Trying to figure out how to set up MFA for a native QuickSight user that just signed up with an email address from an invitation.
I found a comment at:
AWS Big Data Blog - An updated Amazon QuickSight sign-in experience by Sahitya Pandiri | on 28 SEP 2021
that states: “If your account is Multi-Factor Authentication enabled, you will be prompted to enter the MFA code as below”, but I don’t see this option when signing into a native QuickSight account, or how to require MFA for a new account.
Does anyone know how to enable this for native QuickSight users, particularly for users that have already signed into QuickSight?
Thank you for your replies. Yes, I have seen those in my research. The difficulty is that these are all non-IAM accounts. The only solution I can figure is to create new IAM accounts for all of these users (hundreds) and manually configure each to match the same permissions and dashboard access in QuickSight, or port all the settings over to a new user using API calls, but this looks to be a lengthy, complicated process.
Hi @TimB - is your AWS account integrated with MFA? If yes, then you can explore a solution to use the same for QuickSight as well, and users do not need to log in to the AWS account but can still log in to QuickSight with that MFA. Active Directory is a possible solution.
Thank you for the reply! I’m not sure I’m following you completely. Yes, I as an AWS admin do have MFA set up, but most of the QuickSight users (hundreds!) were set up originally without IAM and do not have MFA. Unfortunately, AD is not possible as these users are all different clients. The only solution I see is to re-create all of the users in IAM and require MFA for sign-on, but they all have different permissions for dashboards, etc. that need to be configured as well. Can you elaborate on ‘if yes, then you can explore a solution to use the same for QuickSight as well and user do not need to login AWS account but still can login QuickSight with that MFA?’ Maybe there is something I am missing. Thanks again!
Create different groups in AD for QuickSight as well. For example, we created AD groups like marketing, sales, etc.
Assign users w.r.t. each department.
Organize the QuickSight datasets, analyses, and dashboards w.r.t. departments, like folders.
Programmatically assign the users to the respective folders so that each user can see the required contents.
When a user logs in directly from the QuickSight URL, it will ask for the MFA token last (after user name and password).
Also, from a security perspective, you can add the IP restriction feature, which only allows QuickSight access from the organization's IPs. It is a nice feature and we implemented that as well.
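The group and folder steps in the reply above can be scripted. The following is an added example, not code posted by anyone in this thread: it plans the `create_group_membership` and `update_folder_permissions` requests of the QuickSight API (boto3) from a user-to-department mapping and skips any user whose department has no folder, so nobody is granted access by default. The account ID, region, namespace, user names and folder IDs are constructed placeholders, and the groups are assumed to exist already under the department names.

```python
"""Plan QuickSight group memberships and folder grants per department (added example)."""

# Constructed placeholders, not values from this thread.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"      # assumed to be the account's QuickSight identity region
NAMESPACE = "default"
VIEWER_ACTIONS = ["quicksight:DescribeFolder"]  # read-only access to a shared folder

# Constructed sample input: user name -> department, department -> folder ID.
USER_DEPARTMENTS = {"alice@example.com": "marketing", "bob@example.com": "sales"}
DEPARTMENT_FOLDERS = {"marketing": "folder-marketing", "sales": "folder-sales"}


def group_arn(group):
    """ARN of a QuickSight group named after the department (assumed naming)."""
    return f"arn:aws:quicksight:{REGION}:{ACCOUNT_ID}:group/{NAMESPACE}/{group}"


def plan_calls(user_departments, department_folders):
    """Return ([(operation, kwargs)], skipped_users) without calling AWS."""
    calls, skipped = [], []
    # Grant each department group read-only access to its own folder only.
    for dept in sorted(set(user_departments.values()) & set(department_folders)):
        calls.append(("update_folder_permissions", {
            "AwsAccountId": ACCOUNT_ID,
            "FolderId": department_folders[dept],
            "GrantPermissions": [{"Principal": group_arn(dept),
                                  "Actions": VIEWER_ACTIONS}],
        }))
    # Put each user in the group of their department; unmapped users get nothing.
    for user, dept in sorted(user_departments.items()):
        if dept not in department_folders:
            skipped.append(user)
            continue
        calls.append(("create_group_membership", {
            "AwsAccountId": ACCOUNT_ID, "Namespace": NAMESPACE,
            "GroupName": dept, "MemberName": user,
        }))
    return calls, skipped


def apply_calls(calls):
    """Send the planned requests; needs boto3 and QuickSight admin credentials."""
    import boto3  # imported here so planning and review work without AWS access
    client = boto3.client("quicksight", region_name=REGION)
    for operation, kwargs in calls:
        getattr(client, operation)(**kwargs)
```

Review the output of `plan_calls` before passing it to `apply_calls`, and treat any name in the skipped list as a user who still needs a department assignment.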