This topic describes how to manage console logon settings for a RAM user. You can configure settings such as console access, logon passwords, and multi-factor authentication (MFA) to meet security and compliance requirements in different scenarios.
Overview
The console logon settings for a RAM user determine how the user accesses the Alibaba Cloud console and the level of security applied. These settings affect only the console logon behavior of the RAM user and do not affect programmatic access using an AccessKey.
The following table summarizes the available logon settings and their functions.
Parameter | Description |
Console Access | Controls whether a RAM user can log on to the Alibaba Cloud console. |
Set Logon Password | Sets or resets the console logon password for a RAM user. |
Password Reset | Forces the user to change their password upon the next logon. |
Enable MFA | Requires the user to complete multi-factor authentication during logon. |
If SSO is enabled for a RAM user, the logon settings described above, such as console access and MFA requirements, do not apply.
Enable console logon
By default, console logon is disabled when you create a RAM user. To allow a RAM user to log on to the Alibaba Cloud console with a password, you must first enable console logon and set a password. You can perform this configuration in the Alibaba Cloud console or by using OpenAPI.
Console
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
In the user list, click the name of the target RAM user.
On the Authentication tab, in the Login Profile section, click Enable Console Logon.
In the Enable Console Logon dialog box, configure the following parameters:
Console Access: Select Enabled to enable console logon for the RAM user.
Set Logon Password: Select Automatically Regenerate Default Password or Reset Custom Password.
Password Reset: Specify whether the user is required to reset their password at the next logon. When you set an initial password, we recommend that you select Required at Next Logon to prevent password sharing between the administrator and the user.
Enable MFA: Specify whether the RAM user is required to enable MFA. If you select Required, the user must bind an MFA device upon logon. We recommend requiring MFA, which is the default setting.
Click OK.
OpenAPI
Required permission: You must have the ram:CreateLoginProfile permission.
Call the CreateLoginProfile operation to enable console logon for a RAM user and set an initial password.
View console logon settings of a RAM user
As a RAM administrator, you can view the current logon configuration status for a RAM user at any time. This includes whether console access is enabled, the password status, and MFA settings.
Console
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
In the user list, click the name of the target RAM user.
On the Authentication tab, in the Login Profile section, view the status of the following logon settings:
Console Access: Indicates whether console access is enabled. The possible states are:
Unset: Console access has not been enabled.
Inactive: Console access has been disabled by an administrator.
Active: Console access has been enabled by an administrator.
Last Logined Time: Records the last time the user successfully logged on to the console. This information can be used to audit inactive accounts.
MFA Required: Indicates whether the user is required to complete multi-factor authentication when logging on to the console.
Note: Whether a user is prompted for MFA at logon depends on several factors. The following conditions are checked in order of precedence. If any condition is met, the user must use MFA at logon:
The global MFA policy in RAM is set to Force MFA for All Users (default). For more information, see Configure multi-factor authentication.
The logon settings for the individual RAM user require MFA.
The user has already bound an MFA device, such as a security key or a virtual MFA device.
If none of the preceding conditions are met, Alibaba Cloud still prompts the user to bind an MFA device at each logon, but the user can choose to skip this step.
Password: Indicates whether the user is required to reset their password upon the next logon.
Password: Displays the current status of the user's password. For more information, see What are initial passwords and their expiration periods?
Initial Password Available: The user's initial password has not expired and can be used to log on to the console.
Initial Password Expired: The user's initial password has expired and cannot be used for console logon.
Not Initial Password: The password is not an initial password and is subject only to the regular password expiration policy, not the initial password expiration period.
Console Sign-in: After enabling console access, you can copy the dedicated logon link for this RAM user.
OpenAPI
Required permission: You must have the ram:GetLoginProfile permission.
Call the GetLoginProfile operation to view the console logon settings for a RAM user.
Modify console logon settings for a RAM user
After you enable console logon, a RAM administrator can modify logon settings as needed, such as disabling console logon or resetting the logon password.
Console
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
In the user list, click the name of the target RAM user.
On the Authentication tab, in the Login Profile section, click Modify Logon Settings.
In the Modify Logon Settings dialog box that appears, modify the console logon parameters.
Console Access: Select Disabled to disable console logon for the RAM user.
Important: After disabling console access, the RAM user and any assumed RAM roles are immediately logged out.
Disabling console logon also prevents the user from logging on with a passkey.
For information about the other settings, see Enable console logon.
Click OK.
OpenAPI
Required permission: You must have the ram:UpdateLoginProfile permission.
Call the UpdateLoginProfile operation to modify the console logon settings for a user.
Clear console logon settings for a RAM user
This irreversible action permanently deletes all console logon information for the RAM user, including the password.
Once removed, console logon settings cannot be restored. Proceed with caution.
After removing the console logon settings for a RAM user, the user and any assumed RAM roles are immediately logged out.
Console
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
In the user list, click the name of the target RAM user.
On the Authentication tab, in the Login Profile section, click Remove Logon Settings.
In the Remove Logon Settings confirmation dialog box, click OK.
OpenAPI
Required permission: You must have the ram:DeleteLoginProfile permission.
Call the DeleteLoginProfile operation to remove the console logon settings for a user.
Removing the console logon settings does not remove the user's passkeys, MFA device bindings, or AccessKeys.
Security best practices
Enforce MFA: Enforce MFA for all users who log on to the console. This is one of the most effective ways to protect account security.
Require initial password reset: When you set an initial password, always enable the Require password reset option. This practice prevents administrators and users from sharing passwords.
Separate console and API access: For accounts that require only programmatic access, such as for CI/CD pipelines or applications, disable console logon to reduce the attack surface.
Periodically audit and clean up: Regularly check the Last logon time and disable or remove inactive user accounts.
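The following audit sketch is an added example, not Alibaba Cloud code. It applies the MFA conditions from the note in the View section and the practices listed above to a constructed inventory of logon settings. Only the LastLoginTime field name comes from this page; the other record keys, the timestamp format, the finding labels, and the 90-day idle threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed records, one per RAM user. "LastLoginTime" is the field this page
# names; every other key and the timestamp format are assumptions for the sketch.
PROFILES = [
    {"user": "alice", "console": "Active", "mfa_required": True,
     "mfa_bound": True, "access_key": False, "LastLoginTime": "2026-03-01T08:00:00Z"},
    {"user": "ci-deploy", "console": "Active", "mfa_required": False,
     "mfa_bound": False, "access_key": True, "LastLoginTime": None},
    {"user": "bob", "console": "Active", "mfa_required": True,
     "mfa_bound": False, "access_key": False, "LastLoginTime": "2025-10-01T09:30:00Z"},
    {"user": "carol", "console": "Inactive", "mfa_required": False,
     "mfa_bound": False, "access_key": True, "LastLoginTime": "2025-01-05T10:00:00Z"},
]

def mfa_enforced(profile, global_force_mfa):
    """MFA is mandatory at logon if any one of the three conditions holds."""
    return global_force_mfa or profile["mfa_required"] or profile["mfa_bound"]

def audit(profiles, now, global_force_mfa=False, max_idle_days=90):
    """Return {user: [findings]} for users whose console access is Active."""
    findings = {}
    for p in profiles:
        if p["console"] != "Active":
            continue  # Unset or Inactive: the user cannot log on to the console
        issues = []
        if not mfa_enforced(p, global_force_mfa):
            issues.append("mfa-skippable")  # user is prompted but may skip binding
        if p["LastLoginTime"] is None:
            issues.append("never-logged-on")
            if p["access_key"]:
                # Looks like a programmatic-only account with console logon enabled.
                issues.append("api-only-candidate")
        else:
            last = datetime.strptime(p["LastLoginTime"], "%Y-%m-%dT%H:%M:%SZ")
            if now - last.replace(tzinfo=timezone.utc) > timedelta(days=max_idle_days):
                issues.append("inactive")
        if issues:
            findings[p["user"]] = issues
    return findings
```

In practice the records would be filled from GetLoginProfile responses collected for each user, and the findings reviewed before disabling or removing any logon settings.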
FAQ
What is the difference between disabling console access and removing logon settings?
Disabling console access is reversible and preserves the password and other logon settings. Removing logon settings is irreversible and deletes all logon information.
Does disabling console logon affect AccessKey access?
No. Console logon and programmatic access are independent of each other. To prevent a user from using an AccessKey, you must disable the AccessKey.
How does changing a password or disabling logon affect a current session?
This action immediately terminates the user's current console session and any sessions for assumed RAM roles. The user must log on again. This may interrupt any ongoing operations.
What should a user do if they forget their password? Can they reset their own console logon password?
RAM users cannot reset their own console logon passwords. A RAM administrator must reset the password. For more information, see Reset a password for a RAM user.
How to retrieve the last logon time?
You can view the last logon time in the Console Logon Management section on the Authentication tab of the User Details page in the console.
You can call the GetLoginProfile operation via OpenAPI to obtain the LastLoginTime.
Console: On the user details page, navigate to the Authentication tab. View the Last logon time in the Login Profile section.
OpenAPI: Call the GetLoginProfile operation. The response includes the LastLoginTime field.
What are initial passwords and their expiration periods?
New RAM users that remain unused for long periods create security risks, such as password theft that can lead to resource threats, unexpected fees, or malicious attacks. To mitigate these risks, RAM introduced the "initial password" mechanism, effective January 26, 2026. Console logon passwords that meet specific criteria are flagged as "initial passwords" and have a default validity period of 14 days. If a user does not successfully log on within this period, the password automatically expires and must be reset by a RAM administrator. For more information, see the official announcement.
A password is considered an initial password if it meets any of the following criteria:
First-time creation: The first console logon password set for a RAM user, including both automatically generated and custom passwords.
Re-enablement: The password set for a RAM user after their console logon settings have been removed and then re-enabled.
Reset before first logon: If an initial password is reset by an administrator before the user has successfully logged on with it, the new password is still considered an "initial password", and its validity period is recalculated from the time of the reset.
The initial password expiration period and the regular password expiration period defined in the account's password policy are both in effect. The system enforces whichever period is shorter. A RAM administrator can modify the default initial password expiration period in the global RAM password policy. However, to avoid management complexity, we recommend that the initial password expiration period not exceed the regular password expiration period.
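The rules above can be modeled as a small state machine. This is an added example, not RAM's implementation: it replays a user's password events and returns the password status plus the enforced expiry time. The event labels are hypothetical, and treating an unset regular expiration period as "never expires" is an assumption.

```python
from datetime import datetime, timedelta

def expiry(set_at, initial, initial_days, regular_days):
    """Both periods apply; the shorter one is enforced. None means no expiry."""
    periods = ([initial_days] if initial else []) + ([regular_days] if regular_days else [])
    return set_at + timedelta(days=min(periods)) if periods else None

def password_state(events, now, initial_days=14, regular_days=None):
    """Replay chronological (time, action) events for one RAM user up to `now`.
    Actions (hypothetical labels): set_password, logon, remove_profile.
    Returns (status, expires_at) using the status names shown in the console."""
    has_profile, initial, set_at = False, False, None
    for when, action in events:
        if when > now:
            break
        if action == "set_password":
            # The first password, or the first one after removal, is initial.
            # A reset made before any successful logon stays initial and
            # restarts the validity period from the time of the reset.
            initial = initial or not has_profile
            has_profile, set_at = True, when
        elif action == "remove_profile":
            has_profile, initial, set_at = False, False, None
        elif action == "logon" and has_profile:
            exp = expiry(set_at, initial, initial_days, regular_days)
            if exp is None or when <= exp:
                initial = False  # a successful logon ends the initial phase
    if not has_profile:
        return ("Unset", None)
    exp = expiry(set_at, initial, initial_days, regular_days)
    if not initial:
        return ("Not Initial Password", exp)
    status = "Initial Password Available" if now <= exp else "Initial Password Expired"
    return (status, exp)

# Constructed timeline: password set, then reset by the administrator on day 10
# before the user ever logged on.
T0 = datetime(2026, 2, 1)
SAMPLE = [(T0, "set_password"), (T0 + timedelta(days=10), "set_password")]
```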
How to check initial password status?
On the user details page, on the Authentication tab, view the Password status in the Login Profile section. If the status is Initial password expired, the user cannot log on with the current password, and a RAM administrator must reset it.