I was onboarding a new customer to our managed organization last month, and after weeks of planning, the account invitation failed instantly. No error details in the Organizations console—just a red X. The customer’s account owner was frustrated, and we had no clear path forward. After checking a few common culprits, we found the issue within minutes. In this post, I’ll walk through exactly what causes this and how to fix it.

The Problem

When you attempt to invite a standalone AWS account to join your Organization, the invitation fails immediately, or the account accepts the invite but the join operation fails. You see errors like:

Error: Unable to invite account to organization
Code: InvalidInput
Message: The account you are trying to invite is already a member of an organization.

Or the invite appears successful but hangs in ACCEPTED status without completing the join.

| Error Type | Cause |
|---|---|
| Already a member | Target account belongs to another organization |
| Email mismatch | Root email doesn’t match invitation recipient |
| Account limit exceeded | Organization has reached max account quota |
| Handshake expired | Invitation older than 15 days |
| No email access | Root user can’t receive the invite acceptance |

Why Does This Happen?

  • Target account is already a member of another organization: AWS accounts can only belong to one organization at a time. If the target account was previously part of another organization, it must be removed as a member first (and must wait a short period before joining a new one).

  • Target account’s root email doesn’t match the invite: The invitation is sent to an email address, but if the account’s actual root user email is different, the account owner can’t accept the handshake. This happens when email addresses change or distribution lists are used.

  • Organization account limit reached: The default limit is 10 accounts per organization. If you’ve already created 9 accounts and try to invite a 10th, you’ll hit the quota. The error message often doesn’t explicitly state this.

  • Target account doesn’t have access to the root user email: If the email is a shared mailbox that nobody monitors, or the address is no longer active, the account owner won’t receive the invite acceptance prompt.

  • Invite handshake expired: AWS Organizations invitations are valid for 15 days. If the target account owner doesn’t accept within that window, the invitation is automatically rejected and cannot be reused—you must send a new invite.

The Fix

Step 1: Check if the target account is already a member of another organization

Run this command from the target account (not the inviting organization):

aws organizations describe-organization \
  --region us-east-1 \
  --output json

If this returns organization details, the account is already a member. If it returns OrganizationNotFound, the account is standalone.

Step 2: Verify your organization’s account limit

# Organizations quotas are only exposed by Service Quotas in us-east-1
aws service-quotas get-service-quota \
  --service-code organizations \
  --quota-code L-29A0C5DF \
  --region us-east-1 \
  --output table

Check the Value field. If you’re at or near the limit, request an increase via the Service Quotas console before inviting more accounts.

Step 3: Check the status of existing handshakes

aws organizations list-handshakes-for-organization \
  --filter ActionType=INVITE \
  --output table

This shows all pending invitations. Look for the target account in the list. If the status is ACCEPTED, try accepting it again from the target account.

Step 4: Resend the invite with the correct email

Confirm the target account’s root email address directly with the account owner. Then, cancel the old invite and send a new one:

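# Run from the management account that sent the invite. decline-handshake
# only works from the invited account; the originator uses cancel-handshake.
aws organizations cancel-handshake \
  --handshake-id h-xxxxxxxxxxxxxxx

aws organizations invite-account-to-organization \
  --target Id=123456789012,Type=ACCOUNT \
  --notes "Join our organization"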

How to Run This

  1. From the target account, run describe-organization to confirm it’s not already in an organization.
  2. Check your organization’s account quota with get-service-quota.
  3. List all pending invitations with list-handshakes-for-organization.
  4. If an invitation is stale (older than 15 days), decline it and send a fresh one.
  5. Verify the root email address with the target account owner before resending.
  6. After resending, instruct the account owner to log into the AWS console with their root credentials and accept the invitation from the Organizations console.
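
A triage of the Step 3 output, as an added example (not code from the original post): it reads JSON shaped like the `list-handshakes-for-organization` response and reports, for each invite sent to a given target, whether it is still open, expired, or stuck in ACCEPTED. The `triage` function, the sample handshakes and all IDs are constructed for illustration, and the code assumes the timestamps are ISO 8601 strings.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `list-handshakes-for-organization --output json`.
# All handshake IDs, account IDs, addresses and dates are made up.
SAMPLE = json.loads("""
{"Handshakes": [
  {"Id": "h-exampleexpired01", "Action": "INVITE", "State": "EXPIRED",
   "Parties": [{"Id": "o-exampleorgid", "Type": "ORGANIZATION"},
               {"Id": "111111111111", "Type": "ACCOUNT"}],
   "ExpirationTimestamp": "2024-03-16T10:00:00+00:00"},
  {"Id": "h-exampleopen0002", "Action": "INVITE", "State": "OPEN",
   "Parties": [{"Id": "o-exampleorgid", "Type": "ORGANIZATION"},
               {"Id": "owner@example.com", "Type": "EMAIL"}],
   "ExpirationTimestamp": "2024-04-09T09:00:00+00:00"},
  {"Id": "h-exampleaccept03", "Action": "INVITE", "State": "ACCEPTED",
   "Parties": [{"Id": "o-exampleorgid", "Type": "ORGANIZATION"},
               {"Id": "222222222222", "Type": "ACCOUNT"}],
   "ExpirationTimestamp": "2024-04-10T12:00:00+00:00"}
]}
""")["Handshakes"]

def triage(handshakes, target, now):
    """Return [(handshake_id, verdict)] for every INVITE addressed to `target`
    (an account ID or the email address the invite was sent to)."""
    results = []
    for h in handshakes:
        recipients = {p["Id"] for p in h["Parties"] if p["Type"] in ("ACCOUNT", "EMAIL")}
        if h.get("Action") != "INVITE" or target not in recipients:
            continue
        expires = datetime.fromisoformat(h["ExpirationTimestamp"])
        state = h["State"]
        still_pending = state in ("REQUESTED", "OPEN")
        if state == "EXPIRED" or (still_pending and expires <= now):
            verdict = "expired: send a new invite"
        elif still_pending:
            verdict = f"open: {(expires - now).days} day(s) left to accept"
        elif state == "ACCEPTED":
            verdict = "accepted but not joined: accept again from the target account"
        else:  # CANCELED or DECLINED
            verdict = f"{state.lower()}: send a new invite"
        results.append((h["Id"], verdict))
    return results or [(None, "no invite on record for this target")]

if __name__ == "__main__":
    now = datetime(2024, 4, 1, tzinfo=timezone.utc)
    for target in ("111111111111", "owner@example.com", "222222222222", "333333333333"):
        print(target, triage(SAMPLE, target, now))
```

Matching on both ACCOUNT and EMAIL parties matters because an invite sent to an email address lists that address, not the account ID, as the recipient.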

Is This Safe?

Yes, completely safe. These commands are read-only except for declining and resending invites. Declined invites can be re-sent at any time, so there’s no risk of permanently blocking an account from joining.

Key Takeaway

Most invitation failures are caused by the target account already being a member of another organization, or by account quota limits. Always verify the target is standalone with describe-organization and check your quota with get-service-quota before inviting. If the account is already a member elsewhere, it must be removed from that organization first before it can join yours.

