Manage console logon settings

Last Updated: Apr 01, 2026

You can manage console logon settings for a Resource Access Management (RAM) user to control their access to the Alibaba Cloud Management Console. This includes enabling or disabling console access, managing passwords, and requiring multi-factor authentication (MFA) to meet your security and compliance requirements.

Overview

Console logon settings for a RAM user determine their ability to access the Alibaba Cloud Management Console and the security measures applied during logon. These settings affect only console logon and do not affect programmatic access that uses AccessKey pairs.

| Parameter | Description |
| --- | --- |
| Console Access | Controls whether a RAM user can log on to the Alibaba Cloud Management Console. |
| Set Logon Password | Sets or resets the console logon password for a RAM user. |
| Password Reset | Requires a user to change their password upon their next logon. |
| Enable MFA | Requires a user to use MFA to log on. |

Note

These settings do not apply to RAM users who log on through single sign-on (SSO) from an external identity provider (IdP).

Enable console logon

By default, RAM users cannot log on to the console. Before a RAM user can log on with a password, you must first enable console access and set an initial password.

Console

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click the target RAM user.

  4. Choose the Authentication tab. In the Login Profile section, click Enable Console Logon.

  5. In the Enable Console Logon dialog box, configure the following parameters:

    • Console Access: Select Enabled.

    • Set Logon Password: Select Automatically Regenerate Default Password or Reset Custom Password.

    • Password Reset: Specify whether the user must change their password at the next logon. When setting an initial password, we recommend that you select this option.

    • Enable MFA: Specify whether to require MFA. If you select Required, the user must bind an MFA device at their next logon. We strongly recommend requiring MFA.

  6. Click OK.

API

To enable console logon and set an initial password for a RAM user, call the CreateLoginProfile operation. This requires the ram:CreateLoginProfile permission.

View console logon settings

Administrators can view a RAM user's logon configuration, including console access status and MFA settings.

Console

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click the target RAM user.

  4. Choose the Authentication tab. In the Login Profile section, you can view the following settings:

    • Console Access: Shows the current access status (such as Unset, Inactive, or Active).

    • Last Logined Time: The last time the RAM user successfully logged on. Use this to audit idle accounts.

    • MFA Required: Indicates whether MFA is required for logon.

      Note

      Multiple factors determine whether a RAM user must use MFA, evaluated in the following order of precedence:

      1. The global MFA policy is set to Force all users. For more information, see Manage security settings.

      2. The logon settings for the individual RAM user require MFA.

      3. The user has already bound an MFA device.

      If none of these conditions are met, the user is prompted to bind an MFA device at each logon, but binding is optional.

    • Password: Indicates whether the RAM user must change their password at their next logon.

    • Password Status: Displays the RAM user's current password status. For more information, see the "What are initial passwords" section in this topic.

      • Initial Password Available: The password is an initial password and has not expired.

      • Initial Password Expired: The initial password has expired. The user cannot log on.

      • Not Initial Password: The password is a standard password, subject only to the regular password expiration period.

    • Console Sign-in: A dedicated logon URL for the RAM user.

API

To view the console logon settings for a RAM user, call the GetLoginProfile operation. This requires the ram:GetLoginProfile permission.

Modify console logon settings

An administrator can modify a RAM user's logon settings, such as resetting a password or disabling console access.

Console

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click the target RAM user.

  4. Choose the Authentication tab. In the Login Profile section, click Modify Logon Settings.

  5. In the Modify Logon Settings dialog box, change the parameters as needed. For example, you can set Console Access to Disabled.

    Important
    • If you disable console logon, the RAM user's current console session and any active sessions for RAM roles assumed by that user are immediately terminated.

    • Disabling console logon also prevents the user from logging on by using a passkey.

  6. Click OK.

API

To modify the console logon settings for a RAM user, call the UpdateLoginProfile operation. This requires the ram:UpdateLoginProfile permission.

Clear console logon settings

Clearing a RAM user's logon settings permanently deletes all console logon information, including their password. This action prevents the user from logging on to the console.

Warning

This action is irreversible. It immediately terminates the RAM user's current console session and any active role sessions. Proceed with caution.

Console

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click the target RAM user.

  4. Choose the Authentication tab. In the Login Profile section, click Remove Logon Settings.

  5. In the confirmation dialog box, click OK.

API

To clear the console logon settings for a RAM user, call the DeleteLoginProfile operation. This requires the ram:DeleteLoginProfile permission.

Note

Clearing the logon settings does not affect the RAM user's AccessKey pairs, passkeys, or MFA device bindings.

Security best practices

  • Enforce MFA: Always require MFA for RAM users who need to access the console. It is one of the most effective ways to protect your account.

  • Require initial password reset: When you set an initial password for a new RAM user, always select the Required at Next Logon option.

  • Separate human and machine identities: For programmatic access (such as CI/CD pipelines or applications), create dedicated RAM users and do not enable console logon for them.

  • Audit idle accounts: Regularly review the Last Console Logon time for RAM users and disable console access for accounts that are no longer active.
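The following added example (not part of the original documentation or of Alibaba Cloud's tooling) shows how the MFA and idle-account practices above can be checked over an inventory of RAM users, applying the MFA precedence described in the note under "View console logon settings". The records are constructed sample data; apart from LastLoginTime, the key names, the timestamp format, and the 90-day idle threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. "LastLoginTime" is the field the page names;
# the other keys and the timestamp format are assumed for this example.
GLOBAL_MFA_FORCE_ALL = False  # assumed flag for the global "Force all users" policy
USERS = [
    {"UserName": "alice", "ConsoleAccess": "Active", "MFARequired": True,
     "MFADeviceBound": True, "LastLoginTime": "2026-03-20T08:00:00Z"},
    {"UserName": "bob", "ConsoleAccess": "Active", "MFARequired": False,
     "MFADeviceBound": False, "LastLoginTime": "2025-11-02T10:30:00Z"},
    {"UserName": "ci-deploy", "ConsoleAccess": "Unset", "MFARequired": False,
     "MFADeviceBound": False, "LastLoginTime": None},
    {"UserName": "carol", "ConsoleAccess": "Active", "MFARequired": False,
     "MFADeviceBound": True, "LastLoginTime": None},
]

def mfa_enforced(user, global_force):
    """Apply the documented precedence; return the deciding factor or None."""
    if global_force:
        return "global policy"
    if user["MFARequired"]:
        return "user setting"
    if user["MFADeviceBound"]:
        return "bound device"
    return None  # user is only prompted to bind a device; MFA stays optional

def audit(users, now, global_force=GLOBAL_MFA_FORCE_ALL, idle_days=90):
    """Return {user name: [findings]} for users whose console access is Active."""
    findings = {}
    for u in users:
        if u["ConsoleAccess"] != "Active":
            continue  # Unset or Inactive: the user cannot log on to the console
        issues = []
        if mfa_enforced(u, global_force) is None:
            issues.append("mfa-optional")
        last = u["LastLoginTime"]
        if last is None:
            issues.append("never-logged-on")
        else:
            seen = datetime.strptime(last, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if now - seen > timedelta(days=idle_days):  # idle_days is an assumed threshold
                issues.append("idle")
        if issues:
            findings[u["UserName"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(USERS, datetime(2026, 4, 1, tzinfo=timezone.utc)).items():
        print(name, issues)
```

Users flagged as idle or never-logged-on are candidates for disabling console access, and users flagged as mfa-optional are candidates for the Enable MFA setting.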

FAQ

What is the difference between disabling and clearing logon settings?

Disabling logon is a temporary, reversible action that preserves the RAM user's password. Clearing logon settings is a permanent, irreversible action that deletes all console logon information for the user.

Does disabling console logon affect AccessKey pairs?

No. Console access and programmatic access are independent. To prevent a RAM user from making API calls, you must disable or delete their AccessKey pairs.

What happens to a RAM user's active session if I change their password or disable console logon?

The action immediately terminates the user's current console session and any active RAM role sessions assumed by that user. This may interrupt ongoing operations.

Can a RAM user reset their own forgotten password?

No, RAM users cannot reset their own console passwords. A RAM administrator must reset the password for them. For instructions, see Change the password for a RAM user.

How can a RAM administrator find a user's last logon time?

You can find the last logon time in two ways:

  • Console: On the user's details page, choose the Authentication tab and find the Last Console Logon time in the Login Profile section.

  • API: Call the GetLoginProfile operation. The response contains the LastLoginTime field.

What are initial passwords?

To mitigate security risks from inactive accounts, RAM uses an "initial password" mechanism. Passwords set by an administrator are considered initial passwords and have a default validity period of 14 days. If the user does not log on and change their password within this period, it automatically expires and must be reset by an administrator.

A password is considered an initial password if it is:

  • Set when console logon is first enabled for a user.

  • Reset by an administrator before the user has successfully logged on with a previous initial password.

You can change the initial password validity period in your account's global password policy.

How can I check the status of a RAM user's initial password?

On the user's details page, choose the Authentication tab and find the Password Status in the Login Profile section. If the status is Initial Password Expired, the user cannot log on with their current password, and an administrator must reset it.