QuickSight with IAM Identity Center: Unable to share Spaces or content with groups or users

Q&A
, , ,
1

I have configured Amazon QuickSuite with AWS IAM Identity Center integration for automatic user provisioning via SCIM from Azure AD. While authentication and role assignment work correctly, we cannot share Spaces or content with users, making the platform unusable for our multi-user deployment.

What Works:
:white_check_mark: Users authenticate successfully via IAM Identity Center
:white_check_mark: Groups sync from Azure AD to IAM Identity Center via SCIM (13 groups synced)
:white_check_mark: Group memberships sync correctly in IAM Identity Center
:white_check_mark: Groups can be assigned to QuickSight roles (Admin, Reader)

What Doesn’t Work:
:cross_mark: Cannot share Spaces with groups - groups are visible in share dialog but users in those groups cannot see the Spaces
:cross_mark: Cannot share content (dashboards, analyses, chat agents) with groups - same issue
:cross_mark: Cannot share Spaces or content with individual users - users don’t appear in search when attempting to share
:cross_mark: No option to make Spaces visible to all users

Troubleshooting Performed:

  • Verified user exists in IAM Identity Center identity store
  • Verified user is member of group in IAM Identity Center
  • Verified group is assigned to QuickSight application
  • Verified group is assigned to QuickSight Reader role

User has logged in/out multiple times (no caching issue)

Waited 6+ hours for any propagation delays

We migrated from direct SAML to IAM Identity Center specifically to enable automatic user provisioning via SCIM. However, this migration has made Spaces completely unusable. We cannot implement our required access control model where different teams have access to different Spaces. Manual configuration of users using SAML while technically woudl work, is a nightmare of a situation, as every user has to be managed invidually.

Without Space-level access control, we cannot:

Restrict sensitive content to specific teams
Organize content by department/function
Control who can view AI chat agents and knowledge bases

Questions:

Is group-based Space and content sharing supported with IAM Identity Center integration in a cross-account setup?

If yes, what configuration are we missing?
If no, what is the recommended approach for multi-user QuickSight deployments with IAM Identity Center?

Is this a known limitation or bug?

Should we revert to direct SAML integration to regain Space sharing functionality (losing automatic user provisioning)?

2

Hi all, I’ve solved my problem. I can confirm that IAM Identty Center does actually work, the groups map across as expected. The issue was I had not released that in order for my users to get the Quite Suite features, they needed to be in the ‘Reader-Pro’ Role. Being in the Reader role only did’tn give them enough permisisons. All the information is in the docs, its just not immediatley obvious, and requires quite a few cross-reading reference. Its opened a bunch more questions about pricing as well though!