

# Create a directory for WorkSpaces Personal
<a name="launch-workspaces-tutorials"></a>

WorkSpaces Personal allows you to use directories managed through Directory Service to store and manage information for your WorkSpaces and users. Use the following options to create a WorkSpaces Personal directory:
+ Create a Simple AD directory.
+ Create an AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD.
+ Connect to an existing Microsoft Active Directory by using Active Directory Connector.
+ Create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain.
+ Create a dedicated Microsoft Entra ID WorkSpaces directory.
+ Create a dedicated Custom WorkSpaces directory.

**Note**  
Shared directories are not currently supported for use with Amazon WorkSpaces.
If you configure your AWS Managed Microsoft AD directory for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces. Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.
Simple AD and AD Connector are made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD or AD Connector directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the [AWS Directory Service pricing terms](https://aws.amazon.com/directoryservice/pricing/).

## Before you create a directory
<a name="prereqs-tutorials"></a>
+ WorkSpaces is not available in every Region. Verify the supported Regions and select a Region for your WorkSpaces. For more information about the supported Regions, see [WorkSpaces Pricing by AWS Region](https://aws.amazon.com/workspaces/pricing/).
+ Create a virtual private cloud with at least two private subnets. For more information, see [Configure a VPC for WorkSpaces Personal](amazon-workspaces-vpc.md). The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or Direct Connect. For more information, see [AD Connector Prerequisites](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html) in the *AWS Directory Service Administration Guide*.
+ Provide access to the internet from the WorkSpace. For more information, see [Provide internet access for WorkSpaces Personal](amazon-workspaces-internet-access.md).

For information about how to delete an empty directory, see [Delete a directory for WorkSpaces Personal](delete-workspaces-directory.md). If you delete your Simple AD or AD Connector directory, you can always create a new one when you want to start using WorkSpaces again.

**Topics**
+ [Before you create a directory](#prereqs-tutorials)
+ [Identify the computer name for your WorkSpaces Personal directory](wsp-directory-identify-computer.md)
+ [Create an AWS Managed Microsoft AD directory for WorkSpaces Personal](launch-workspace-microsoft-ad.md)
+ [Create a Simple AD directory for WorkSpaces Personal](launch-workspace-simple-ad.md)
+ [Create an AD Connector for WorkSpaces Personal](launch-workspace-ad-connector.md)
+ [Create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain for WorkSpaces Personal](launch-workspace-trusted-domain.md)
+ [Create a dedicated Microsoft Entra ID directory with WorkSpaces Personal](launch-entra-id.md)
+ [Create a dedicated Custom directory with WorkSpaces Personal](launch-custom.md)

# Identify the computer name for your WorkSpaces Personal directory
<a name="wsp-directory-identify-computer"></a>

The **Computer Name** value shown for a WorkSpace in the Amazon WorkSpaces console varies, depending on which type of WorkSpace you've launched (Amazon Linux, Ubuntu, or Windows). The computer name for a WorkSpace can be in one of these formats: 
+ **Amazon Linux**: A-*xxxxxxxxxxxxx*
+ **Red Hat Enterprise Linux**: R-*xxxxxxxxxxxxx*
+ **Rocky Linux**: R-*xxxxxxxxxxxxx*
+ **Ubuntu**: U-*xxxxxxxxxxxxx*
+ **Windows**: IP-C*xxxxxx* or WSAMZN-*xxxxxxx* or EC2AMAZ-*xxxxxxx*

For Windows WorkSpaces, the computer name format is determined by the bundle type, and in the case of WorkSpaces created from public bundles or from custom bundles based on public images, by when the public images were created.

Starting June 22, 2020, Windows WorkSpaces launched from public bundles have the WSAMZN-*xxxxxxx* format for their computer names instead of the IP-C*xxxxxx* format.

For custom bundles based on a public image, if the public image was created before June 22, 2020, the computer names are in the EC2AMAZ-*xxxxxxx* format. If the public image was created on or after June 22, 2020, the computer names are in the WSAMZN-*xxxxxxx* format. 

For Bring Your Own License (BYOL) bundles, either the DESKTOP-*xxxxxxx* or the EC2AMAZ-*xxxxxxx* format is used for the computer names by default.

If you've specified a custom format for the computer names in your custom or BYOL bundles, your custom format overrides these defaults. To specify a custom format, see [Create a custom WorkSpaces image and bundle for WorkSpaces Personal](create-custom-bundle.md).

**Important**  
After a WorkSpace is created, you can safely change its computer name. For example, you can execute a PowerShell script with the command `Rename-Computer` on your WorkSpace or remotely. The updated computer name value will then be shown for a WorkSpace in the Amazon WorkSpaces console.

# Create an AWS Managed Microsoft AD directory for WorkSpaces Personal
<a name="launch-workspace-microsoft-ad"></a>

In this tutorial, we create an AWS Managed Microsoft AD directory. For tutorials that use the other options, see [Create a directory for WorkSpaces Personal](launch-workspaces-tutorials.md).

First, create an AWS Managed Microsoft AD directory. Directory Service creates two directory servers, one in each of the private subnets of your VPC. Note that there are no users in the directory initially. You will add a user in the next step when you launch the WorkSpace.

**Note**  
Shared directories are not currently supported for use with Amazon WorkSpaces.
If your AWS Managed Microsoft AD directory has been configured for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces. Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

**To create an AWS Managed Microsoft AD directory**

1. Open the WorkSpaces console at [https://console.aws.amazon.com/workspaces/v2/home](https://console.aws.amazon.com/workspaces/v2/home).

1. In the navigation pane, choose **Directories**.

1. Choose **Create directory**.

1. On the **Create directory** page, for **WorkSpaces type** choose **Personal**. Then, for **WorkSpace device management** choose **AWS Directory Service**.

1. Choose **Create directory**, which opens the **Set up a directory** page in the AWS Directory Service console.

1. Choose **AWS Managed Microsoft AD**, and then **Next**.

1. Configure the directory as follows:

   1. For **Organization name**, enter a unique organization name for your directory (for example, my-demo-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and begin or end with a character other than a hyphen.

   1. For **Directory DNS**, enter the fully-qualified name for the directory (for example, workspaces.demo.com).
**Important**  
If you need to update your DNS server after launching your WorkSpaces, follow the procedure in [Update DNS servers for WorkSpaces Personal](update-dns-server.md) to ensure that your WorkSpaces get properly updated.

   1. For **NetBIOS name**, enter a short name for the directory (for example, workspaces).

   1. For **Admin password** and **Confirm password**, enter a password for the directory administrator account. For more information about the password requirements, see [Create Your AWS Managed Microsoft AD Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_managed_ad.html) in the *AWS Directory Service Administration Guide*.

   1. (Optional) For **Description**, enter a description for the directory.

   1. For **VPC**, select the VPC that you created.

   1. For **Subnets**, select the two private subnets (with the CIDR blocks `10.0.1.0/24` and `10.0.2.0/24`).

   1. Choose **Next Step**.

1. Choose **Create directory**.

1. You will be brought back to the **Create directory** page on the WorkSpaces console. The initial status of the directory is `Requested` and then `Creating`. When directory creation is complete (this might take a few minutes), the status is `Active`.

After you've created an AWS Managed Microsoft AD directory, you can register it with Amazon WorkSpaces. For more information, see [Register an existing Directory Service directory with WorkSpaces Personal](register-deregister-directory.md).

# Create a Simple AD directory for WorkSpaces Personal
<a name="launch-workspace-simple-ad"></a>

In this tutorial, we launch a WorkSpace that uses Simple AD. For tutorials that use the other options, see [Create a directory for WorkSpaces Personal](launch-workspaces-tutorials.md).

**Note**  
Simple AD is not available in every AWS Region. Verify the supported Regions and [select a Region](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html#select-region) for your Simple AD directory. For more information about the supported Regions for Simple AD, see [Region Availability for AWS Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/regions.html).
Simple AD is made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the [AWS Directory Service pricing terms](https://aws.amazon.com/directoryservice/pricing/).
[Simple AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_getting_started.html) currently supports only IPv4 addressing, meaning that when creating a directory, the associated VPC will be configured with an IPv4 CIDR block and does not support IPv6 networks.

When you create a Simple AD directory, Directory Service creates two directory servers, one in each of the private subnets of your VPC. There are no users in the directory initially. Add a user after you create the WorkSpace. For more information, see [Create a WorkSpace in WorkSpaces Personal](create-workspaces-personal.md).

**To create a Simple AD directory**

1. Open the WorkSpaces console at [https://console.aws.amazon.com/workspaces/v2/home](https://console.aws.amazon.com/workspaces/v2/home).

1. In the navigation pane, choose **Directories**.

1. Choose **Create directory**.

1. On the **Create directory** page, for **WorkSpaces type** choose **Personal**. Then, for **WorkSpace device management** choose **AWS Directory Service**.

1. Choose **Create directory**, which opens the **Set up a directory** page in the AWS Directory Service console.

1. Choose **Simple AD**, and then **Next**.

1. Configure the directory as follows:

   1. For **Organization name**, enter a unique organization name for your directory (for example, my-example-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and begin or end with a character other than a hyphen.

   1. For **Directory DNS name**, enter the fully-qualified name for the directory (for example, example.com).
**Important**  
If you need to update your DNS server after launching your WorkSpaces, follow the procedure in [Update DNS servers for WorkSpaces Personal](update-dns-server.md) to ensure that your WorkSpaces get properly updated.

   1. For **NetBIOS name**, enter a short name for the directory (for example, example).

   1. For **Admin password** and **Confirm password**, enter a password for the directory administrator account. For more information about the password requirements, see [How to Create a Microsoft AD Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_managed_ad.html) in the *AWS Directory Service Administration Guide*.

   1. (Optional) For **Description**, enter a description for the directory.

   1. For **Directory size**, choose **Small**.

   1. For **VPC**, select the VPC that you created.

   1. For **Subnets**, select the two private subnets (with the CIDR blocks `10.0.1.0/24` and `10.0.2.0/24`).

   1. Choose **Next**.

1. Choose **Create directory**.

1. You will be brought back to the **Create directory** page on the WorkSpaces console. The initial status of the directory is `Requested` and then `Creating`. When directory creation is complete (this might take a few minutes), the status is `Active`.

**What happens during directory creation**

WorkSpaces completes the following tasks on your behalf:
+ Creates an IAM role to allow the WorkSpaces service to create elastic network interfaces and list your WorkSpaces directories. This role has the name `workspaces_DefaultRole`.
+ Sets up a Simple AD directory in the VPC that is used to store user and WorkSpace information. The directory has an administrator account with the user name Administrator and the specified password.
+ Creates two security groups, one for directory controllers and another for WorkSpaces in the directory.

After you've created a Simple AD directory, you can register it with Amazon WorkSpaces. For more information, see [Register an existing Directory Service directory with WorkSpaces Personal](register-deregister-directory.md).

# Create an AD Connector for WorkSpaces Personal
<a name="launch-workspace-ad-connector"></a>

In this tutorial, we create an AD Connector. For tutorials that use the other options, see [Create a directory for WorkSpaces Personal](launch-workspaces-tutorials.md).

## Create an AD Connector
<a name="create-ad-connector"></a>

**Note**  
AD Connector is made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your AD Connector directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the [AWS Directory Service pricing terms](https://aws.amazon.com/directoryservice/pricing/).  
To delete empty directories, see [Delete a directory for WorkSpaces Personal](delete-workspaces-directory.md). If you delete your AD Connector directory, you can always create a new one when you want to start using WorkSpaces again.

**To create an AD Connector**

1. Open the WorkSpaces console at [https://console.aws.amazon.com/workspaces/v2/home](https://console.aws.amazon.com/workspaces/v2/home).

1. In the navigation pane, choose **Directories**.

1. Choose **Create directory**.

1. On the **Create directory** page, for **WorkSpaces type** choose **Personal**. Then, for **WorkSpace device management** choose **AWS Directory Service**.

1. Choose **Create directory**, which opens the **Set up a directory** page in the AWS Directory Service console.

1. Choose **AWS Managed Microsoft AD**, and then **Next**.

1. For **Organization name**, enter a unique organization name for your directory (for example, my-example-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and begin or end with a character other than a hyphen.

1. For **Connected directory DNS**, enter the fully-qualified name of your on-premises directory (for example, example.com).

1. For **Connected directory NetBIOS name**, enter the short name of your on-premises directory (for example, example).

1. For **Connector account username**, enter the user name of a user in your on-premises directory. The user must have permissions to read users and groups, create computer objects, and join computers to the domain.

1. For **Connector account password** and **Confirm password**, enter the password for the on-premises user.

1. For **DNS address**, enter the IP address of at least one DNS server in your on-premises directory.
**Important**  
If you need to update your DNS server IP address after launching your WorkSpaces, follow the procedure in [Update DNS servers for WorkSpaces Personal](update-dns-server.md) to ensure that your WorkSpaces get properly updated.

1. (Optional) For **Description**, enter a description for the directory.

1. Keep **Size** as **Small**.

1. For **VPC**, select your VPC.

1. For **Subnets**, select your subnets. The DNS servers that you specified must be accessible from each subnet.

1. Choose **Create directory**.

1. You will be brought back to the **Create directory** page on the WorkSpaces console. The initial status of the directory is `Requested` and then `Creating`. When directory creation is complete (this might take a few minutes), the status is `Active`.

# Create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain for WorkSpaces Personal
<a name="launch-workspace-trusted-domain"></a>

In this tutorial, we create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain. For tutorials that use the other options, see [Create a directory for WorkSpaces Personal](launch-workspaces-tutorials.md).

**Note**  
Launching WorkSpaces with AWS accounts in a separate trusted domain works with AWS Managed Microsoft AD when it is configured with a trust relationship to your on-premises directory. However, WorkSpaces using Simple AD or AD Connector cannot launch WorkSpaces for users from a trusted domain.

**To set up the trust relationship**

1. Set up AWS Managed Microsoft AD in your virtual private cloud (VPC). For more information, see [Create Your AWS Managed Microsoft AD directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_managed_ad.html) in the *AWS Directory Service Administration Guide*.
**Note**  
Shared directories are not currently supported for use with Amazon WorkSpaces.
If your AWS Managed Microsoft AD directory has been configured for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces. Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

1. Create a trust relationship between your AWS Managed Microsoft AD and your on-premises domain. Ensure that the trust is configured as a two-way trust. For more information, see [Tutorial: Create a Trust Relationship Between Your AWS Managed Microsoft AD and Your On-Premises Domain](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorial_setup_trust.html) in the *AWS Directory Service Administration Guide*.

A one-way or two-way trust can be used to manage and authenticate with WorkSpaces, and so that WorkSpaces can be provisioned to on-premises users and groups. For more information, see [Deploy Amazon WorkSpaces using a One-Way Trust Resource Domain with AWS Directory Service](https://aws.amazon.com/getting-started/hands-on/deploy-workspaces-one-way-trust/).

**Note**  
Red Hat Enterprise Linux, Rocky Linux, and Ubuntu WorkSpaces use System Security Services Daemon (SSSD) for Active Directory integration, and SSSD does not support forest trust. Configure external trust instead. Two-way trust is recommended for Amazon Linux, Ubuntu, Rocky Linux, and Red Hat Enterprise Linux WorkSpaces.
You cannot use a web browser (Web Access) to connect to Linux WorkSpaces.

# Create a dedicated Microsoft Entra ID directory with WorkSpaces Personal
<a name="launch-entra-id"></a>

In this tutorial, we create Bring Your Own License (BYOL) Windows 10 and 11 personal WorkSpaces that are Microsoft Entra ID joined and enrolled to Microsoft Intune. Before creating such WorkSpaces, you need to first create a dedicated WorkSpaces Personal directory for Entra ID-joined WorkSpaces.

**Note**  
Microsoft Entra joined personal WorkSpaces are available in all AWS regions where Amazon WorkSpaces is offered except for Africa (Cape Town), Israel (Tel Aviv), and China (Ningxia).

**Contents**
+ [Overview](#entra-overview)
+ [Requirements and limitations](#entra-requirements-limitation)
+ [Step 1: Enable IAM Identity Center and synchronize with Microsoft Entra ID](#entra-step-1)
+ [Step 2: Register a Microsoft Entra ID application to grant permissions for Windows Autopilot](#entra-step-2)
+ [Step 3: Configure Windows Autopilot user-driven mode](#entra-step-3)
+ [Step 4: Create an AWS Secrets Manager secret](#entra-step-4)
+ [Step 5: Create a dedicated Microsoft Entra ID WorkSpaces directory](#entra-step-5)
+ [Configure the IAM Identity Center application for a WorkSpaces directory (optional)](#configure-iam-directory)
+ [Create a cross-Region IAM Identity Center integration (optional)](#create-cross-region-iam-identity-integration)

## Overview
<a name="entra-overview"></a>

A Microsoft Entra ID personal WorkSpaces directory contains all the information needed to launch Microsoft Entra ID-joined WorkSpaces that are assigned to your users managed with Microsoft Entra ID. User information is made available to WorkSpaces through AWS IAM Identity Center, which acts as an identity broker to bring your workforce identity from Entra ID to AWS. Microsoft Windows Autopilot user-driven mode is used to accomplish WorkSpaces Intune enrollment and Entra join. The following diagram illustrates the Autopilot process.

![Diagram showing WorkSpaces client, service, and agent interacting with AWS and Azure components for authentication and device management.](http://docs.aws.amazon.com/workspaces/latest/adminguide/images/autopilot.jpg)

## Requirements and limitations
<a name="entra-requirements-limitation"></a>
+ Microsoft Entra ID P1 plan or higher.
+ Microsoft Entra ID and Intune are enabled and have the following role assignments:
+ Intune administrator - Required for managing Autopilot deployment profiles.
+ Global administrator - Required for granting admin consent for the API permissions assigned to the application created in [step 3](https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-workspaces-tutorials.html#entra-step-3). The application can be created without this permission. However, a Global Administrator would need to provide admin consent on the application permissions.
+ Assign Windows 10/11 VDA E3 or E5 user subscription licenses to your WorkSpaces users.
+ Entra ID directories only support Windows 10 or 11 Bring Your Own License personal WorkSpaces. The following are supported versions.
  + Windows 10 Version 21H2 (December 2021 Update)
  + Windows 10 Version 22H2 (November 2022 Update)
  + Windows 11 Enterprise 23H2 (October 2023 release)
  + Windows 11 Enterprise 22H2 (October 2022 release)
  + Windows 11 Enterprise 24H2 (October 2024 release)
  + Windows 11 Enterprise 25H2 (September 2025 release)
+ Bring Your Own License (BYOL) is enabled for your AWS account and you have a valid Windows 10 or 11 BYOL image imported in your account. For more information, see [Bring Your Own Windows desktop licenses in WorkSpaces](byol-windows-images.md).
+ Microsoft Entra ID directories only support Windows 10 or 11 BYOL personal WorkSpaces.
+ Microsoft Entra ID directories support only DCV protocol.
+ If you are using a firewall for your WorkSpaces, make sure it does not block the outbound traffic to the endpoints for Microsoft Intune and Windows Autopilot. Please review [Network endpoints for Microsoft Intune - Microsoft Intune](https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/intune-endpoints?tabs=north-america) and [Windows Autopilot requirements](https://learn.microsoft.com/en-us/autopilot/requirements?tabs=networking) for details.
+ Microsoft Entra ID directories do not support Microsoft Entra ID tenants in Government Community Cloud High (GCCH) and Department of Defense (DoD) environments.

## Step 1: Enable IAM Identity Center and synchronize with Microsoft Entra ID
<a name="entra-step-1"></a>

To create Microsoft Entra ID-joined personal WorkSpaces and assign them to your Entra ID users, you have to make the user information available to AWS through IAM Identity Center. IAM Identity Center is the recommended AWS service for managing user access to AWS resources. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html). This is a one-time setup.

If you don’t have an existing IAM Identity Center instance to integrate with your WorkSpaces, we recommend that you create one in the same Region as your WorkSpaces. If you have an existing AWS Identity Center instance in a different Region, you can set up cross-Region integration. For more information about cross-Region setup, see [Create a cross-Region IAM Identity Center integration (optional)](#create-cross-region-iam-identity-integration). 

**Note**  
Cross-region integration between WorkSpaces and IAM Identity Center is not supported in AWS GovCloud (US) Region.

1. Enable IAM Identity Center with your AWS Organizations, especially if you are using a multi-account environment. You can also create an account instance of IAM Identity Center. To learn more, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html). Each WorkSpaces directory can be associated with one IAM Identity Center instance, organization or account.

   If you are using an organization instance and trying to create a WorkSpaces directory in one of the member accounts, make sure you have the following IAM Identity Center permissions.
   + `"sso:DescribeInstance"`
   + `"sso:CreateApplication"`
   + `"sso:PutApplicationGrant"`
   + `"sso:PutApplicationAuthenticationMethod"`
   + `"sso:DeleteApplication"`
   + `"sso:DescribeApplication"`
   + `"sso:GetApplicationGrant"`

   For more information, see [Overview of managing access permissions to your IAM Identity Center resources](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-overview.html). Also, ensure that no Service Control Policies (SCPs) are blocking these permissions. To learn more about SCPs, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html).

1. Configure IAM Identity Center and Microsoft Entra ID to automatically synchronize selected or all users from your Entra ID tenant to your IAM Identity Center instance. For more information, see [Configure SAML and SCIM with Microsoft Entra ID and IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/idp-microsoft-entra.html) and [Tutorial: Configure AWS IAM Identity Center for automatic user provisioning](https://learn.microsoft.com/en-us/entra/identity/saas-apps/aws-single-sign-on-provisioning-tutorial).

1. Verify that the users you configured on Microsoft Entra ID are synchronized correctly to your AWS IAM Identity Center instance. If you see an error message in Microsoft Entra ID, it indicates that the user in Entra ID is configured in a way that IAM Identity Center doesn't support. The error message will identify this issue. For example, if the user object in Entra ID lacks a first name, a last name, and/or a display name, you'll receive an error message similar to `"2 validation errors detected: Value at 'name.givenName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+; Value at 'name.givenName' failed to satisfy constraint: Member must have length greater than or equal to 1"`. For more information, see [Specific users fail to synchronize into IAM Identity Center from an external SCIM provider](https://docs.aws.amazon.com/singlesignon/latest/userguide/troubleshooting.html#issue2).
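Step 1 above lists the IAM Identity Center actions a member account needs and warns that an SCP can block them. The following Python is an added example, not AWS's code, that evaluates that action list against a constructed identity policy and constructed SCPs using simplified IAM semantics: action names are matched case-insensitively, `*` and `?` are wildcards, an explicit Deny anywhere wins, and when SCPs are present an action must be allowed by both an SCP and the identity policy. Resource and Condition elements are ignored, and the sample policies are constructed for illustration; the IAM policy simulator remains the authoritative check.

```python
"""Added example (not AWS's code): check whether the IAM Identity Center
actions listed in Step 1 are allowed by an identity policy and a set of SCPs.

Simplified IAM semantics used here (Resource and Condition are ignored):
  * action names match case-insensitively, with '*' and '?' as wildcards,
  * an explicit Deny in any policy wins,
  * when SCPs are supplied, an action must be allowed by both an SCP and
    the identity policy.
"""
import fnmatch

# The actions the tutorial lists for a member account of an organization instance.
REQUIRED_ACTIONS = [
    "sso:DescribeInstance",
    "sso:CreateApplication",
    "sso:PutApplicationGrant",
    "sso:PutApplicationAuthenticationMethod",
    "sso:DeleteApplication",
    "sso:DescribeApplication",
    "sso:GetApplicationGrant",
]


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and NotAction."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Case-insensitive IAM action match with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _effects_for(policy, action):
    """Yield the Effect of every statement in the policy that covers the action."""
    for statement in _as_list(policy["Statement"]):
        if "Action" in statement:
            covered = any(_action_matches(p, action) for p in _as_list(statement["Action"]))
        else:  # NotAction: the statement applies to every action NOT listed
            covered = not any(_action_matches(p, action)
                              for p in _as_list(statement.get("NotAction", [])))
        if covered:
            yield statement["Effect"]


def is_allowed(action, identity_policy, scps=()):
    """Return True if the action is allowed under the simplified semantics above."""
    identity_effects = list(_effects_for(identity_policy, action))
    scp_effects = [e for scp in scps for e in _effects_for(scp, action)]
    if "Deny" in identity_effects or "Deny" in scp_effects:
        return False
    if scps and "Allow" not in scp_effects:
        return False  # SCPs set the ceiling: no Allow from any SCP means denied
    return "Allow" in identity_effects


def missing_actions(identity_policy, scps=()):
    """List the required actions that the policies do not allow."""
    return [a for a in REQUIRED_ACTIONS if not is_allowed(a, identity_policy, scps)]


# Constructed sample policies (not from the page). Note the lowercase action
# name in the identity policy and the SCP that denies application deletion.
SAMPLE_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sso:Describe*", "sso:CreateApplication", "sso:PutApplication*",
                    "sso:DeleteApplication", "sso:getapplicationgrant"],
         "Resource": "*"},
    ],
}
SAMPLE_SCPS = [
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Deny", "Action": "sso:DeleteApplication", "Resource": "*"}]},
]

if __name__ == "__main__":
    print("Missing without SCPs:", missing_actions(SAMPLE_IDENTITY_POLICY))
    print("Missing with SCPs:   ", missing_actions(SAMPLE_IDENTITY_POLICY, SAMPLE_SCPS))
```

With the sample policies, every required action is allowed until the SCPs are applied, at which point `sso:DeleteApplication` is reported missing because of the explicit Deny; that is the situation the "ensure that no SCPs are blocking these permissions" sentence warns about.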

**Note**  
WorkSpaces uses the Entra ID UserPrincipalName (UPN) attribute to identify individual users, and it has the following limitations:
UPNs cannot exceed 63 characters in length.
If you change the UPN after assigning a WorkSpace to a user, the user won't be able to connect to their WorkSpace unless you change the UPN back to what it was before.
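Step 3 quotes the validation error IAM Identity Center returns when a synchronized user has no first name, and the note above adds a 63-character limit on the UPN. The following Python is an added example, not AWS's code, that applies those two constraints to user objects in SCIM form before provisioning, so that problem accounts can be fixed in Entra ID ahead of the sync. It assumes that the same character pattern applies to `name.familyName` and `displayName` as to `name.givenName`, and that the UPN is carried in the SCIM `userName` attribute; the sample users are constructed.

```python
r"""Added example (not AWS's code): pre-flight check of Entra ID user objects,
in SCIM form, before SCIM provisioning into IAM Identity Center.

It applies the constraint quoted in step 3 (a name must be non-empty and
consist only of \p{L}\p{M}\p{S}\p{N}\p{P}, tab, newline, CR or space) and the
UPN limit from the note (at most 63 characters). Assumptions: the same
character constraint applies to name.familyName and displayName as to
name.givenName, and the UPN is carried in the SCIM userName attribute.
"""
import unicodedata

# Unicode general-category prefixes corresponding to \p{L}\p{M}\p{S}\p{N}\p{P}
ALLOWED_CATEGORY_PREFIXES = ("L", "M", "S", "N", "P")
# The quoted pattern also lists these whitespace/control characters explicitly
ALLOWED_WHITESPACE = {"\t", "\n", "\r", " "}
UPN_MAX_LEN = 63


def name_is_valid(value):
    """True if value satisfies the regex and length constraints quoted on the page."""
    if not value:  # "Member must have length greater than or equal to 1"
        return False
    return all(
        ch in ALLOWED_WHITESPACE or unicodedata.category(ch)[0] in ALLOWED_CATEGORY_PREFIXES
        for ch in value
    )


def check_user(user):
    """Return a list of problems for one SCIM user; an empty list means it should sync."""
    problems = []
    name = user.get("name") or {}
    for label, value in (
        ("name.givenName", name.get("givenName")),
        ("name.familyName", name.get("familyName")),
        ("displayName", user.get("displayName")),
    ):
        if not value:
            problems.append(f"{label}: must have length >= 1")
        elif not name_is_valid(value):
            problems.append(f"{label}: contains characters outside the allowed pattern")
    upn = user.get("userName") or ""
    if not upn:
        problems.append("userName (UPN): missing")
    elif len(upn) > UPN_MAX_LEN:
        problems.append(f"userName (UPN): {len(upn)} characters exceeds the {UPN_MAX_LEN} limit")
    return problems


def find_problem_users(users):
    """Map userName -> problems for every user that would fail to sync."""
    report = {}
    for user in users:
        problems = check_user(user)
        if problems:
            report[user.get("userName", "<no userName>")] = problems
    return report


# Constructed sample users (SCIM core schema fields only).
SAMPLE_USERS = [
    {"userName": "jane.doe@example.com",
     "name": {"givenName": "Jane", "familyName": "Doe"}, "displayName": "Jane Doe"},
    {"userName": "svc-no-first@example.com",           # missing first name
     "name": {"familyName": "Service"}, "displayName": "Service Account"},
    {"userName": "zwsp@example.com",                   # zero-width space (category Cf)
     "name": {"givenName": "Ja\u200bne", "familyName": "Roe"}, "displayName": "Jane Roe"},
    {"userName": "a" * 60 + "@example.com",            # 72-character UPN
     "name": {"givenName": "Long", "familyName": "Upn"}, "displayName": "Long Upn"},
]

if __name__ == "__main__":
    for upn, problems in find_problem_users(SAMPLE_USERS).items():
        print(upn, "->", "; ".join(problems))
```

The zero-width-space case is worth noting: the name looks populated in the portal but contains a format character (category Cf) that the quoted pattern does not accept, so the SCIM push fails with the regex error rather than the length error.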

## Step 2: Register a Microsoft Entra ID application to grant permissions for Windows Autopilot
<a name="entra-step-2"></a>

WorkSpaces Personal uses Microsoft Windows Autopilot user-driven mode to enroll WorkSpaces to Microsoft Intune and join them to Microsoft Entra ID.

To allow Amazon WorkSpaces to register WorkSpaces Personal into Autopilot, you must register a Microsoft Entra ID application that grants necessary Microsoft Graph API permissions. For more information about registering an Entra ID application, see [Quickstart: Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate).

We recommend providing the following API permissions in your Entra ID application.
+ To create a new personal WorkSpace that needs to be joined to Entra ID, the following API permission is required.
  + `DeviceManagementServiceConfig.ReadWrite.All`
+ When you terminate a personal WorkSpace or rebuild it, the following permissions are used.
**Note**  
If you don't provide these permissions, the WorkSpace will be terminated, but it will not be removed from your Intune and Entra ID tenants, and you will have to remove it from each of them separately.
  + `DeviceManagementServiceConfig.ReadWrite.All`
  + `Device.ReadWrite.All`
  + `DeviceManagementManagedDevices.ReadWrite.All`
+ These permissions require admin consent. For more information, see [Grant tenant-wide admin consent to an application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal).

Next, you must add a client secret for the Entra ID application. For more information, see [Add credentials](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate#add-credentials). Make sure you remember the client secret string as you will need it when creating the AWS Secrets Manager secret in Step 4.

## Step 3: Configure Windows Autopilot user-driven mode
<a name="entra-step-3"></a>

Ensure you are familiar with the [Step by step tutorial for Windows Autopilot user-driven Microsoft Entra join in Intune](https://learn.microsoft.com/en-us/autopilot/tutorial/user-driven/azure-ad-join-workflow).

**To configure your Microsoft Intune for Autopilot**

1. Sign in to the Microsoft Intune admin center.

1. Create a new Autopilot device group for personal WorkSpaces. For more information, see [Create device groups for Windows Autopilot](https://learn.microsoft.com/en-us/autopilot/enrollment-autopilot).

   1. Choose **Groups**, **New group**.

   1. For **Group type**, choose **Security**.

   1. For **Membership type**, choose **Dynamic Device**.

   1. Choose **Edit dynamic query** to create a dynamic membership rule. The rule should be in the following format:

      ```
      (device.devicePhysicalIds -any (_ -eq "[OrderID]:WorkSpacesDirectoryName"))
      ```
**Important**  
`WorkSpacesDirectoryName` must match the directory name of the Entra ID WorkSpaces Personal directory you create in step 5. This is because the directory name string is used as the group tag when WorkSpaces registers virtual desktops into Autopilot, and the group tag maps to the `OrderID` attribute on Microsoft Entra devices.

1. Choose **Devices**, **Windows**, **Enrollment**. For **Enrollment Options**, choose **Automatic Enrollment**. For **MDM user scope** select **All**.

1. Create an Autopilot deployment profile. For more information, see [Create an Autopilot deployment profile](https://learn.microsoft.com/en-us/autopilot/profiles#create-an-autopilot-deployment-profile).

   1. For **Windows Autopilot**, choose **Deployment profiles**, **Create profile**.

   1. In the **Windows Autopilot deployment profiles** screen, select the **Create Profile** drop down menu and then select **Windows PC**.

   1. In the **Create profile** screen, on the **Out-of-box experience (OOBE)** page, for **Deployment mode**, select **User-driven**. For **Join to Microsoft Entra ID**, select **Microsoft Entra joined**. To customize the computer names of your Entra ID-joined personal WorkSpaces, select **Yes** for **Apply device name template** and create the template to use when naming a device during enrollment.

   1. On the **Assignments** page, for **Assign to**, choose **Selected groups**. Choose **Select groups to include**, and select the Autopilot device group you created in step 2.

## Step 4: Create an AWS Secrets Manager secret
<a name="entra-step-4"></a>

You must create a secret in AWS Secrets Manager to securely store the information, including the application ID and client secret, for the Entra ID application you created in [Step 2: Register a Microsoft Entra ID application to grant permissions for Windows Autopilot](#entra-step-2). This is a one-time setup. 

**To create an AWS Secrets Manager secret**

1. Create a customer managed key on [AWS Key Management Service](https://aws.amazon.com/kms/). The key will later be used to encrypt the AWS Secrets Manager secret. Don't use the default key to encrypt your secret as the default key cannot be accessed by the WorkSpaces service. Follow the steps below to create the key.

   1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

   1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

   1. Choose **Create key**.

   1. On the **Configure key** page, for **Key type** choose **Symmetric**. For **Key usage**, choose **Encrypt and decrypt**.

   1. On the **Review** page, in the key policy editor, make sure you allow the WorkSpaces service principal `workspaces.amazonaws.com` access to the key by including the following permissions in the key policy.

      ```
      {
          "Effect": "Allow",
          "Principal": {
              "Service": [
                  "workspaces.amazonaws.com"
              ]
          },
          "Action": [
              "kms:Decrypt",
              "kms:DescribeKey"
          ],
          "Resource": "*"
      }
      ```

1. Create the secret on AWS Secrets Manager, using the AWS KMS key created in previous step.

   1. Open the Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

   1. Choose **Store a new secret**.

   1. On the **Choose secret type** page, for **Secret type**, select **Other type of secret**.

   1. For **Key/value pairs**, enter `application_id` in the key box, then copy the Entra ID application ID from [Step 2](https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-workspaces-tutorials.html#entra-step-2) and paste it into the value box.

   1. Choose **Add row**. In the key box, enter `application_password`, then copy the Entra ID application client secret from [Step 2](https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-workspaces-tutorials.html#entra-step-2) and paste it into the value box.

   1. Choose the AWS KMS key that you created in the previous step from the **Encryption key** drop-down list.

   1. Choose **Next**.

   1. On the **Configure secret** page, enter a **Secret name** and **Description**.

   1. In the **Resource permissions** section, choose **Edit permissions**.

   1. Make sure you allow the WorkSpaces service principal `workspaces.amazonaws.com` access to the secret by including the following resource policy in the resource permissions.

      ```
      {
        "Version": "2012-10-17",
        "Statement": [ {
          "Effect": "Allow",
          "Principal": {
            "Service": [ "workspaces.amazonaws.com" ]
          },
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "*"
        } ]
      }
      ```

## Step 5: Create a dedicated Microsoft Entra ID WorkSpaces directory
<a name="entra-step-5"></a>

Create a dedicated WorkSpaces directory that stores information for your Microsoft Entra ID-joined WorkSpaces and Entra ID users.

**To create an Entra ID WorkSpaces directory**

1. Open the WorkSpaces console at [https://console.aws.amazon.com/workspaces/v2/home](https://console.aws.amazon.com/workspaces/v2/home).

1. In the navigation pane, choose **Directories**.

1. On the **Create directory** page, for **WorkSpaces type** choose **Personal**. For **WorkSpace device management**, choose **Microsoft Entra ID**.

1. For **Microsoft Entra tenant ID**, enter the ID of the Microsoft Entra tenant that you want your directory's WorkSpaces to join. You won't be able to change the tenant ID after the directory is created. 

1. For **Entra ID Application ID and password**, select the AWS Secrets Manager secret that you created in [Step 4](https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-workspaces-tutorials.html#entra-step-4) from the drop down list. You won't be able to change the secret associated with the directory after the directory is created. However, you can always update the content of the secret, including the Entra ID Application ID and its password through the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

1. If your IAM Identity Center instance is in the same AWS Region as your WorkSpaces directory, for **User identity source**, select the IAM Identity Center instance that you configured in [Step 1](https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-workspaces-tutorials.html#entra-step-1) from the dropdown list. You won't be able to change the IAM Identity Center instance associated with the directory after the directory is created.

   If your IAM Identity Center instance is in a different AWS Region than your WorkSpaces directory, choose **Enable Cross-Region** and then select the Region from the dropdown list.
**Note**  
If you have an existing IAM Identity Center instance in a different Region, you must opt-in to set up a cross-Region integration. For more information about cross-Region setup, see [Create a cross-Region IAM Identity Center integration (optional)](#create-cross-region-iam-identity-integration). 

1. For **Directory name**, enter a unique name for the directory (for example, `WorkSpacesDirectoryName`).
**Important**  
The directory name should match the `OrderID` used to construct the dynamic query for the Autopilot device group that you created with Microsoft Intune in [Step 3](https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-workspaces-tutorials.html#entra-step-3). The directory name string is used as the group tag when registering personal WorkSpaces into Windows Autopilot. The group tag maps to the `OrderID` attribute on Microsoft Entra devices.

1. (Optional) For **Description**, enter a description for the directory.

1. For **VPC**, select the VPC that you used to launch your WorkSpaces. For more information, see [Configure a VPC for WorkSpaces Personal](amazon-workspaces-vpc.md).

1. For **Subnets**, select two subnets of your VPC that are not from the same Availability Zone. These subnets will be used to launch your personal WorkSpaces. For more information, see [Availability Zones for WorkSpaces Personal](azs-workspaces.md).
**Important**  
Make sure the WorkSpaces launched in the subnets have internet access, which is needed when users log in to the Windows desktops. For more information, see [Provide internet access for WorkSpaces Personal](amazon-workspaces-internet-access.md).

1. For **Configuration**, select **Enable dedicated WorkSpace**. You must enable it to create a dedicated WorkSpaces Personal directory to launch Bring Your Own License (BYOL) Windows 10 or 11 personal WorkSpaces. 
**Note**  
If you don't see the **Enable dedicated WorkSpace** option under **Configuration**, your account hasn't been enabled for BYOL. To enable BYOL for your account, see [Bring Your Own Windows desktop licenses in WorkSpaces](byol-windows-images.md).

1. (Optional) For **Tags**, specify the key-value pairs that you want to use for personal WorkSpaces in the directory.

1. Review the directory summary and choose **Create directory**. It takes several minutes for your directory to be connected. The initial status of the directory is `Creating`. When directory creation is complete, the status is `Active`. 

An IAM Identity Center application is also automatically created on your behalf once the directory is created. To find the application’s ARN go to the directory's summary page.

You can now use the directory to launch Windows 10 or 11 personal WorkSpaces that are enrolled to Microsoft Intune and joined to Microsoft Entra ID. For more information, see [Create a WorkSpace in WorkSpaces Personal](create-workspaces-personal.md). 

After you've created a WorkSpaces Personal directory, you can create a personal WorkSpace. For more information, see [Create a WorkSpace in WorkSpaces Personal](create-workspaces-personal.md).
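The following is an added example, not code from the AWS documentation or the WorkSpaces service. It performs offline pre-flight checks on the artifacts this tutorial has you build by hand: the Autopilot dynamic-group rule from Step 3 against the directory name from Step 5, and the KMS key policy, secret resource policy and secret key/value payload from Step 4. The directory name and policy documents used in the checks are constructed sample values.

```python
"""Offline pre-flight checks for an Entra ID WorkSpaces directory setup.

Added example (not AWS code). Inputs are plain JSON/strings, so this can
be run against policy documents before anything is created in the console.
"""
import json
import re

WORKSPACES_PRINCIPAL = "workspaces.amazonaws.com"
REQUIRED_KMS_ACTIONS = {"kms:Decrypt", "kms:DescribeKey"}
REQUIRED_SECRET_ACTION = "secretsmanager:GetSecretValue"
REQUIRED_SECRET_KEYS = {"application_id", "application_password"}

# Intune dynamic membership rule. The text after "[OrderID]:" is the group
# tag, which WorkSpaces sets to the directory name when registering devices.
_RULE_RE = re.compile(
    r'^\(device\.devicePhysicalIds -any \(_ -eq "\[OrderID\]:(?P<tag>[^"]+)"\)\)$'
)


def autopilot_group_rule(directory_name: str) -> str:
    """Build the dynamic query for the Autopilot device group (Step 3)."""
    return f'(device.devicePhysicalIds -any (_ -eq "[OrderID]:{directory_name}"))'


def rule_matches_directory(rule: str, directory_name: str) -> bool:
    """True if the group tag in the rule equals the directory name (Step 5)."""
    m = _RULE_RE.match(rule.strip())
    return m is not None and m.group("tag") == directory_name


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to list."""
    return value if isinstance(value, list) else [value]


def _workspaces_allow_statements(policy: dict):
    """Yield Allow statements whose Service principal names WorkSpaces."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if WORKSPACES_PRINCIPAL in services:
            yield st


def kms_policy_allows_workspaces(policy: dict) -> bool:
    """Check the key policy grants kms:Decrypt and kms:DescribeKey (Step 4.1).

    Only exact action names are recognised; wildcards such as kms:* are not expanded.
    """
    granted = set()
    for st in _workspaces_allow_statements(policy):
        granted.update(_as_list(st.get("Action", [])))
    return REQUIRED_KMS_ACTIONS <= granted


def secret_policy_allows_workspaces(policy: dict) -> bool:
    """Check the secret resource policy grants GetSecretValue (Step 4.2)."""
    return any(REQUIRED_SECRET_ACTION in _as_list(st.get("Action", []))
               for st in _workspaces_allow_statements(policy))


def secret_payload_is_complete(secret_string: str) -> bool:
    """Check the secret JSON has non-empty application_id and application_password."""
    try:
        data = json.loads(secret_string)
    except ValueError:
        return False
    return all(isinstance(data.get(k), str) and data[k] for k in REQUIRED_SECRET_KEYS)
```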

## Configure the IAM Identity Center application for a WorkSpaces directory (optional)
<a name="configure-iam-directory"></a>

A corresponding IAM Identity Center application is automatically created once a directory is created. You can find the application’s ARN in the Summary section on the directory detail page. By default, all users in the Identity Center instance can access their assigned WorkSpaces without configuring the corresponding Identity Center application. However, you can manage user access to WorkSpaces in a directory by configuring the user assignment for the IAM Identity Center application.

**To configure the user assignment for the IAM Identity Center application**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. On the **AWS managed applications** tab, choose the application for the WorkSpaces directory. The application names are in the following format: `WorkSpaces.wsd-xxxxx`, where `wsd-xxxxx` is the WorkSpaces directory ID.

1. Choose **Actions**, **Edit details**.

1. Change the **User and group assignment method** from **Do not require assignments** to **Require assignments**.

1. Choose **Save changes**.

After you make this change, users in the Identity Center instance will lose access to their assigned WorkSpaces unless they are assigned to the application. To assign your users to the application, use the AWS CLI command `create-application-assignment` to assign users or groups to an application. For more information, see the [AWS CLI Command Reference](https://docs.aws.amazon.com//cli/latest/reference/sso-admin/create-application-assignment.html).

## Create a cross-Region IAM Identity Center integration (optional)
<a name="create-cross-region-iam-identity-integration"></a>

We recommend that your WorkSpaces and the associated IAM Identity Center instance are in the same AWS Region. However, if you already have an IAM Identity Center instance configured in a different Region from your WorkSpaces Region, you can create a cross-Region integration. When you create a cross-Region WorkSpaces and IAM Identity Center integration, you enable WorkSpaces to make cross-Region calls to access and store information from your IAM Identity Center instance, such as user and group attributes.

**Important**  
Amazon WorkSpaces supports cross-Region IAM Identity Center and WorkSpaces integrations only for organization-level instances. WorkSpaces doesn't support cross-Region IAM Identity Center integrations for account-level instances. For more information about IAM Identity Center instance types and their use cases, see [Understanding types of IAM Identity Center instances](https://docs.aws.amazon.com//amazonq/latest/qbusiness-ug/setting-up.html#idc-instance-types).

If you create a cross-Region integration between a WorkSpaces directory and an IAM Identity Center instance, you may experience higher latency when deploying WorkSpaces and during login because of cross-Region calls. The increase in latency is proportional to the distance between your WorkSpaces Region and the IAM Identity Center Region. We recommend that you perform latency tests for your specific use case.

You can enable cross-Region IAM Identity Center connections during [Step 5: Create a dedicated Microsoft Entra ID WorkSpaces directory](https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-entra-id.html#entra-step-5). For **User identity source**, choose the IAM Identity Center instance that you configured in [Step 1: Enable IAM Identity Center and synchronize with Microsoft Entra ID](#entra-step-1) from the dropdown menu. 

**Important**  
You can't change the IAM Identity Center instance associated with the directory after you create it.

# Create a dedicated Custom directory with WorkSpaces Personal
<a name="launch-custom"></a>

Before you create Windows 10 and 11 BYOL personal WorkSpaces and assign them to your users, managed with AWS IAM Identity Center Identity Providers (IdPs), you must create a dedicated Custom WorkSpaces directory. Personal WorkSpaces are not joined to any Microsoft Active Directory but can be managed with a Mobile Device Management (MDM) solution of your choice, such as JumpCloud. For more information about JumpCloud, see [this article](https://jumpcloud.com/support/integrate-with-aws-workspaces). For tutorials that use the other options, see [Create a directory for WorkSpaces Personal](launch-workspaces-tutorials.md).

**Note**  
Amazon WorkSpaces can't create or manage user accounts on personal WorkSpaces launched in a Custom directory. As an administrator, you will have to manage them.
Custom WorkSpaces directories are available in all AWS Regions where Amazon WorkSpaces is offered except for Africa (Cape Town), Israel (Tel Aviv), and China (Ningxia).
Amazon WorkSpaces can't create or manage user accounts on WorkSpaces using Custom directories. To ensure that the MDM agent software you use can create the user profile on the Windows WorkSpaces, contact the MDM solution provider. Creating the user profile allows your users to sign in to the Windows desktop from the Windows login screen.

**Contents**
+ [Requirements and limitations](#custom-requirements-limitations)
+ [Step 1: Enable IAM Identity Center and connect with your Identity Provider](#custom-step-1)
+ [Step 2: Create a dedicated Custom WorkSpaces directory](#custom-step-2)

## Requirements and limitations
<a name="custom-requirements-limitations"></a>
+ Custom WorkSpaces directories only support Windows 10 or 11 Bring Your Own License personal WorkSpaces.
+ Custom WorkSpaces directories only support the DCV protocol.
+ Ensure you enable BYOL for your AWS account and you have your own AWS KMS server that your personal WorkSpaces can access for Windows 10 and 11 activation. For details, see [Bring Your Own Windows desktop licenses in WorkSpaces](byol-windows-images.md).
+ Ensure you pre-install the MDM agent software on the BYOL image that you imported to your AWS account.

## Step 1: Enable IAM Identity Center and connect with your Identity Provider
<a name="custom-step-1"></a>

To assign WorkSpaces to your users managed with your Identity Providers, the user information must be made available to AWS through AWS IAM Identity Center. We recommend using IAM Identity Center to manage your user's access to AWS resources. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html). This is a one-time setup.

**To make user information available to AWS**

1. Enable IAM Identity Center on AWS. You can enable IAM Identity Center with AWS Organizations, especially if you are using a multi-account environment. You can also create an account instance of IAM Identity Center. For more information, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html). Each WorkSpaces directory can be associated with one IAM Identity Center organization or account instance. Each IAM Identity Center instance can be associated with one or more WorkSpaces Personal directories.

   If you are using an organization instance and trying to create a WorkSpaces directory in one of the member accounts, ensure you have the following IAM Identity Center permissions. 
   + `sso:DescribeInstance`
   + `sso:CreateApplication`
   + `sso:PutApplicationGrant`
   + `sso:PutApplicationAuthenticationMethod`
   + `sso:DeleteApplication`
   + `sso:DescribeApplication`
   + `sso:GetApplicationGrant`

   For more information, see [Overview of managing access permissions to your IAM Identity Center resources](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-overview.html). Ensure that no Service Control Policies (SCPs) are blocking these permissions. To learn more about SCPs, see [Service control policies (SCPs)](https://docs.aws.amazon.com/userguide/orgs_manage_policies_scps.html).

1. Configure IAM Identity Center and your Identity Provider (IdP) to automatically synchronize users from your IdP to your IAM Identity Center instance. For more information, see [Getting started tutorials](https://docs.aws.amazon.com/singlesignon/latest/userguide/tutorials.html) and choose the specific tutorial for the IdP that you want to use. For example, [Using IAM Identity Center to connect with your JumpCloud Directory Platform](https://docs.aws.amazon.com/singlesignon/latest/userguide/jumpcloud-idp.html).

1. Verify that the users you configured on your IdP are synchronized correctly to your AWS IAM Identity Center instance. The first synchronization can take up to an hour depending on the configuration of your IdP. 

## Step 2: Create a dedicated Custom WorkSpaces directory
<a name="custom-step-2"></a>

Create a dedicated WorkSpaces Personal directory that stores information about your personal WorkSpaces and your users.

**To create a dedicated Custom WorkSpaces directory**

1. Open the WorkSpaces console at [https://console.aws.amazon.com/workspaces/v2/home](https://console.aws.amazon.com/workspaces/v2/home).

1. In the navigation pane, choose **Directories**.

1. Choose **Create directory**.

1. On the **Create directory** page, for **WorkSpaces type**, choose **Personal**. For **WorkSpace device management**, choose **Custom**.

1. For **User identity source**, select the IAM Identity Center instance that you configured in [Step 1](#custom-step-1) from the dropdown list. You won't be able to change the IAM Identity Center instance associated with the directory once the directory is created.
**Note**  
You have to specify an IAM Identity Center instance for the directory or you won't be able to launch personal WorkSpaces with the directory using the WorkSpaces console. WorkSpaces directories with no associated Identity Center are only compatible with WorkSpaces Core partner solutions.

1. For **Directory name**, enter a unique name for the directory.

1. For **VPC**, select the VPC that you used to launch your WorkSpaces. For more information, see [Configure a VPC for WorkSpaces Personal](amazon-workspaces-vpc.md).

1. For **Subnets**, select two subnets of your VPC that are not from the same Availability Zone. These subnets will be used to launch your personal WorkSpaces. For more information, see [Availability Zones for WorkSpaces Personal](azs-workspaces.md).
**Important**  
Make sure the WorkSpaces launched in the subnets have internet access, which is needed when users log in to the Windows desktops. For more information, see [Provide internet access for WorkSpaces Personal](amazon-workspaces-internet-access.md).

1. For **Configuration**, select **Enable dedicated WorkSpace**. You must enable it to create a dedicated WorkSpaces Personal directory to launch Bring Your Own License (BYOL) Windows 10 or 11 personal WorkSpaces. 

1. (Optional) For **Tags**, specify the key-value pairs that you want to use for personal WorkSpaces in the directory.

1. Review the directory summary and choose **Create directory**. It takes several minutes for your directory to be connected. The initial status of the directory is `Creating`. When directory creation is complete, the status is `Active`. 

An IAM Identity Center application is also automatically created on your behalf once the directory is created. To find the application’s ARN go to the directory's summary page.

You can now use the directory to launch Windows 10 or 11 BYOL personal WorkSpaces that are managed with the MDM solution of your choice. For more information, see [Create a WorkSpace in WorkSpaces Personal](create-workspaces-personal.md). 

After you've created a WorkSpaces Personal directory, you can create a personal WorkSpace. For more information, see [Create a WorkSpace in WorkSpaces Personal](create-workspaces-personal.md).