If you’ve set up AWS IAM Identity Center (formerly AWS SSO) and users can’t log into the AWS Access Portal, you’re not alone. I’ve debugged dozens of IAM Identity Center implementations, and the issues range from simple user assignment problems to identity provider misconfiguration. In this post, I’ll walk through exactly what causes login failures and how to fix each one systematically.
The Problem
Users try to log into the AWS Access Portal at https://d-xxxxxxxxxx.awsapps.com/start/ and encounter one of these issues:
| Issue Type | Error Message |
|---|---|
| No Portal Access | Your request could not be completed. Please try again later. |
| Redirect Loop | Browser redirects infinitely between login page and IAM Identity Center |
| Missing Accounts | “No accounts available” even though they should have access |
| MFA Failure | “Your MFA device could not be verified” |
Each of these points to a specific configuration issue. Let me walk through how to diagnose and fix each one.
Why Does This Happen?
- User has no account assignments: The user exists in IAM Identity Center but has no permission sets assigned to any AWS account
- Identity provider sync failed: Your external identity provider (Okta, Azure AD, etc.) didn’t sync the user properly, or the user was removed from the IdP
- MFA not registered: The user hasn’t registered an authenticator app or security key in IAM Identity Center
- IAM Identity Center not enabled in the correct region: IAM Identity Center is a global service in AWS but must be enabled in a specific region (check the management account settings)
- User provisioning via SCIM not working: If using SCIM to sync users from your IdP, the SCIM configuration or provisioning rules are misconfigured
The Fix
Step 1: Verify IAM Identity Center is Enabled
First, confirm IAM Identity Center is actually enabled:
```bash
# Check IAM Identity Center instances in your region
aws sso-admin list-instances \
  --region us-east-1 \
  --output text
```
This returns the instance ARN and the identity store ID. If it returns nothing, IAM Identity Center isn’t enabled in this region. Enable it in the AWS console under Identity Center.
Step 2: Check User Account Assignments
In the AWS console, navigate to Identity Center → Users → select the user → AWS accounts tab. Look for any account assignments. If the tab is empty, the user has no permissions to any account.
Or use the CLI:
```bash
# Get your IAM Identity Center instance ARN
aws sso-admin list-instances \
  --query 'Instances[0].InstanceArn' \
  --output text

# List account assignments for a specific user
aws sso-admin list-account-assignments-for-principal \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxxxx \
  --principal-id user-id \
  --principal-type USER \
  --output text
```
If this returns no results, the user has no permission sets assigned. Go to Identity Center → AWS accounts → select account → Users and groups → add the user and assign a permission set.
Step 3: Verify User Exists and is Active
Check if the user exists in IAM Identity Center:
```bash
# List all users
aws identitystore list-users \
  --identity-store-id d-xxxxxxxxxx \
  --output text

# Get a specific user (describe-user returns the user fields at the top level,
# so no --query is needed)
aws identitystore describe-user \
  --identity-store-id d-xxxxxxxxxx \
  --user-id user-id \
  --output text
```
Look at the UserStatus field. It should be ACTIVE. If it’s INACTIVE, the user can’t log in. Reactivate the user in the console.
Step 4: Check MFA Configuration
If the user gets an MFA error, verify MFA is configured:
```bash
# List the user's group memberships. There is no CLI call that lists a user's
# registered MFA devices; check those in the console under Users → MFA devices.
# --member-id takes a structure, not a bare ID.
aws identitystore list-group-memberships-for-member \
  --identity-store-id d-xxxxxxxxxx \
  --member-id UserId=user-id \
  --output text
```
Users who need MFA must register an authenticator app (Authy, Google Authenticator) or security key. They can do this at account login time or in the IAM Identity Center user portal under “Security credentials”.
Step 5: Verify Identity Provider Sync (if using external IdP)
If you’re using an external identity provider (Okta, Azure AD, Ping Identity), check if user sync is working:
```bash
# The identity source type (Identity Center directory, Active Directory or
# external IdP) is shown in the console under Settings → Identity source.
# The CLI exposes only the identity store ID behind the instance:
aws sso-admin list-instances \
  --query 'Instances[0].IdentityStoreId' \
  --output text
```
If the identity source is external, check:
- In the console: Identity Center → Settings → Identity source → check sync status
- SCIM provisioning: Ensure your IdP has a current SCIM API token configured in IAM Identity Center
- User attributes: In your IdP, ensure the user has the correct email and is assigned to the IAM Identity Center app/integration
Step 6: Check Permission Set Assignments
Ensure the permission set assigned to the user actually grants access. Get the permission set policy:
```bash
# List permission sets provisioned to an account
aws sso-admin list-permission-sets-provisioned-to-account \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxxxx \
  --account-id 123456789012 \
  --output text

# Get the permission set details
aws sso-admin describe-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxxxx \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxx/ps-xxxxxxxxxx \
  --output text

# Get the permission set's inline policy ...
aws sso-admin get-inline-policy-for-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxxxx \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxx/ps-xxxxxxxxxx \
  --output text

# ... and the AWS managed policies attached to it
aws sso-admin list-managed-policies-in-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxxxx \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxx/ps-xxxxxxxxxx \
  --output text
```
The permission set should carry a valid IAM policy with at least some Allow statements, either inline or through an attached managed policy. If the inline policy is empty (or contains only Deny statements) and no managed policy is attached, the user has no effective permissions.
Diagnostic Checklist
Use this checklist to troubleshoot login failures:
- Is IAM Identity Center enabled? → Run `list-instances` and check a valid instance exists
- Does the user exist in IAM Identity Center? → Run `describe-user` and check status is ACTIVE
- Does the user have account assignments? → Run `list-account-assignments-for-principal` and verify at least one
- Does the assigned permission set have an Allow policy? → Get the permission set policy and check for Allow statements
- Is the external IdP syncing correctly? → Check SCIM sync status in console and user exists in IdP
- Is MFA required and registered? → Check login rules and user MFA device registration
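To run the checklist above mechanically, the following script (an added example, not code from the original post) walks Steps 1, 3, 2 and 6 over the JSON the CLI calls return when run with `--output json`, and names the first failing step. The sample responses are constructed; field names follow the `sso-admin` and `identitystore` API responses, and the `aws_json` helper is only needed for live use.

```python
"""Triage an IAM Identity Center login failure from the JSON returned by the
CLI calls in this post (run them with --output json). Added example, not code
from the original post; the sample responses below are constructed."""
import json
import subprocess

def aws_json(*args):
    """Run an aws CLI command and parse its JSON output (for live use)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def grants_access(inline_policy, managed_policies):
    """Step 6: True if the permission set has an attached managed policy or
    an inline policy containing at least one Allow statement."""
    if managed_policies.get("AttachedManagedPolicies"):
        return True
    doc = inline_policy.get("InlinePolicy") or ""
    if not doc.strip():                 # empty inline policy: nothing granted
        return False
    statements = json.loads(doc).get("Statement", [])
    if isinstance(statements, dict):    # a single statement may be a bare object
        statements = [statements]
    return any(s.get("Effect") == "Allow" for s in statements)

def triage(list_instances, list_users, username, assignments,
           inline_policy, managed_policies):
    """Walk the post's checklist in order and name the first failing step."""
    if not list_instances.get("Instances"):                 # Step 1
        return "NOT_ENABLED"
    if not any(u.get("UserName") == username for u in list_users.get("Users", [])):
        return "USER_MISSING"                               # Step 3
    if not assignments.get("AccountAssignments"):           # Step 2
        return "NO_ASSIGNMENTS"
    if not grants_access(inline_policy, managed_policies):  # Step 6
        return "NO_ALLOW_POLICY"
    return "CHECK_MFA_OR_IDP"   # Steps 4 and 5 have no CLI read path

# Constructed sample responses: the user exists and is assigned a permission
# set, but that set has an empty inline policy and no managed policies.
SAMPLE = {
    "list_instances": {"Instances": [{"InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLE",
                                      "IdentityStoreId": "d-EXAMPLE"}]},
    "list_users": {"Users": [{"UserId": "uid-EXAMPLE", "UserName": "alice"}]},
    "assignments": {"AccountAssignments": [{"AccountId": "123456789012",
                    "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"}]},
    "inline_policy": {"InlinePolicy": ""},
    "managed_policies": {"AttachedManagedPolicies": []},
}
```

Customer managed policy references and permissions boundaries are not inspected here; a permission set that relies only on those will be reported as `NO_ALLOW_POLICY`.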
Is This Safe?
Yes. Listing users, permission sets, and account assignments is completely safe — these are read-only operations. Modifying assignments or enabling MFA should follow your organization’s access control processes.
Key Takeaway
IAM Identity Center login failures are usually caused by missing account assignments or inactive users. Always start by running describe-user to check the user exists and is active, then list-account-assignments-for-principal to verify they have at least one permission set assigned to an account. In my experience, 80% of login failures are simply because the user has no account assignments — they exist in IAM Identity Center but have no permissions configured.
Have questions or ran into a different IAM issue? Connect with me on LinkedIn or X.