the organization. Detective does not enable existing organization accounts that are not yet enabled.

The maximum number of member accounts for a behavior graph is 1,200. If your behavior graph already contains 1,200 member accounts, then new accounts cannot be enabled, and their status remains **Not a member**.

------
#### [ Console ]

On the **Account management** page, the **Automatically enable new organization accounts** setting determines whether to automatically enable accounts as they are added to an organization.

**To automatically enable new organization accounts as member accounts**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Account management**.

1. Toggle **Automatically enable new organization accounts** to the on position.

------
#### [ Detective API/AWS CLI ]

To determine whether to automatically enable new organization accounts as Detective member accounts, the administrator account can use the Detective API or the AWS Command Line Interface.

To view and manage the configuration, you must provide the behavior graph ARN. To obtain the ARN, use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html) operation.

**To view the current configuration for automatically enabling organization accounts**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_DescribeOrganizationConfiguration.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_DescribeOrganizationConfiguration.html) operation.

  In the response, if new organization accounts are enabled automatically, then `AutoEnable` is `true`.
+ **AWS CLI:** At the command line, run the [https://docs.aws.amazon.com/cli/latest/reference/detective/describe-organization-configuration.html](https://docs.aws.amazon.com/cli/latest/reference/detective/describe-organization-configuration.html) command.

  ```
  aws detective describe-organization-configuration --graph-arn <behavior graph ARN>
  ```

  **Example**

  ```
  aws detective describe-organization-configuration --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234
  ```

**To automatically enable new organization accounts**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_UpdateOrganizationConfiguration.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_UpdateOrganizationConfiguration.html) operation. To automatically enable new organization accounts, set `AutoEnable` to `true`.
+ **AWS CLI:** At the command line, run the [https://docs.aws.amazon.com/cli/latest/reference/detective/update-organization-configuration.html](https://docs.aws.amazon.com/cli/latest/reference/detective/update-organization-configuration.html) command.

  ```
  aws detective update-organization-configuration --graph-arn <behavior graph ARN> --auto-enable | --no-auto-enable
  ```

  **Example**

  ```
  aws detective update-organization-configuration --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234 --auto-enable
  ```

------

# Enabling organization accounts as Detective member accounts


If you do not automatically enable new organization accounts, then you can enable those accounts manually. You must also manually enable accounts that you disassociated.

## Determining whether an account can be enabled


You cannot enable an organization account as a member account if the organization behavior graph already has the maximum 1,200 enabled accounts. In this case, the organization account status remains **Not a member**. The account does not contribute data to the behavior graph.

As soon as the member account can be enabled, Detective automatically changes the member account status to **Enabled**. For example, the member account status changes to **Enabled** if the administrator account removes other member accounts to make space for an account.

------
#### [ Console ]

From the **Account management** page, you can enable organization accounts as member accounts.

**To enable organization accounts as member accounts**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Account management**.

1. To view the list of accounts that are not currently enabled, choose **Not enabled**.

1. You can either select specific organization accounts, or enable all organization accounts.

   To enable selected organization accounts:

   1. Select each organization account that you want to enable.

   1. Choose **Enable accounts**.

   To enable all organization accounts, choose **Enable all organization accounts**.

------
#### [ Detective API/AWS CLI ]

You can use the Detective API or the AWS Command Line Interface to enable organization accounts as member accounts in the organization behavior graph. To get the ARN of your behavior graph to use in the request, use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html) operation.

**To enable organization accounts as member accounts**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_CreateMembers.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_CreateMembers.html) operation. You must provide the graph ARN.

  For each account, specify the account identifier. Organization accounts in the organization behavior graph do not receive an invitation. You do not need to provide an email address or other invitation information.
+ **AWS CLI:** At the command line, run the [https://docs.aws.amazon.com/cli/latest/reference/detective/create-members.html](https://docs.aws.amazon.com/cli/latest/reference/detective/create-members.html) command.

  ```
  aws detective create-members --accounts AccountId=<AWS account ID> --graph-arn <behavior graph ARN>
  ```

  **Example**

  ```
  aws detective create-members --accounts AccountId=444455556666 AccountId=123456789012 --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234
  ```

------

# Disassociating organization accounts as Detective member accounts

To stop ingesting data from an organization account in the organization behavior graph, you can disassociate the account. Existing data for that account remains in the behavior graph.

When you disassociate an organization member account, the status of that account changes to **Not a member**. Detective no longer ingests data from that account into your behavior graph. Existing data for this account remains in the behavior graph, and the account remains in the list. 

------
#### [ Console ]

From the **Account management** page, you can disassociate organization accounts as member accounts.

**To disassociate organization accounts as member accounts (console)**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Account management**.

1. To display the list of enabled accounts, choose **Enabled**.

1. Select the check box for each account to disassociate.

1. Choose **Actions**. Then choose **Disable accounts**.

   The account status for the disassociated accounts changes to **Not a member**.

------
#### [ Detective API/AWS CLI ]

To get the ARN of your behavior graph to use in the request, use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html) operation.

**To disassociate organization accounts from the organization behavior graph**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteMembers.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteMembers.html) operation. Specify the graph ARN and the list of account identifiers for the member accounts to disassociate.
+ **AWS CLI:** At the command line, run the [https://docs.aws.amazon.com/cli/latest/reference/detective/delete-members.html](https://docs.aws.amazon.com/cli/latest/reference/detective/delete-members.html) command.

  ```
  aws detective delete-members --account-ids <account ID list> --graph-arn <behavior graph ARN>
  ```

  **Example**

  ```
  aws detective delete-members --account-ids 444455556666 123456789012 --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234
  ```

------
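The three API/CLI procedures on this page (checking and setting `AutoEnable`, enabling accounts with `CreateMembers`, and disassociating them with `DeleteMembers`) are easy to script, but a script that calls `CreateMembers` blindly will silently leave accounts at **Not a member** once the graph holds 1,200 members. The following Python module is an added example, not code from the AWS documentation or from the Detective service: it pages through `ListMembers` to count enabled members, refuses to submit more accounts than the remaining capacity, batches the rest, and reports what was enabled, what the service left unprocessed, and what never fit. The functions accept any object with the boto3 Detective client method names they call (`describe_organization_configuration`, `update_organization_configuration`, `list_members`, `create_members`, `delete_members`), so in practice you would pass `boto3.client("detective")`. The `FakeDetective` class, the `CREATE_BATCH` value of 50, the helper names and the member IDs built in `demo()` are assumptions constructed for this example; the graph ARN is the one used in the documentation examples.

```python
"""Capacity-aware management of Detective organization member accounts.

Added example, not part of the AWS documentation. Functions accept any object
with the boto3 Detective client methods they call; FakeDetective is a
constructed offline stand-in so the module runs without AWS credentials.
"""
from typing import Dict, List

GRAPH = "arn:aws:detective:us-east-1:111122223333:graph:123412341234"  # ARN from the docs example
MAX_MEMBERS = 1200   # per-graph member limit stated on this page
CREATE_BATCH = 50    # assumed per-request cap for CreateMembers; adjust to the API limit


def ensure_auto_enable(client, graph_arn: str) -> bool:
    """Turn on AutoEnable if it is off; returns True when a change was made.
    As the docs note, this only affects accounts added to the organization later."""
    if client.describe_organization_configuration(GraphArn=graph_arn).get("AutoEnable"):
        return False
    client.update_organization_configuration(GraphArn=graph_arn, AutoEnable=True)
    return True


def enabled_member_ids(client, graph_arn: str) -> List[str]:
    """Page through ListMembers and collect the IDs of ENABLED members."""
    ids, kwargs = [], {"GraphArn": graph_arn}
    while True:
        page = client.list_members(**kwargs)
        ids += [m["AccountId"] for m in page.get("MemberDetails", [])
                if m.get("Status") == "ENABLED"]
        if not page.get("NextToken"):
            return ids
        kwargs = {"GraphArn": graph_arn, "NextToken": page["NextToken"]}


def enable_accounts(client, graph_arn: str, account_ids: List[str]) -> Dict[str, List[str]]:
    """Enable organization accounts without exceeding MAX_MEMBERS. Accounts beyond
    the remaining capacity are reported as 'over_capacity' instead of being sent to
    CreateMembers, where they would simply stay Not a member."""
    already = set(enabled_member_ids(client, graph_arn))
    wanted = [a for a in dict.fromkeys(account_ids) if a not in already]  # dedupe, keep order
    room = max(0, MAX_MEMBERS - len(already))
    result = {"enabled": [], "unprocessed": [], "over_capacity": wanted[room:],
              "already_member": sorted(set(account_ids) & already)}
    to_send = wanted[:room]
    for i in range(0, len(to_send), CREATE_BATCH):
        batch = to_send[i:i + CREATE_BATCH]
        resp = client.create_members(GraphArn=graph_arn,
                                     Accounts=[{"AccountId": a} for a in batch])
        result["enabled"] += [m["AccountId"] for m in resp.get("Members", [])]
        result["unprocessed"] += [u["AccountId"] for u in resp.get("UnprocessedAccounts", [])]
    return result


def disassociate_accounts(client, graph_arn: str, account_ids: List[str]):
    """Disassociate members; returns (removed IDs, unprocessed IDs).
    Existing data stays in the graph, but ingestion for these accounts stops."""
    resp = client.delete_members(GraphArn=graph_arn, AccountIds=list(account_ids))
    return resp.get("AccountIds", []), [u["AccountId"] for u in resp.get("UnprocessedAccounts", [])]


class FakeDetective:
    """Constructed in-memory stand-in for the boto3 Detective client (offline only)."""
    PAGE = 100  # page size for the fake ListMembers, to exercise NextToken handling

    def __init__(self, members: List[str], auto_enable: bool = False):
        self.members, self.auto_enable = list(members), auto_enable

    def describe_organization_configuration(self, GraphArn):
        return {"AutoEnable": self.auto_enable}

    def update_organization_configuration(self, GraphArn, AutoEnable):
        self.auto_enable = AutoEnable
        return {}

    def list_members(self, GraphArn, NextToken=None):
        start = int(NextToken or 0)
        page = self.members[start:start + self.PAGE]
        out = {"MemberDetails": [{"AccountId": a, "Status": "ENABLED"} for a in page]}
        if start + self.PAGE < len(self.members):
            out["NextToken"] = str(start + self.PAGE)
        return out

    def create_members(self, GraphArn, Accounts):
        ok, bad = [], []
        for acct in Accounts:  # mimic the limit: accounts past 1,200 are left unprocessed
            if len(self.members) >= MAX_MEMBERS or acct["AccountId"] in self.members:
                bad.append({"AccountId": acct["AccountId"], "Reason": "limit reached or already a member"})
            else:
                self.members.append(acct["AccountId"])
                ok.append({"AccountId": acct["AccountId"], "Status": "ENABLED"})
        return {"Members": ok, "UnprocessedAccounts": bad}

    def delete_members(self, GraphArn, AccountIds):
        removed = [a for a in AccountIds if a in self.members]
        self.members = [m for m in self.members if m not in removed]
        return {"AccountIds": removed, "UnprocessedAccounts":
                [{"AccountId": a, "Reason": "not a member"} for a in AccountIds if a not in removed]}


def demo():
    """Walk a constructed graph that is two accounts short of the limit."""
    existing = [f"{100000000000 + i}" for i in range(MAX_MEMBERS - 2)]  # constructed member IDs
    client = FakeDetective(existing)
    changed = ensure_auto_enable(client, GRAPH)
    first = enable_accounts(client, GRAPH, ["444455556666", "123456789012", "777788889999"])
    removed, _ = disassociate_accounts(client, GRAPH, ["444455556666"])
    retry = enable_accounts(client, GRAPH, ["777788889999"])  # space freed, so this succeeds now
    return changed, first, removed, retry
```

In `demo()` the graph starts with 1,198 members, so only two of the three requested accounts fit; the third is reported as `over_capacity` rather than submitted. After one account is disassociated the retry succeeds, which is the behaviour the page describes when the administrator removes members to make space. Because disassociation stops ingestion for that account, a reviewer of such a script should treat every entry in the removed list as a coverage gap to record, not just a cleanup.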