

End of support notice: On March 31, 2027, AWS will end support for Amazon WorkMail. After March 31, 2027, you will no longer be able to access the Amazon WorkMail console or Amazon WorkMail resources. For more information, see [Amazon WorkMail end of support](https://docs.aws.amazon.com/workmail/latest/adminguide/workmail-end-of-support.html). 

# Working with IAM Identity Center


You can enable multi-factor authentication (MFA) in Amazon WorkMail by associating your Amazon WorkMail users with IAM Identity Center. For more information, see [What is IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).

The table below describes the steps to address different scenarios.


| Scenario | Steps | 
| --- | --- | 
|  Associating Amazon WorkMail users to IAM Identity Center  | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/workmail/latest/adminguide/identity_center_overview.html)  | 
|  Existing Amazon WorkMail users  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/workmail/latest/adminguide/identity_center_overview.html)  | 
| Existing IAM Identity Center users | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/workmail/latest/adminguide/identity_center_overview.html) | 
| Connecting an external directory to IAM Identity Center | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/workmail/latest/adminguide/identity_center_overview.html) | 

After you complete these steps, the **Settings** page in the Amazon WorkMail console shows, under IAM Identity Center, the IAM Identity Center status, a link to the AWS IAM Identity Center console for managing users and groups, the MFA-enabled Amazon WorkMail web application URL, the authentication mode, and the personal access token status and timeline. For more information on managing MFA in the IAM Identity Center console, see [Multi-factor authentication for IAM Identity Center users](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-mfa.html).

**Note**  
Make sure the configuration between Amazon WorkMail and IAM Identity Center is well tested and verified. Users can lose access to their mailboxes if the configuration is incorrect or incomplete.

**Topics**
+ [Enabling IAM Identity Center in Amazon WorkMail](enabling_identity_center.md)
+ [Assigning IAM Identity Center users and groups to Amazon WorkMail application](assigning_usersandgroups.md)
+ [Associating Amazon WorkMail users with IAM Identity Center users](connecting_wmusers.md)
+ [Authentication mode](authenticate_mode.md)
+ [Configuring personal access tokens](personal_access-token.md)
+ [Disabling IAM Identity Center](disabling_sso.md)

# Enabling IAM Identity Center in Amazon WorkMail


When you enable IAM Identity Center, it acts as an authentication layer for the Amazon WorkMail users. IAM Identity Center users are managed separately from the Amazon WorkMail directory. It is recommended to use the same usernames across IAM Identity Center and Amazon WorkMail.

**Note**  
Make sure Amazon WorkMail and IAM Identity Center are set up in the same AWS Region.

**To enable IAM Identity Center, follow these steps.**

1. Open the Amazon WorkMail console at [https://console.aws.amazon.com/workmail/](https://console.aws.amazon.com/workmail/).

   If necessary, change the AWS Region. In the bar at the top of the console window, open the **Select a Region** list and choose a Region. For more information, see [Region and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*.

1. In the navigation pane, choose **Identity Center**.

   The **IAM Identity Center Settings** page appears.

1. Choose **Enable**.

   The **Enable IAM Identity Center** window appears.

1. Choose **Enable**.

   The **Identity Center Settings** page appears with the **Identity Center Status** displayed.

1. To add IAM Identity Center users and groups to your Amazon WorkMail organization, follow the link under **Identity Center status**. For information on how to add users and groups, see [Manage identities in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-sso.html).

# Assigning IAM Identity Center users and groups to Amazon WorkMail application


When you enable IAM Identity Center in Amazon WorkMail, WorkMail creates an application in IAM Identity Center on your behalf. By default, IAM Identity Center users must be assigned to this application or belong to a group which is assigned to this application in order to access a mailbox in the Amazon WorkMail organization. For more information, see [AWS managed applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/awsapps.html) in the AWS IAM Identity Center User Guide.

You can assign IAM Identity Center users and groups to Amazon WorkMail in the following ways:
+ By IAM Identity Center user – You can assign individual IAM Identity Center users to Amazon WorkMail.
+ By IAM Identity Center group – You can assign IAM Identity Center groups to Amazon WorkMail. When you add a group, all members of that group have access to Amazon WorkMail.

  For more information on adding users and groups, see [Users, groups, and provisioning in IAM Identity Center ](https://docs.aws.amazon.com/singlesignon/latest/userguide/users-groups-provisioning.html).

**Note**  
If you are connecting your existing identity source with IAM Identity Center, review the following before changing your directory source.
+ Your authentication is managed by IAM Identity Center.
+ Amazon WorkMail retains all Amazon WorkMail users and groups.
+ IAM Identity Center retains all IAM Identity Center users, groups, and assignments.
+ You must manage Amazon WorkMail users and groups in the Amazon WorkMail console.
+ You must manage IAM Identity Center users and groups in IAM Identity Center.
+ Users without an IAM Identity Center assignment or user association cannot access Amazon WorkMail.
+ You must manage MFA policy controls in IAM Identity Center.
+ When you change the IAM Identity Center identity source to or from Managed Active Directory, you must disable the existing IAM Identity Center configuration in Amazon WorkMail and reconfigure it to associate your Amazon WorkMail users with IAM Identity Center.

Users and groups synced with your IAM Identity Center directory are available to assign to your Amazon WorkMail application. For more information about IAM Identity Center user and group management, see [Get started with common tasks in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html).

**To assign IAM Identity Center users and groups to Amazon WorkMail, follow these steps.**

1. Open the Amazon WorkMail console at [https://console.aws.amazon.com/workmail/](https://console.aws.amazon.com/workmail/).

   If necessary, change the AWS Region. In the bar at the top of the console window, open the **Select a Region** list and choose a Region. For more information, see [Region and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*.

1. In the navigation pane, choose **Identity Center**.

   The **IAM Identity Center Settings** page appears.

1. Choose **Assign users and groups**.

   You can add and assign new users or assign existing users and groups.
   + Assign Users – You can assign individual IAM Identity Center users to Amazon WorkMail. You can either create a new IAM Identity Center user or search for an existing user.
   + Assign Groups – You can also assign an IAM Identity Center group to Amazon WorkMail. All members of the group are then assigned to Amazon WorkMail.

**Note**  
All new IAM Identity Center users are enabled by default in IAM Identity Center. To grant access to Amazon WorkMail, you must set their password in IAM Identity Center and assign them to Amazon WorkMail. For more information, see [Add users to your Identity Center directory ](https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html?icmpid=docs_sso_console).

# Associating Amazon WorkMail users with IAM Identity Center users


When a user signs in to the Amazon WorkMail web client with their IAM Identity Center user credentials, the client will open the mailbox of the associated Amazon WorkMail user. If no user in the WorkMail organization is associated with the IAM Identity Center user, WorkMail will create an association between the IAM Identity Center user signing in and the WorkMail user having the same username, if such a WorkMail user exists. Otherwise, the client will display an error message to the user.

**Note**  
We recommend using the same username for a user across Amazon WorkMail and IAM Identity Center, because WorkMail then creates the association automatically when the user first signs in to the Amazon WorkMail web client with their IAM Identity Center user credentials. When the usernames differ, you are responsible for creating the association.

**To associate users, follow these steps.**

1. Open the Amazon WorkMail console at [https://console.aws.amazon.com/workmail/](https://console.aws.amazon.com/workmail/).

   If necessary, change the AWS Region. In the bar at the top of the console window, open the **Select a Region** list and choose a Region. For more information, see [Region and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*.

1. In the navigation pane, choose **Identity Center**.

   The **IAM Identity Center Settings** page appears.

1. Choose **Associate users**.

1. Under **Select a WorkMail user**, select the Amazon WorkMail user you wish to associate.

1. Under **Enter the IAM Identity Center user ID**, enter the ID of the IAM Identity Center user you wish to associate. You may copy the ID from the **Assigned users** tab on the **Identity Center** page.

   **Note**  
   The IAM Identity Center user must be authorized to access the Amazon WorkMail application.

1. Choose **Associate users**.

   Once the association is successful, the Amazon WorkMail user can log in to Amazon WorkMail using their IAM Identity Center credentials, with MFA enforced by IAM Identity Center.

**Note**  
You can also associate Amazon WorkMail users with IAM Identity Center users when you edit the Amazon WorkMail user details. For more information, see [Editing user details](edit_user.md).

# Authentication mode


Authentication mode controls whether users can log in with either their Amazon WorkMail directory credentials or their IAM Identity Center credentials, or only with their IAM Identity Center credentials.

There are two authentication modes available in Amazon WorkMail.
+ **Amazon WorkMail Directory and IAM Identity Center (recommended for testing)** – This is the default option, intended for testing the IAM Identity Center associations before switching to production mode. Test mode allows users to log in to the Amazon WorkMail web client using either Amazon WorkMail directory or IAM Identity Center credentials. When you share the Amazon WorkMail web application URL from the *Organization* settings, your users can log in using their Amazon WorkMail directory credentials. When you share the MFA-enabled URL from the IAM Identity Center settings, your users can log in using their IAM Identity Center credentials.
+ **IAM Identity Center only (recommended for production)** – This authentication mode only allows users to log in to their Amazon WorkMail mailbox using IAM Identity Center credentials. For existing Amazon WorkMail users, the Amazon WorkMail directory credentials are no longer valid, for both the Amazon WorkMail web application and any existing email clients. Users can request a personal access token to access the mailbox from email clients. To avoid losing access to mailboxes, make sure MFA is enabled for all Amazon WorkMail users.

**Note**  
The choice of authentication mode depends on your organization's security requirements and user experience preferences. We recommend *IAM Identity Center only* mode because it enforces IAM Identity Center credentials and MFA. However, before switching from *Amazon WorkMail Directory and IAM Identity Center* mode, test the MFA process with all your users to ensure a smooth transition and avoid any impact on existing email client access.

**To enable authentication mode, follow these steps.**

1. Under the **Identity Center Settings** page, choose the **Authentication Mode** tab.

1. Choose **Edit**.

   The **Edit authentication mode** page appears.

1. Select one of the following:
   + *IAM Identity Center only* 
   + *Amazon WorkMail Directory and IAM Identity Center* 

1. Choose **Save**.

# Configuring personal access tokens


You can enable personal access tokens so that Amazon WorkMail users can access their mailboxes from desktop and mobile email clients. After IAM Identity Center is enabled, the personal access token status is set to active by default and tokens are valid for 365 days. After enabling IAM Identity Center, your users' existing credentials are no longer valid for logging in to their email clients. Users generate a personal access token from the Amazon WorkMail web application and use it to log in to any email client. You can edit the personal access token expiration; when a token expires, the user can generate a new one.

**Note**  
Users can view and copy a personal access token only once, when they create it in Amazon WorkMail. If a personal access token is lost, the user must generate a new one for security reasons.  
Amazon WorkMail only allows personal access tokens for mailbox access when the Amazon WorkMail user is associated with an IAM Identity Center user who is authorized to access the Amazon WorkMail application.

The personal access token configuration options are listed below:
+ Active – When the personal access token status is set to *Active*, your users can generate personal access tokens from Amazon WorkMail and use them to log in to any email client within the token's lifetime.
+ Inactive – When the personal access token status is set to *Inactive*, your users cannot generate or use personal access tokens to access mailboxes.
+ Token lifetime – By default, a personal access token is valid for 365 days. You can change the personal access token lifetime. When you leave the lifetime setting blank, tokens have an indefinite lifetime and never expire.

**To configure personal access tokens, follow these steps.**

1. Under the **Identity Center Settings** page, choose the **Personal access token configuration** tab.

1. Choose **Edit**.

   The **Edit personal token configuration** page appears.

1. Under **Token status**, slide the **Active** button to enable personal access token.

1. In the **Token lifetime (in days)** text box, enter the number of days a personal access token remains valid.

1. Choose **Save**.
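The authentication mode, personal access token settings, and user associations described above decide which users keep mailbox access once you move to *IAM Identity Center only* mode. The following added example (not part of the AWS documentation) audits a constructed WorkMail organization for the risks this page calls out: test mode still accepting directory credentials, tokens that never expire because the lifetime was left blank, and WorkMail users whom no assigned IAM Identity Center sign-in would reach, following the page's association rules. The mode constants and the dataclass field names are assumptions, not values from the WorkMail console or API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed identifiers for the two authentication modes on this page; the
# literal strings are constructed, not taken from the WorkMail console or API.
IDP_ONLY = "IDENTITY_PROVIDER_ONLY"
IDP_AND_DIRECTORY = "IDENTITY_PROVIDER_AND_DIRECTORY"


@dataclass
class IdcConfig:
    authentication_mode: str
    pat_status: str                   # "ACTIVE" or "INACTIVE"
    pat_lifetime_days: Optional[int]  # None = lifetime left blank (never expires)


@dataclass
class WorkMailUser:
    name: str
    identity_center_user_id: Optional[str] = None  # existing association, if any


def resolve_mailbox(idc_id: str, idc_name: str, users: List[WorkMailUser],
                    assigned: Set[str]) -> Optional[str]:
    """Mailbox an Identity Center sign-in opens, per the page's rules: an
    existing association wins; otherwise WorkMail auto-associates the same-named
    WorkMail user (assumption: only if that user is not yet associated);
    users not assigned to the WorkMail application get no mailbox."""
    if idc_id not in assigned:
        return None
    for u in users:
        if u.identity_center_user_id == idc_id:
            return u.name
    for u in users:
        if u.name == idc_name and u.identity_center_user_id is None:
            return u.name
    return None


def audit(cfg: IdcConfig, users: List[WorkMailUser],
          idc_users: Dict[str, Tuple[str, bool]]) -> List[str]:
    """idc_users maps Identity Center user id -> (username, assigned to app)."""
    findings = []
    if cfg.authentication_mode != IDP_ONLY:
        findings.append("auth mode still accepts WorkMail directory credentials")
    if cfg.pat_status == "ACTIVE" and cfg.pat_lifetime_days is None:
        findings.append("personal access tokens never expire (lifetime blank)")
    assigned = {i for i, (_, ok) in idc_users.items() if ok}
    reachable = {resolve_mailbox(i, n, users, assigned) for i, (n, _) in idc_users.items()}
    for u in users:
        if u.name not in reachable:
            findings.append(f"{u.name}: no Identity Center sign-in reaches this "
                            "mailbox; loses access in IAM Identity Center only mode")
    return findings


# Constructed sample: an org still in test mode with an indefinite token lifetime.
SAMPLE_CFG = IdcConfig(IDP_AND_DIRECTORY, "ACTIVE", None)
SAMPLE_USERS = [WorkMailUser("alice", "idc-1"), WorkMailUser("bob"),
                WorkMailUser("carol"), WorkMailUser("dave")]
SAMPLE_IDC = {"idc-1": ("alice", True), "idc-2": ("bob", True), "idc-3": ("carol", False)}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG, SAMPLE_USERS, SAMPLE_IDC):
        print(finding)
```

In the sample, `carol` is flagged because her Identity Center user is not assigned to the WorkMail application, and `dave` because no Identity Center user exists for him at all; both would lose their mailbox when the mode switches.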

# Disabling IAM Identity Center


You can disable IAM Identity Center from the Amazon WorkMail console. Once it is disabled, mailboxes can no longer be accessed with IAM Identity Center credentials or personal access tokens. We recommend resetting all user passwords; Amazon WorkMail users then revert to using their Amazon WorkMail directory credentials.

**Note**  
Check the following:
+ After disabling IAM Identity Center, your Amazon WorkMail and IAM Identity Center users and groups remain unchanged.
+ The existing user associations continue to exist.
+ Your authentication reverts to being managed by the Amazon WorkMail directory instead of IAM Identity Center.

**To disable IAM Identity Center, follow these steps.**

1. Under the **Identity Center Settings** page, choose **Disable**.

   The **Disable IAM Identity Center** page appears.

1. Choose **Confirm**.