

# Managing member accounts with AWS Organizations
<a name="orgs-manage_accounts_members"></a>

A *member account* is an AWS account, other than the management account, that is part of an organization.

This topic describes how to manage member accounts with AWS Organizations.

**Topics**
+ [Best practices for member accounts](orgs_best-practices_member-acct.md)
+ [Creating a member account](orgs_manage_accounts_create.md)
+ [Accessing member accounts](orgs_manage_accounts_access.md)
+ [Closing a member account](orgs_manage_accounts_close.md)
+ [Protecting member accounts from closure](orgs_account_close_policy.md)
+ [Removing a member account](orgs_manage_accounts_remove.md)
+ [Leaving an organization from a member account](orgs_manage_accounts_leave-as-member.md)
+ [Updating the account name for a member account](orgs_manage_accounts_update_name.md)
+ [Updating the root user email for a member account](orgs_manage_accounts_update_primary_email.md)

# Best practices for member accounts
<a name="orgs_best-practices_member-acct"></a>

Follow these recommendations to help protect the security of the member accounts in your organization. These recommendations assume that you also adhere to the [best practice of using the root user only for those tasks that truly require it](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html).

**Topics**
+ [Define account name and attributes](#bp_member-acct_define-acct)
+ [Efficiently scale your environment and account usage](#bp_member-acct_efficiently-scale)
+ [Enable root access management to simplify managing root user credentials for member accounts](#bp_member-acct_root-access-management)

## Define account name and attributes
<a name="bp_member-acct_define-acct"></a>

For your member accounts, use a naming structure and email address that reflects the account usage. For example, `Workloads+fooA+dev@domain.com` for `WorkloadsFooADev`, `Workloads+fooB+dev@domain.com` for `WorkloadsFooBDev`. If you have custom tags defined for your organization, we recommend that you assign those tags on accounts that reflect account usage, cost center, environment, and project. This makes it easier to identify, organize, and search for accounts. 

## Efficiently scale your environment and account usage
<a name="bp_member-acct_efficiently-scale"></a>

As you scale, before creating new accounts, make sure accounts for similar needs do not already exist, to avoid unnecessary duplication. AWS accounts should be based on common access requirements. If you are planning to reuse the accounts, such as a sandbox account or equivalent, we recommend that you clean up unneeded resources or workloads from the accounts, but save the accounts for a future use.

Before closing accounts, note that they are subject to close-account quota limits. For more information, see [Quotas and service limits for AWS Organizations](orgs_reference_limits.md). Where possible, implement a cleanup process so that you reuse accounts instead of closing them and creating new ones. This avoids both the cost of resources left running in idle accounts and the [CloseAccount API](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html) limits. 

## Enable root access management to simplify managing root user credentials for member accounts
<a name="bp_member-acct_root-access-management"></a>

We recommend you enable root access management to help you monitor and remove root user credentials for member accounts. Root access management prevents recovery of root user credentials, improving account security in your organization.
+ Remove root user credentials for member accounts to prevent sign-in as the root user. This also prevents the member account from recovering its root user password.
+ Assume a privileged session to perform the following tasks on member accounts:
  + Remove a misconfigured bucket policy that denies all principals from accessing an Amazon S3 bucket.
  + Delete an Amazon Simple Queue Service resource-based policy that denies all principals from accessing an Amazon SQS queue.
  + Allow a member account to recover their root user credentials. The person with access to the root user email inbox for the member account can reset the root user password and sign in as the member account root user.

After root access management is enabled, newly created member accounts are secure-by-default, having no root user credentials, which eliminates the need for additional security, such as MFA after provisioning.

For more information, see [Centralize root user credentials for member accounts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user-access-management) in the *AWS Identity and Access Management User Guide*. 
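The following is an added example, not code from the AWS documentation: it enables root access management from the organization's management account and then opens a privileged root session in a member account, limited to the S3 "unlock bucket policy" task described above. The clients are passed in as parameters so the code runs offline against the constructed fakes at the bottom; in a real run pass `boto3.client("organizations")`, `boto3.client("iam")` and `boto3.client("sts")`. The task policy ARNs and the `assume_root` parameter shape follow the boto3 reference as the author of this example knows it; check them against your SDK version.

```python
"""Enable root access management, then run one root-only task in a member
account through a privileged session instead of a root password."""

S3_UNLOCK_TASK = "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"
SQS_UNLOCK_TASK = "arn:aws:iam::aws:policy/root-task/SQSUnlockQueuePolicy"
MAX_ROOT_SESSION_SECONDS = 900  # privileged root sessions are capped at 15 minutes


def enable_root_access_management(org, iam):
    """One-time setup in the management account: IAM must be a trusted service
    for the organization, then both root features (credentials management and
    root sessions) are switched on. Returns the list of enabled features."""
    org.enable_aws_service_access(ServicePrincipal="iam.amazonaws.com")
    creds = iam.enable_organizations_root_credentials_management()
    sessions = iam.enable_organizations_root_sessions()
    return sorted(set(creds["EnabledFeatures"]) | set(sessions["EnabledFeatures"]))


def assume_root_for_task(sts, member_account_id, task_policy_arn,
                         duration_seconds=MAX_ROOT_SESSION_SECONDS):
    """Open a privileged root session in the member account. The session can
    only do what the AWS managed task policy allows; the call and everything
    done with the session is logged in CloudTrail."""
    if not 0 < duration_seconds <= MAX_ROOT_SESSION_SECONDS:
        raise ValueError("root sessions must last between 1 and 900 seconds")
    return sts.assume_root(
        TargetPrincipal=member_account_id,
        TaskPolicyArn={"arn": task_policy_arn},
        DurationSeconds=duration_seconds,
    )["Credentials"]


def unlock_bucket_policy(sts, s3_client_factory, member_account_id, bucket):
    """Delete a bucket policy that denies all principals (the lock-out case
    listed above). s3_client_factory(credentials) must return an S3 client
    that uses the session credentials, for example
    boto3.client("s3", aws_access_key_id=..., aws_secret_access_key=...,
    aws_session_token=...)."""
    creds = assume_root_for_task(sts, member_account_id, S3_UNLOCK_TASK)
    s3_client_factory(creds).delete_bucket_policy(Bucket=bucket)
    return creds


# --- constructed fakes so the example runs without AWS access ---------------
class FakeOrganizations:
    def __init__(self):
        self.trusted = []

    def enable_aws_service_access(self, ServicePrincipal):
        self.trusted.append(ServicePrincipal)
        return {}


class FakeIam:
    def enable_organizations_root_credentials_management(self):
        return {"OrganizationId": "o-example",
                "EnabledFeatures": ["RootCredentialsManagement"]}

    def enable_organizations_root_sessions(self):
        return {"OrganizationId": "o-example",
                "EnabledFeatures": ["RootCredentialsManagement", "RootSessions"]}


class FakeSts:
    def __init__(self):
        self.last_call = None

    def assume_root(self, **kwargs):
        self.last_call = kwargs
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret", "SessionToken": "token"}}


class FakeS3:
    def __init__(self):
        self.deleted = []

    def delete_bucket_policy(self, Bucket):
        self.deleted.append(Bucket)
        return {}


if __name__ == "__main__":
    org, iam, sts, s3 = FakeOrganizations(), FakeIam(), FakeSts(), FakeS3()
    print("enabled:", enable_root_access_management(org, iam))
    unlock_bucket_policy(sts, lambda creds: s3, "111122223333", "locked-bucket")
    print("unlocked:", s3.deleted, "via", sts.last_call["TaskPolicyArn"])
```

The session is deliberately scoped by the task policy: a session opened with `S3_UNLOCK_TASK` cannot, for example, create access keys or change the root password, so the blast radius of a privileged session is the one task you asked for.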

### Use an SCP to restrict what the root user in your member accounts can do
<a name="bp_member-acct_use-scp"></a>

We recommend that you create a service control policy (SCP) in the organization and attach it to the organization's root so that it applies to all member accounts. For more information, see [Secure your Organizations account root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html#ru-bp-organizations).

You can deny all root user actions except a specific root-only action that you must perform in your member account. For example, the following SCP prevents the root user in any member account from making any AWS service API call except the ones needed for “Updating an S3 bucket policy that was misconfigured and denies access to all principals” (one of the tasks that requires root user credentials). For more information, see [Tasks that require root user credentials ](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html) in the *IAM User Guide*.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotAction": [
                "s3:GetBucketPolicy",
                "s3:PutBucketPolicy",
                "s3:DeleteBucketPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:root"
                }
            }
        }
    ]
}
```

------

In the majority of circumstances, any administrative tasks can be performed by an AWS Identity and Access Management (IAM) role in the member account that has relevant administrator permissions. Any such roles should have suitable controls applied to limit, log, and monitor activities.
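The following is an added example, not code from the AWS documentation: it builds the root-restricting SCP shown above and evaluates which requests its `Deny` statement matches, so you can check the effect of the `NotAction` list and the `aws:PrincipalArn` condition before attaching the policy. SCPs never grant permissions, so the check only answers "does this statement deny the request?", and it supports just the policy elements the SCP above uses (`Action`/`NotAction`, `Resource` `"*"`, and an `ArnLike` condition on `aws:PrincipalArn`). The account ID and principals used in the usage block are constructed for illustration.

```python
"""Build the root-restricting SCP and test which requests it denies."""
import json
import re

ROOT_ONLY_S3_ACTIONS = ["s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"]


def build_root_restricting_scp(allowed_root_actions=ROOT_ONLY_S3_ACTIONS):
    """Deny every action except allowed_root_actions, but only when the caller
    is an account root user (arn:aws:iam::<account>:root)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "NotAction": list(allowed_root_actions),
            "Resource": "*",
            "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard matching: '*' is any run of characters, '?' one character.
    Action names are case-insensitive; ARNs are matched as written."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def scp_denies(policy, principal_arn, action):
    """True if any Deny statement in the SCP applies to this principal and action."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            in_scope = any(_iam_match(p, action, True) for p in _as_list(stmt["Action"]))
        else:  # NotAction: the statement covers everything NOT listed
            in_scope = not any(_iam_match(p, action, True) for p in _as_list(stmt["NotAction"]))
        if not in_scope:
            continue
        cond = stmt.get("Condition", {}).get("ArnLike", {})
        arn_patterns = _as_list(cond.get("aws:PrincipalArn", "*"))
        if any(_iam_match(p, principal_arn) for p in arn_patterns):
            return True
    return False


if __name__ == "__main__":
    scp = build_root_restricting_scp()
    print(json.dumps(scp, indent=2))  # paste into the console or pass to create-policy
    for principal, action in [
        ("arn:aws:iam::111122223333:root", "ec2:RunInstances"),
        ("arn:aws:iam::111122223333:root", "s3:PutBucketPolicy"),
        ("arn:aws:iam::111122223333:role/OrganizationAccountAccessRole", "ec2:RunInstances"),
    ]:
        verdict = "DENIED" if scp_denies(scp, principal, action) else "not denied"
        print(f"{principal} {action}: {verdict}")
```

Two things the check makes visible: the condition matches the root user of every account the SCP is attached to, not one specific account, and IAM roles in the same account (including `OrganizationAccountAccessRole`) are untouched because their ARNs do not end in `:root`. Remember that SCPs never apply to the management account, so this policy gives no protection to the management account's own root user.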

# Creating a member account in an organization with AWS Organizations
<a name="orgs_manage_accounts_create"></a>

This topic describes how to create AWS accounts within your organization in AWS Organizations. For information about creating a single AWS account, see the [Getting Started Resource Center](https://aws.amazon.com/getting-started/).

## Considerations before creating a member account
<a name="orgs_manage_accounts_create-considerations"></a>

**Organizations automatically creates the IAM role `OrganizationAccountAccessRole` for the member account**

When you create a member account in your organization, Organizations automatically creates the IAM role `OrganizationAccountAccessRole` in the member account that enables users and roles in the management account to exercise full administrative control over the member account. The role's permissions come from the AWS managed policy `AdministratorAccess`, so they are updated automatically whenever AWS updates that policy. This role is subject to any [service control policies (SCPs)](orgs_manage_policies_scps.md) that apply to the member account.

**Organizations automatically creates the service-linked role `AWSServiceRoleForOrganizations` for the member account**

When you create a member account in your organization, Organizations automatically creates service-linked role `AWSServiceRoleForOrganizations` in the member account that enables integration with select AWS services. You must configure the other services to allow the integration. For more information, see [AWS Organizations and service-linked roles](orgs_integrate_services.md#orgs_integrate_services-using_slrs).

**Member accounts can only be created in the root of an organization**

Member accounts in an organization can only be created in the root of an organization. After you create a member account in the root of an organization, you can move it between OUs. For more information, see [Moving accounts to an organizational unit (OU) or between the root and OUs with AWS Organizations](move_account_to_ou.md).

**Policies attached to the root immediately apply**

If you have any policies attached to the root, those policies immediately apply to all users and roles in the created account.

If you have [enabled service trust for another AWS service](orgs_integrate_services_list.md) for your organization, that trusted service can create service-linked roles or perform actions in any member account in the organization, including your created account.

**Member accounts must opt in to receive marketing emails**

Member accounts that you create as part of an organization are not automatically subscribed to AWS marketing emails. To opt-in your accounts to receive marketing emails, see [https://pages.awscloud.com/communication-preferences](https://pages.awscloud.com/communication-preferences).

**Member accounts for organizations managed by AWS Control Tower should be created in AWS Control Tower**

If your organization is managed by AWS Control Tower, we recommend that you create your member accounts using the AWS Control Tower account factory in the AWS Control Tower console or using the AWS Control Tower APIs.

If you create a member account in Organizations when the organization is managed by AWS Control Tower, the account won't be enrolled with AWS Control Tower. For more information, see [Referring to Resources Outside of AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/external-resources.html#ungoverned-resources) in the *AWS Control Tower User Guide*.

## Create a member account
<a name="orgs_manage_accounts_create-new"></a>

After you sign in to the organization's management account, you can create member accounts that are part of your organization.

When you create an account using the following procedure, AWS Organizations automatically copies the following **Primary contact** information from the management account to the new member account:
+ Phone number
+ Company name
+ Website URL
+ Address

Organizations also copies the communication language and Marketplace information (vendor of the account in some AWS Regions) from the management account.

**Minimum permissions**  
To create a member account in your organization, you must have the following permissions:  
`organizations:DescribeOrganization` – required only when using the Organizations console
`organizations:CreateAccount`

### AWS Management Console
<a name="orgs_manage_accounts_create-new-console"></a>

**To create an AWS account that is automatically part of your organization**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. On the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page, choose **Add an AWS account**.

1. On the **[Add an AWS account](https://console.aws.amazon.com/organizations/v2/home/accounts/add/create)** page, choose **Create an AWS account** (it is chosen by default). 

1. On the **[Create an AWS account](https://console.aws.amazon.com/organizations/v2/home/accounts/add/create)** page, for **AWS account name** enter the name that you want to assign to the account. This name helps you distinguish the account from all other accounts in the organization and is separate from the IAM alias or the email name of the owner.

1. For **Email address of the account's owner**, enter the email address of the account's owner. This email address cannot already be associated with another AWS account because it becomes the user name credential for the root user of the account.

1. (Optional) Specify the name to assign to the IAM role that is automatically created in the new account. This role grants the organization's management account permission to access the newly created member account. If you don't specify a name, AWS Organizations gives the role a default name of `OrganizationAccountAccessRole`. We recommend that you use the default name across all of your accounts for consistency.
**Important**  
Remember this role name. You need it later to grant access to the new account for users and roles in the management account.

1. (Optional) In the **Tags** section, add one or more tags to the new account by choosing **Add tag** and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't `null`. You can attach up to 50 tags to an account.

1. Choose **Create AWS account**.
   + If you get an error that indicates that you exceeded your account quota for the organization, see [I get a "quota exceeded" message when I try to add an account to my organization](orgs_troubleshoot.md#troubleshoot_general_error-adding-account).
   + If you get an error that indicates that you can't add an account because your organization is still initializing, wait one hour and try again.
   + You can also check the AWS CloudTrail log for information on whether the account creation was successful. For more information, see [Logging and monitoring in AWS Organizations](orgs_security_incident-response.md).
   + If the error persists, contact [AWS Support](https://console.aws.amazon.com/support/home#/).

   The **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page appears, with your new account added to the list.

1. Now that the account exists and has an IAM role that grants administrator access to users in the management account, you can access the account by following the steps in [Accessing member accounts in an organization with AWS Organizations](orgs_manage_accounts_access.md).

### AWS CLI & AWS SDKs
<a name="orgs_manage_accounts_create-new-cli-sdk"></a>

The following code examples show how to use `CreateAccount`.

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Organizations#code-examples). 

```
using System;
using System.Threading.Tasks;
using Amazon.Organizations;
using Amazon.Organizations.Model;

/// <summary>
/// Creates a new AWS Organizations account.
/// </summary>
public class CreateAccount
{
    /// <summary>
    /// Initializes an Organizations client object and uses it to create
    /// the new account with the name specified in accountName.
    /// </summary>
    public static async Task Main()
    {
        IAmazonOrganizations client = new AmazonOrganizationsClient();
        var accountName = "ExampleAccount";
        var email = "someone@example.com";

        var request = new CreateAccountRequest
        {
            AccountName = accountName,
            Email = email,
        };

        // CreateAccount is asynchronous: the response carries a request
        // status (IN_PROGRESS, SUCCEEDED or FAILED), not the finished account.
        var response = await client.CreateAccountAsync(request);
        var status = response.CreateAccountStatus;

        Console.WriteLine($"The status of {status.AccountName} is {status.State}.");
    }
}
```
+  For API details, see [CreateAccount](https://docs.aws.amazon.com/goto/DotNetSDKV3/organizations-2016-11-28/CreateAccount) in *AWS SDK for .NET API Reference*. 

------
#### [ CLI ]

**AWS CLI**  
**To create a member account that is automatically part of the organization**  
The following example shows how to create a member account in an organization. The member account is configured with the name Production Account and the email address of susan@example.com. Organizations automatically creates an IAM role using the default name of OrganizationAccountAccessRole because the roleName parameter is not specified. Also, the setting that allows IAM users or roles with sufficient permissions to access account billing data is set to the default value of ALLOW because the IamUserAccessToBilling parameter is not specified. Organizations automatically sends Susan a "Welcome to AWS" email:  

```
aws organizations create-account --email susan@example.com --account-name "Production Account"
```
The output includes a request object that shows that the status is now `IN_PROGRESS`:  

```
{
        "CreateAccountStatus": {
                "State": "IN_PROGRESS",
                "Id": "car-examplecreateaccountrequestid111"
        }
}
```
You can later query the current status of the request by providing the Id response value to the describe-create-account-status command as the value for the create-account-request-id parameter.  
For more information, see Creating an AWS Account in Your Organization in the *AWS Organizations User Guide*.  
+  For API details, see [CreateAccount](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/create-account.html) in *AWS CLI Command Reference*. 

------
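The following is an added example, not code from the AWS documentation or the SDK examples repository: it calls `CreateAccount` and then polls `DescribeCreateAccountStatus` until the request finishes, which the console and CLI examples above leave to you. `CreateAccount` is asynchronous, so the first response carries only a request ID, and the new account's ID exists once `State` is `SUCCEEDED`. The Organizations client is passed in as a parameter so the code runs offline against the constructed fake at the bottom; in a real run pass `boto3.client("organizations")` from the management account. The email, account name, request ID and account ID in the usage are placeholders.

```python
"""Create a member account and wait for the asynchronous request to finish."""
import time


class CreateAccountError(RuntimeError):
    """Organizations reported the request as FAILED."""


def create_member_account(org, email, account_name,
                          role_name="OrganizationAccountAccessRole",
                          billing_access="DENY", poll_seconds=5, max_polls=60,
                          sleep=time.sleep):
    """Start the request and return its final CreateAccountStatus.
    IamUserAccessToBilling defaults to ALLOW in the API; DENY is passed here
    so IAM principals in the new account cannot read billing data unless you
    decide otherwise."""
    status = org.create_account(
        Email=email,
        AccountName=account_name,
        RoleName=role_name,
        IamUserAccessToBilling=billing_access,
    )["CreateAccountStatus"]
    request_id = status["Id"]

    for _ in range(max_polls):
        state = status["State"]
        if state == "SUCCEEDED":
            return status  # includes AccountId
        if state == "FAILED":
            # e.g. EMAIL_ALREADY_EXISTS, ACCOUNT_LIMIT_EXCEEDED, INVALID_EMAIL
            raise CreateAccountError(
                f"{request_id}: {status.get('FailureReason', 'unknown reason')}")
        sleep(poll_seconds)
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
    raise TimeoutError(f"{request_id} still {status['State']} after {max_polls} polls")


class FakeOrganizations:
    """Constructed stand-in for the boto3 client: reports IN_PROGRESS on the
    first status query, then SUCCEEDED (or FAILED with fail_reason)."""

    def __init__(self, fail_reason=None):
        self.fail_reason = fail_reason
        self.describe_calls = 0
        self.create_kwargs = None

    def create_account(self, **kwargs):
        self.create_kwargs = kwargs
        return {"CreateAccountStatus": {
            "Id": "car-examplecreateaccountrequestid111",
            "AccountName": kwargs["AccountName"], "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.describe_calls += 1
        status = {"Id": CreateAccountRequestId, "State": "IN_PROGRESS"}
        if self.fail_reason:
            status.update(State="FAILED", FailureReason=self.fail_reason)
        elif self.describe_calls >= 2:
            status.update(State="SUCCEEDED", AccountId="111122223333")
        return {"CreateAccountStatus": status}


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    result = create_member_account(boto3.client("organizations"),
                                   "susan@example.com", "Production Account")
    print(f"created account {result['AccountId']} via request {result['Id']}")
```

Treat a `FAILED` status as the normal error path rather than an exception to ignore: `EMAIL_ALREADY_EXISTS` and `ACCOUNT_LIMIT_EXCEEDED` are the two you will hit most often, and the latter is the quota case described under the console procedure above.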

# Accessing member accounts in an organization with AWS Organizations
<a name="orgs_manage_accounts_access"></a>

When you create an account in your organization, in addition to the root user, AWS Organizations automatically creates an IAM role that is by default named `OrganizationAccountAccessRole`. You can specify a different name when you create it, however we recommend that you name it consistently across all of your accounts. AWS Organizations doesn't create any other users or roles.

To access the accounts in your organization, you must use one of the following methods:

**Minimum permissions**  
To access an AWS account from any other account in your organization, you must have the following permission:  
`sts:AssumeRole` – The `Resource` element must be set to either an asterisk (`*`) or the ARN of the role in the member account that you want to assume (for example, `arn:aws:iam::<member-account-id>:role/OrganizationAccountAccessRole`). Naming the specific role ARNs is the more restrictive option.

------
#### [ Using the root user (Not recommended for everyday tasks) ]

When you create a new member account in your organization, the account has no root user credentials by default. Member accounts can't sign in to their root user or perform password recovery for their root user unless account recovery is enabled.

You can [centralize root access for member accounts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html) to remove root user credentials for existing member accounts in your organization. Deleting root user credentials removes the root user password, access keys, signing certificates, and deactivates multi-factor authentication (MFA). These member accounts do not have root user credentials, can't sign in as a root user, and are prevented from recovering the root user password. New accounts you create in Organizations have no root user credentials by default.

Contact your administrator if you need to perform a task that requires root user credentials on a member account where root user credentials are not present.

To access your member account as the root user, you must go through the process for password recovery. For more information, see [I forgot my root user password for my AWS account](https://docs.aws.amazon.com/signin/latest/userguide/troubleshooting-sign-in-issues.html#troubleshoot-forgot-root-password) in the *AWS Sign-In User Guide*. 

If you must access a member account using the root user, follow these best practices:
+ Don't use the root user to access your account except to create other users and roles with more limited permissions. Then sign in as one of those users or roles.
+ [Enable multi-factor authentication (MFA) on the root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html#ru-bp-mfa). Reset the password, and [assign an MFA device to the root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html).

For the complete list of tasks that require you to sign in as the root user, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. For additional root user security recommendations, see [Root user best practices for your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html) in the *IAM User Guide*.

------
#### [ Using trusted access for IAM Identity Center ]

Use [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) and enable trusted access for IAM Identity Center with AWS Organizations. This allows users to sign in to the AWS access portal with their corporate credentials and access resources in their assigned management account or member accounts.

For more information, see [Multi-account permissions](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html) in the *AWS IAM Identity Center User Guide.* For information about setting up trusted access for IAM Identity Center, see [AWS IAM Identity Center and AWS Organizations](services-that-can-integrate-sso.md).

------
#### [ Using the IAM role OrganizationAccountAccessRole ]

If you create an account by using the tools provided as part of AWS Organizations, you can access the account by using the preconfigured role named `OrganizationAccountAccessRole` that exists in all new accounts that you create this way. For more information, see [Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations](orgs_manage_accounts_access-cross-account-role.md).

If you invite an existing account to join your organization and the account accepts the invitation, you can then choose to create an IAM role that allows the management account to access the invited member account. This role is intended to be identical to the role automatically added to an account that is created with AWS Organizations.

To create this role, see [Creating OrganizationAccountAccessRole for an invited account with AWS Organizations](orgs_manage_accounts_create-cross-account-role.md).

After you create the role, you can access it using the steps in [Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations](orgs_manage_accounts_access-cross-account-role.md).

------

**Topics**
+ [Creating an IAM access role](orgs_manage_accounts_create-cross-account-role.md)
+ [Using the IAM access role](orgs_manage_accounts_access-cross-account-role.md)

# Creating OrganizationAccountAccessRole for an invited account with AWS Organizations
<a name="orgs_manage_accounts_create-cross-account-role"></a>

By default, if you create a member account as part of your organization, AWS automatically creates a role in the account that grants administrator permissions to IAM users in the management account who can assume the role. By default, that role is named `OrganizationAccountAccessRole`. For more information, see [Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations](orgs_manage_accounts_access-cross-account-role.md).

However, member accounts that you *invite* to join your organization ***do not*** automatically get an administrator role created. You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, `OrganizationAccountAccessRole`, for your manually created roles for consistency and ease of remembering.

------
#### [ AWS Management Console ]

**To create an AWS Organizations administrator role in a member account**

1. Sign in to the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the member account. The user or role must have permission to create IAM roles and policies.

1. In the IAM console, navigate to **Roles** and then choose **Create role**.

1. Choose **AWS account**, and then select **Another AWS account**.

1. Enter the 12-digit account ID number of the management account that you want to grant administrator access to. Under **Options**, please note the following:
   + For this role, because the accounts are internal to your company, you should **not** choose **Require external ID**. For more information about the external ID option, see [When should I use an external ID?](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html#external-id-use) in the *IAM User Guide*. 
   + If you have MFA enabled and configured, you can optionally choose to require authentication using an MFA device. For more information about MFA, see [Using multi-factor authentication (MFA) in AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the *IAM User Guide*. 

1. Choose **Next**.

1. On the **Add permissions** page, choose the AWS managed policy named `AdministratorAccess` and then choose **Next**.

1. On the **Name, review, and create** page, specify a role name and an optional description. We recommend that you use `OrganizationAccountAccessRole`, for consistency with the default name assigned to the role in new accounts. To commit your changes, choose **Create role**.

1. Your new role appears on the list of available roles. Choose the new role's name to view its details, paying special note to the link URL that is provided. Give this URL to users in the member account who need to access the role. Also, note the **Role ARN** because you need it in step 14.

1. Sign in to the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). This time, sign in as a user in the management account who has permissions to create policies and assign the policies to users or groups.

1. Navigate to **Policies** and then choose **Create policy**.

1. For **Service**, choose **STS**.

1. For **Actions**, start typing **AssumeRole** in the **Filter** box and then select the check box next to it when it appears.

1. Under **Resources**, ensure that **Specific** is selected and then choose **Add ARNs**.

1. Enter the AWS member account ID number and then enter the name of the role that you previously created in steps 1–8. Choose **Add ARNs**.

1. If you're granting permission to assume the role in multiple member accounts, repeat steps 13 and 14 for each account.

1. Choose **Next**.

1. On the **Review and create** page, enter a name for the new policy and then choose **Create policy** to save your changes.

1. Choose **User groups** in the navigation pane and then choose the name of the group (not the check box) that you want to use to delegate administration of the member account.

1. Choose the **Permissions** tab.

1. Choose **Add permissions**, choose **Attach policies**, and then select the policy that you created in steps 10–17.

------

The users who are members of the selected group now can use the URLs that you captured in step 8 to access each member account's role. They can access these member accounts the same way as they would if accessing an account that you create in the organization. For more information about using the role to administer a member account, see [Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations](orgs_manage_accounts_access-cross-account-role.md). 
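The following is an added example, not code from the AWS documentation: it produces the two policy documents that the console procedure above builds by hand, as JSON you can review in a pull request and apply with the CLI or infrastructure-as-code. The first is the trust policy for `OrganizationAccountAccessRole` in the member account (with the optional MFA condition from the **Require MFA** option); the second is the identity policy for the group in the management account, with the optional MFA and source-IP conditions. The account IDs and the CIDR range are placeholders, and the CLI commands in the comments assume you have credentials for the respective account.

```python
"""Trust and permission policies for OrganizationAccountAccessRole in an invited account."""
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
MFA_CONDITION = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}


def validate_account_id(account_id):
    """AWS account IDs are exactly 12 digits; catch typos before they end up
    in a trust policy that trusts the wrong account."""
    if len(account_id) != 12 or not account_id.isdigit():
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def trust_policy(management_account_id, require_mfa=False):
    """Trust policy for the role in the member account. It trusts the
    management account as a whole; which principals in that account may use
    the role is decided by that account's own identity policies."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{validate_account_id(management_account_id)}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:  # the "Require MFA" option
        statement["Condition"] = MFA_CONDITION
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(member_account_ids, role_name="OrganizationAccountAccessRole",
                       require_mfa=False, source_ip_cidrs=None):
    """Identity policy for the group in the management account. Resource names
    one role ARN per member account instead of "*", so the group can reach
    only the roles it was explicitly given."""
    statement = {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [f"arn:aws:iam::{validate_account_id(a)}:role/{role_name}"
                     for a in member_account_ids],
    }
    condition = {}
    if require_mfa:
        condition.update(MFA_CONDITION)
    if source_ip_cidrs:
        condition["IpAddress"] = {"aws:SourceIp": list(source_ip_cidrs)}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    # Member account side (credentials for the member account):
    #   aws iam create-role --role-name OrganizationAccountAccessRole \
    #       --assume-role-policy-document file://trust.json
    #   aws iam attach-role-policy --role-name OrganizationAccountAccessRole \
    #       --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
    print("trust.json:")
    print(json.dumps(trust_policy("111111111111", require_mfa=True), indent=2))
    # Management account side (credentials for the management account):
    #   aws iam create-policy --policy-name GrantAccessToOrganizationAccountAccessRole \
    #       --policy-document file://assume.json
    print("assume.json:")
    print(json.dumps(assume_role_policy(["222222222222", "333333333333"],
                                        require_mfa=True,
                                        source_ip_cidrs=["203.0.113.0/24"]), indent=2))
```

Because the trust policy names the whole management account, the effective control on who can become an administrator of the member account is the identity policy on the management side; keep its `Resource` list explicit and put the MFA condition on both documents if you want it enforced even when the management-side policy is later loosened.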

# Accessing a member account that has OrganizationAccountAccessRole with AWS Organizations
<a name="orgs_manage_accounts_access-cross-account-role"></a>

When you create a member account using the AWS Organizations console, AWS Organizations *automatically* creates an IAM role named `OrganizationAccountAccessRole` in the account. This role has full administrative permissions in the member account. Its trust policy names the organization's management account as the trusted principal, so any user or role in the management account can assume it, provided that the management account's own IAM policies grant that principal `sts:AssumeRole` on the role.

You can create an identical role for an invited member account by following the steps in [Creating OrganizationAccountAccessRole for an invited account with AWS Organizations](orgs_manage_accounts_create-cross-account-role.md).

To use this role to access the member account, you must sign in as a user from the management account that has permissions to assume the role. To configure these permissions, perform the following procedure. We recommend that you grant permissions to groups instead of users for ease of maintenance.

------
#### [ AWS Management Console ]

**To grant permissions to members of an IAM group in the management account to access the role**

1. Sign in to the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/) as a user with administrator permissions in the management account. This is required to delegate permissions to the IAM group whose users will access the role in the member account.

1. <a name="step-create-policy"></a>Start by creating the managed policy that you need later in [Step 14](#step-choose-group). 

   In the navigation pane, choose **Policies** and then choose **Create policy**.

1. On the Visual editor tab, choose **Choose a service**, enter **STS** in the search box to filter the list, and then choose the **STS** option.

1. In the **Actions** section, enter **assume** in the search box to filter the list, and then choose the **AssumeRole** option.

1. In the **Resources** section, choose **Specific**, and then choose **Add ARNs**.

1. In the **Specify ARN(s)** section, for **Resource in**, choose **Other account**.

1. Enter the ID of the member account you just created (the account that contains the role).

1. For **Resource role name with path**, enter the name of the role that you created in the previous section (we recommended naming it `OrganizationAccountAccessRole`).

1. Choose **Add ARNs** when the dialog box displays the correct ARN.

1. (Optional) If you want to require multi-factor authentication (MFA), or restrict access to the role from a specified IP address range, then expand the Request conditions section, and select the options you want to enforce.

1. Choose **Next**.

1. On the **Review and create** page, enter a name for the new policy. For example : **GrantAccessToOrganizationAccountAccessRole**. You can also add an optional description. 

1. <a name="step-end-policy"></a>Choose **Create policy** to save your new managed policy.

1. <a name="step-choose-group"></a>Now that you have the policy available, you can attach it to a group.

   In the navigation pane, choose **User groups** and then choose the name of the group (not the check box) whose members you want to be able to assume the role in the member account. If necessary, you can create a new group.

1. Choose the **Permissions** tab, choose **Add permissions**, and then choose **Attach policies**.

1. (Optional) In the **Search** box, you can start typing the name of your policy to filter the list until you can see the name of the policy you just created in [Step 2](#step-create-policy) through [Step 13](#step-end-policy). You can also filter out all of the AWS managed policies by choosing **All types** and then choosing **Customer managed**.

1. Check the box next to your policy, and then choose **Attach policies**.

------

IAM users that are members of the group now have permissions to switch to the new role in the AWS Organizations console by using the following procedure.

------
#### [ AWS Management Console ]

**To switch to the role for the member account**

When using the role, the user has administrator permissions in the new member account. Instruct your IAM users who are members of the group to do the following to switch to the new role. 

1. From the upper-right corner of the AWS Organizations console, choose the link that contains your current sign-in name and then choose **Switch Role**.

1. Enter the administrator-provided account ID number and role name.

1. For **Display Name**, enter the text that you want to show on the navigation bar in the upper-right corner in place of your user name while you are using the role. You can optionally choose a color.

1. Choose **Switch Role**. Now all actions that you perform are done with the permissions granted to the role that you switched to. You no longer have the permissions associated with your original IAM user until you switch back.

1. When you finish performing actions that require the permissions of the role, you can switch back to your normal IAM user. Choose the role name in the upper-right corner (whatever you specified as the **Display Name**) and then choose **Back to *UserName***.

------

# Closing a member account in an organization with AWS Organizations
<a name="orgs_manage_accounts_close"></a>

If you no longer need a member account in your organization, you can close it from the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2) following the instructions in this topic. You can only close a member account using the AWS Organizations console if your organization is in [All features](orgs_getting-started_concepts.md#feature-set-all) mode.

You can also close an AWS account directly from the [**Account** page](https://console.aws.amazon.com/billing/home#/account) in the AWS Management Console after signing in as the root user. For step-by-step instructions, see [Close an AWS account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-closing.html) in the *AWS Account Management Guide*. 

To close a management account, see [Closing a management account in your organization](orgs_manage_accounts_close_management.md).

## Close a member account
<a name="orgs_account_close_proc"></a>

When you sign in to the organization's management account, you can close member accounts that are part of your organization. To do this, complete the following steps.

**Important**  
Before you close your member account, we highly recommend that you review considerations and understand the impact for closing an account. For more information, see [What you need to know before closing your account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-closing.html#close-account-considerations) and [What to expect after you close your account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-closing.html#what-to-expect-after-closure) in the *AWS Account Management Guide*.

------
#### [ AWS Management Console ]

**To close a member account from the AWS Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. On the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page, find and choose the name of the member account you want to close. You can navigate the OU hierarchy, or look at a flat list of accounts without the OU structure. 

1. Choose **Close** next to the account name at the top of the page. This option is only available when an AWS organization is in [All features](orgs_getting-started_concepts.md#feature-set-all) mode.
**Note**  
If your organization is using [Consolidated billing](orgs_getting-started_concepts.md#feature-set-cb-only) mode, you won't be able to see the **Close** button in the console. To close an account in consolidated billing mode, sign in to the account you want to close as the root user. On the **Accounts** page, choose the **Close account** button, enter your account ID, and then choose the **Close account** button.

1. Read and ensure that you understand the account closure guidance.

1. Enter the member account ID, and then choose **Close account**. 

**Note**  
Any member account that you close displays a `CLOSED` label next to its account name in the AWS Organizations console for up to 90 days after the closure date. After 90 days, the member account is permanently closed and no longer appears in the AWS Organizations console. It can take a few days after permanent closure for the account to be removed from the organization.

**To close a member account from the Accounts page**

Optionally, you can close an AWS member account directly from the **Accounts** page in the AWS Management Console. For step-by-step guidance, follow the instructions in [Close an AWS account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-closing.html) in the *AWS Account Management Guide*.

------
#### [ AWS CLI & AWS SDKs ]

**To close an AWS account**  
You can use one of the following commands to close an AWS account:
+ AWS CLI: [close-account](https://docs.aws.amazon.com/cli/latest/reference/organizations/close-account.html)

  ```
  $ aws organizations close-account \
      --account-id 123456789012
  ```

  This command produces no output when successful.
+ AWS SDKs: [CloseAccount](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html)

------

# Protecting member accounts from closure with AWS Organizations
<a name="orgs_account_close_policy"></a>

To protect member accounts from accidental closure by principals in the management account, attach an IAM policy to those principals that explicitly denies `organizations:CloseAccount` for the accounts you want to protect. This policy guards only the management-account path: a member account can still be closed by signing in to it as its root user from the **Account** page, so protect the root user credentials of critical member accounts separately.

Create an IAM policy that denies account closure using one of these methods:
+ Explicitly list the protected accounts in the policy's `Resource` element by ARN.
+ Tag the protected accounts and use the `aws:ResourceTag` global condition key to deny closure of accounts that carry the tag.

**Note**  
Service control policies (SCPs) don't affect IAM principals in the management account, so an SCP can't provide this protection. Use an identity-based policy attached to the management-account users and roles instead.

## Example IAM policies that prevent member account closures
<a name="orgs_close_account_policy_examples"></a>

The following examples show two ways to prevent principals in the management account from closing member accounts.

------
#### [ Prevent member accounts with tags from getting closed  ]

You can attach the following policy to an identity in your management account. It prevents principals in the management account from closing any member account that carries the tag key `AccountType` with the value `Critical`; the policy matches that tag on the target account through the `aws:ResourceTag/AccountType` global condition key.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventCloseAccountForTaggedAccts",
            "Effect": "Deny",
            "Action": "organizations:CloseAccount",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/AccountType": "Critical"}
            }
        }
    ]
}
```

------
#### [ Prevent member accounts listed in this policy from getting closed ]

You can attach the following policy to an identity in your management account. This policy prevents principals in the management account from closing member accounts explicitly specified in the `Resource` element. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventCloseAccount",
            "Effect": "Deny",
            "Action": "organizations:CloseAccount",
            "Resource": [
                "arn:aws:organizations::555555555555:account/o-12345abcdef/123456789012",
                "arn:aws:organizations::555555555555:account/o-12345abcdef/123456789014"
            ]
        }
    ]
}
```

------
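The tag-based policy above is only as strong as the tag it keys on: a principal who can call `organizations:UntagResource` (or `organizations:TagResource` to overwrite the value) can strip `AccountType=Critical` from an account and then close it. The following policy, added here as an example rather than taken from the page, pairs the page's deny on `organizations:CloseAccount` with a deny on changing that tag key. It uses the same key and value as the example above and assumes that Organizations honors the `aws:TagKeys` condition key on its tagging actions; confirm that in the Service Authorization Reference entry for AWS Organizations before relying on it.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventCloseAccountForTaggedAccts",
            "Effect": "Deny",
            "Action": "organizations:CloseAccount",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/AccountType": "Critical"}
            }
        },
        {
            "Sid": "PreventChangingTheProtectionTag",
            "Effect": "Deny",
            "Action": [
                "organizations:TagResource",
                "organizations:UntagResource"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {"aws:TagKeys": ["AccountType"]}
            }
        }
    ]
}
```

Attach it to the same management-account identities that you attached the close-protection policy to, and keep administration of the `AccountType` tag with a separate, tightly controlled role that this policy is not attached to. Like the page's examples, it covers only the management-account path: it does nothing against a member account's own root user closing the account from the **Account** page, and a principal that can edit its own IAM policies can detach it, so pair it with least-privilege IAM in the management account.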

# Removing a member account from an organization with AWS Organizations
<a name="orgs_manage_accounts_remove"></a>

Removing a member account does not close the account; it removes the member account from the organization. The former member account becomes a standalone AWS account that is no longer managed by AWS Organizations.

Afterwards, the account is no longer subject to any policies and is responsible for its own bill payments. The organization's management account is no longer charged for any expenses accrued by the account after it's been removed from the organization.

## Considerations
<a name="orgs_manage_account-before-remove"></a>

**IAM access roles created by the management account are not automatically deleted**

When you remove a member account from the organization, any IAM role that was created to enable access by the organization's management account isn't automatically deleted. If you want to terminate this access from the former organization's management account, then you must manually delete the IAM role. For information about how to delete a role, see [Deleting roles or instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html) in the *IAM User Guide*.

**You can remove an account from your organization only if the account has the information that is required for it to operate as a standalone account**

When you create an account in an organization using the AWS Organizations console, API, or AWS CLI, the information that a standalone account requires is *not* collected automatically.

For each account that you want to make standalone, you must choose a support plan, provide and verify the required contact information, and provide a current payment method. AWS uses the payment method to charge for any billable (not AWS Free Tier) AWS activity that occurs while the account isn't attached to an organization. To remove an account that doesn't yet have this information, follow the steps in [Leaving an organization from a member account with AWS Organizations](orgs_manage_accounts_leave-as-member.md).

**You must wait until at least four days after the account was created**

To remove an account that you created in the organization, you must wait until at least four days after the account was created. Invited accounts aren't subject to this waiting period. 

**The owner of the account that leaves becomes responsible for all new costs accrued**

At the moment the account successfully leaves the organization, the owner of the AWS account becomes responsible for all new AWS costs accrued, and the account's payment method is used. The management account of the organization is no longer responsible.

**The account cannot be a delegated administrator account for any AWS service enabled for the organization**

The account that you want to remove must not be a delegated administrator account for any AWS service enabled for your organization. If the account is a delegated administrator, you must first change the delegated administrator account to another account that is remaining in the organization. For more information about how to disable or change the delegated administrator account for an AWS service, see the documentation for that service.

**The account no longer has access to cost and usage data**

When a member account leaves an organization, that account no longer has access to cost and usage data from the time range when the account was a member of the organization. However, the management account of the organization can still access the data. If the account rejoins the organization, the account can access that data again.

**Tags attached to the account are deleted**

When a member account leaves an organization, all tags attached to the account are deleted.

**Principals in the account are no longer affected by any organization policies**

The principals in the account are no longer affected by any [policies](orgs_manage_policies.md) that applied in the organization. This means that restrictions imposed by SCPs are gone, and the users and roles in the account might have more permissions than they had before. Other organization policy types can no longer be enforced or processed. 

**The account is no longer covered by organization agreements**

If a member account is removed from an organization, that member account will no longer be covered by organization agreements. Management account administrators should communicate this to member accounts before removing member accounts from the organization, so that member accounts can put new agreements in place if necessary. A list of active organization agreements can be viewed in the AWS Artifact console on the [AWS Artifact Organization Agreements](https://console.aws.amazon.com/artifact/home?#!/agreements?tab=organizationAgreements) page.

**Integration with other services might be disabled**

If you remove an account from an organization that has integration with an AWS service enabled, that integration is disabled for the account, and the users in that account can no longer use the service's organization-wide features.

## Remove a member account from an organization
<a name="orgs_manage_accounts_remove-member-account"></a>

When you sign in to the organization's management account, you can remove member accounts from the organization that you no longer need. To do this, complete the following procedure. This procedure applies only to member accounts. To remove the management account, you must [delete the organization](orgs_manage_org_delete.md).

**Minimum permissions**  
To remove one or more member accounts from your organization, you must sign in as a user or role in the management account with the following permissions:  
`organizations:DescribeOrganization` – required only when using the Organizations console
`organizations:RemoveAccountFromOrganization` 
If you choose to sign in as a user or role in a member account in step 5, then that user or role must have the following permissions:  
`organizations:DescribeOrganization` – required only when using the Organizations console.
`organizations:LeaveOrganization` – Note that the organization administrator can apply a policy to your account that removes this permission, preventing you from removing your account from the organization.
If you sign in as an IAM user and the account is missing payment information, the user must have either `aws-portal:ModifyBilling` and `aws-portal:ModifyPaymentMethods` permissions (if the account has not yet migrated to fine-grained permissions) OR `payments:CreatePaymentInstrument` and `payments:UpdatePaymentPreferences` permissions (if the account has migrated to fine-grained permissions). Also, the member account must have IAM user access to billing enabled. If this isn't already enabled, see [Activating Access to the Billing and Cost Management Console](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate) in the *AWS Billing User Guide*.

------
#### [ AWS Management Console ]

**To remove a member account from your organization**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. On the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page, find and select the check box![\[Blue checkmark icon indicating confirmation or completion of a task.\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/checkbox-selected.png) next to each member account that you want to remove from your organization. You can navigate the OU hierarchy (choose the ![\[Gray cloud icon representing cloud computing or storage services.\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/console-expand.png) to expand an OU) or enable **View AWS accounts only** to see a flat list of accounts without the OU structure. If you have a lot of accounts, you might have to choose **Load more accounts in '*ou-name*'** at the bottom of the list to find all of those you want to remove.

1. Choose **Actions**, then under **AWS account**, choose **Remove from organization**.

1. In the **Remove account '*account-name*' (*account-id-num*) from organization?** dialog box, choose **Remove account**.

1. If AWS Organizations fails to remove one or more of the accounts, it's typically because you have not provided all the required information for the account to operate as a standalone account. Perform the following steps:

   1. Sign in to the failed accounts. We recommend that you sign in to the member account by choosing **Copy link**, and then pasting it into the address bar of a new incognito browser window. If you do not see **Copy link**, use [this link](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?client=organizations&enforcePI=True) to go to the **Sign up for AWS** page and complete the missing registration steps. If you don't use an incognito window, you're signed out of the management account and won't be able to navigate back to this dialog box.

   1. The browser takes you directly to the sign-up process to complete any steps that are missing for this account. Complete all the steps presented. They might include the following:
      + Provide contact information
      + Provide a valid payment method
      + Verify the phone number
      + Select a support plan option

   1. After you complete the last sign-up step, AWS automatically redirects your browser to the AWS Organizations console for the member account. Choose **Leave organization**, and then confirm your choice in the confirmation dialog box. You are redirected to the **Getting Started** page of the AWS Organizations console, where you can view any pending invitations for your account to join other organizations.

   1. Remove the IAM roles that grant access to your account from the organization.
**Important**  
If your account was created in the organization, then Organizations automatically created an IAM role in the account that enabled access by the organization's management account. If the account was invited to join, then Organizations did not automatically create such a role, but you or another administrator might have created one to get the same benefits. In either case, when you remove the account from the organization, any such role isn't automatically deleted. If you want to terminate this access from the former organization's management account, then you must manually delete this IAM role. For information about how to delete a role, see [Deleting roles or instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html) in the *IAM User Guide*.

------
#### [ AWS CLI & AWS SDKs ]

**To remove a member account from your organization**  
You can use one of the following commands to remove a member account:
+ AWS CLI: [remove-account-from-organization](https://docs.aws.amazon.com/cli/latest/reference/organizations/remove-account-from-organization.html)

  ```
  $ aws organizations remove-account-from-organization \
      --account-id 123456789012
  ```

  This command produces no output when successful.
+ AWS SDKs: [RemoveAccountFromOrganization](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RemoveAccountFromOrganization.html)

After the member account has been removed from the organization, make sure to remove the IAM roles that grant access to your account from the organization.

**Important**  
If your account was created in the organization, then Organizations automatically created an IAM role in the account that enabled access by the organization's management account. If the account was invited to join, then Organizations did not automatically create such a role, but you or another administrator might have created one to get the same benefits. In either case, when you remove the account from the organization, any such role isn't automatically deleted. If you want to terminate this access from the former organization's management account, then you must manually delete this IAM role. For information about how to delete a role, see [Deleting roles or instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html) in the *IAM User Guide*.

Member accounts can remove themselves with [leave-organization](https://docs.aws.amazon.com/cli/latest/reference/organizations/leave-organization.html) instead. For more information, see [Leaving an organization from a member account with AWS Organizations](orgs_manage_accounts_leave-as-member.md).

------

# Leaving an organization from a member account with AWS Organizations
<a name="orgs_manage_accounts_leave-as-member"></a>

When you sign in to a member account, you can leave an organization. The management account can't leave the organization using this technique. To remove the management account, you must [delete the organization](orgs_manage_org_delete.md).

## Considerations
<a name="orgs_manage_accounts_leave-as-member-considerations"></a>

**An account’s status with an organization affects what cost and usage data is visible**

Accounts maintain access to all past invoices delivered to them and all bills data generated by them, regardless of organizations membership changes. However, Cost Explorer data visibility is tied to current organizations membership. The table below shows how three common account transitions affect data visibility:

|  | Invoice availability | Bills availability (for example, the Bills page) | Cost Explorer availability | 
| --- | --- | --- | --- | 
| Scenario 1: Member account leaves organizationA and becomes a standalone account | The account maintains access to all historical invoices delivered to it. | The account maintains access to all historical bills data it generated as a member of organizationA. | The account loses access to historical cost and usage data it generated as a member of organizationA. | 
| Scenario 2: Member account leaves organizationA and joins organizationB | The account maintains access to all historical invoices delivered to it. | The account maintains access to all historical bills data it generated as a member of organizationA. | The account loses access to historical cost and usage data it generated as a member of organizationA. | 
| Scenario 3: Account rejoins an organization that it previously belonged to | The account maintains access to all historical invoices delivered to it. | The account maintains access to all historical bills data it generated (whether generated as a standalone account or as a member of another organization). | The account regains access to cost and usage data for the full range of time it was a member of the organization, but loses access to all historical cost and usage data generated outside of its current organization. | 

**The account is no longer covered by organization agreements that were accepted on its behalf**

If you leave an organization, you are no longer covered by organization agreements that were accepted on your behalf by the management account of the organization. You can view a list of these organization agreements in the AWS Artifact console on the [AWS Artifact Organization Agreements](https://console.aws.amazon.com/artifact/home?#!/agreements?tab=organizationAgreements) page. Before leaving the organization, you should determine (with the assistance of your legal, privacy, or compliance teams where appropriate) whether it is necessary for you to have new agreement(s) in place.

**The account’s service quotas may change**

Leaving an organization may change the service quotas that apply to the member account. If you run automated workloads that depend on raised quotas, review the account's quotas in the Service Quotas console after leaving the organization and, if needed, request increases through the [AWS Support Center](https://console.aws.amazon.com/support/home#/).

## Leave an organization from a member account
<a name="orgs_manage_accounts_leave-as-member-steps"></a>

To leave an organization, complete the following procedure.

**Minimum permissions**  
To leave an organization, you must have the following permissions:  
`organizations:DescribeOrganization` – required only when using the Organizations console.
`organizations:LeaveOrganization` – Note that the organization administrator can apply a policy to your account that removes this permission, preventing you from removing your account from the organization.
If you sign in as an IAM user and the account is missing payment information, the user must have either `aws-portal:ModifyBilling` and `aws-portal:ModifyPaymentMethods` permissions (if the account has not yet migrated to fine-grained permissions) OR `payments:CreatePaymentInstrument` and `payments:UpdatePaymentPreferences` permissions (if the account has migrated to fine-grained permissions). Also, the member account must have IAM user access to billing enabled. If this isn't already enabled, see [Activating Access to the Billing and Cost Management Console](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate) in the *AWS Billing User Guide*.

------
#### [ AWS Management Console ]

**To leave an organization from your member account**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in a member account.

   By default, you don't have access to the root user password in a member account that was created using AWS Organizations. If required, recover the root user password by following the steps in **Using the root user (Not recommended for everyday tasks)** in [Accessing member accounts in an organization with AWS Organizations](orgs_manage_accounts_access.md).

1. On the **[Organizations Dashboard](https://console.aws.amazon.com/organizations/v2/home/dashboard)** page, choose **Leave this organization**.

1. In the **Confirm leaving the organization?** dialog box, choose **Leave organization**. When prompted, confirm your choice to remove the account. After you have confirmed, you are redirected to the **Getting Started** page of the AWS Organizations console, where you can view any pending invitations for your account to join other organizations.

   If you see a **You can't leave the organization yet** message, your account doesn't have all the required information to operate as a standalone account. If this is the case, proceed to the next step.

1. If the **Confirm leaving the organization?** dialog box displays the message **You can't leave the organization yet**, choose the **Complete the account sign-up steps** link.

   If you do not see the **Complete the account sign-up steps** link, use [this link](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?client=organizations&enforcePI=True) to go to the **Sign up for AWS** page and complete the missing registration steps.

1. On the **Sign up for AWS** page, enter all of the required information necessary for this to become a standalone account. This might include the following types of information:
   + Contact name and address
   + Valid payment method
   + Phone number verification
   + Support plan options

1. When you see the dialog box stating that the sign-up process is complete, choose **Leave organization**.

   A confirmation dialog box appears. Confirm your choice to remove the account. You are redirected to the **Getting Started** page of the AWS Organizations console, where you can view any pending invitations for your account to join other organizations.

1. Remove the IAM roles that grant access to your account from the organization.
**Important**  
If your account was created in the organization, then Organizations automatically created an IAM role in the account that enabled access by the organization's management account. If the account was invited to join, then Organizations did not automatically create such a role, but you or another administrator might have created one to get the same benefits. In either case, when you remove the account from the organization, any such role isn't automatically deleted. If you want to terminate this access from the former organization's management account, then you must manually delete this IAM role. For information about how to delete a role, see [Deleting roles or instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html) in the *IAM User Guide*.

------
#### [ AWS CLI & AWS SDKs ]

**To leave an organization as a member account**  
You can use one of the following commands to leave an organization:
+ AWS CLI: [leave-organization](https://docs.aws.amazon.com/cli/latest/reference/organizations/leave-organization.html)

  The following example causes the account whose credentials are used to run the command to leave the organization.

  ```
  $ aws organizations leave-organization
  ```

  This command produces no output when successful.
+ AWS SDKs: [LeaveOrganization](https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html)

After the member account has left the organization, make sure to remove the IAM roles that grant access to your account from the organization.

**Important**  
If your account was created in the organization, then Organizations automatically created an IAM role in the account that enabled access by the organization's management account. If the account was invited to join, then Organizations did not automatically create such a role, but you or another administrator might have created one to get the same benefits. In either case, when you remove the account from the organization, any such role isn't automatically deleted. If you want to terminate this access from the former organization's management account, then you must manually delete this IAM role. For information about how to delete a role, see [Deleting roles or instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html) in the *IAM User Guide*.

Member accounts can also be removed by a user in the management account with [remove-account-from-organization](https://docs.aws.amazon.com/cli/latest/reference/organizations/remove-account-from-organization.html) instead. For more information, see [Remove a member account from an organization](orgs_manage_accounts_remove.md#orgs_manage_accounts_remove-member-account).

------

# Updating the account name for a member account with AWS Organizations
<a name="orgs_manage_accounts_update_name"></a>

When you sign in to your organization's management account, you can update the account name for a member account. To learn how to update a member account name, follow the steps in [Update the account name for any AWS account in your organization](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-acct-name.html#update-account-name-orgs) in the *AWS Account Management Reference Guide*.

# Updating the root user email address for a member account with AWS Organizations
<a name="orgs_manage_accounts_update_primary_email"></a>

For increased security and administrative resilience, IAM principals in the management account that have the necessary IAM permissions can centrally update the root user email address (also called the primary email address) of any member account without signing in to that account. This gives administrators in the management account (or in a delegated administrator account) more control over member accounts, and it lets you keep the root user email addresses of member accounts across your organization current even when access to the original root user email address or administrative credentials has been lost.

When a management account administrator changes the root user email address centrally, the member account's root user password and MFA configuration stay as they were before the change. Note that MFA can be bypassed by a user who controls both an account's root user email address and its primary contact phone number, so treat the permission to update a member account's root user email address as equivalent to root access to that account and restrict it accordingly.

To update the root user email address of a member account, your organization must have [all features](orgs_getting-started_concepts.md#feature-set-all) mode enabled. Organizations in consolidated billing mode, and accounts that are not part of an organization, can't update root user email addresses centrally; for accounts that the API doesn't support, continue to use the Billing console to manage the root user email address.

For step-by-step instructions on how to update your member account's root user email address, see [Update the root user email for any AWS account in your organization](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user-email.html#root-user-email-orgs) in the *AWS Account Management Reference Guide*.