Product Documentation

Identity and access management

Identity and Access Management page in Citrix Cloud console

Identity and Access Management defines the identity providers and accounts used for administrators of and subscribers to Citrix Cloud and its offerings.

Identity providers

By default, Citrix Cloud uses the Citrix Identity provider to manage the identity information for all users in your Citrix Cloud account. You can change this to use Azure Active Directory, on-premises Active Directory, or Active Directory with a token.

For instructions for using Azure Active Directory, see Connect Azure Active Directory to Citrix Cloud.

To connect your on-premises Active Directory to Citrix Cloud, you install the Citrix Cloud Connector on a machine joined to your domain. For more information about Cloud Connector requirements and installation instructions, see Cloud Connector Installation.

To connect your Active Directory to Citrix Cloud

  1. From the Authentication tab, click the ellipsis menu and select Connect.
  2. Click Install Connector to download the Cloud Connector software.
  3. Launch the Cloud Connector installer and perform the following actions:
    1. Sign in to Citrix Cloud when prompted.
    2. If you’re an administrator for multiple customer accounts, select the account you want to associate with the Cloud Connector.
    3. If your customer account has multiple resource locations, select the resource location you want to associate with the Cloud Connector.
    4. Click Install. After installation, the installer performs a connectivity check to ensure your Active Directory is connected to Citrix Cloud. This check can take a few minutes.
    5. Click Close.
  4. From the Connect to Active Directory page, click Detect. After verification, Citrix Cloud displays a message that your Active Directory is connected.
  5. Click Return to Authentication. The Active Directory entry is marked Enabled on the Authentication tab.


Administrators use their identity to access Citrix Cloud, perform management activities, and install the Citrix Cloud Connector.

A Citrix identity mechanism provides authentication for administrators using an email address and password. Administrators can also use their My Citrix credentials to sign in to Citrix Cloud.

Add new administrators

During the account onboarding process, an initial administrator is created. The administrator can then invite other administrators to join Citrix Cloud. These new administrators can use their existing Citrix account credentials or set up a new account if needed. You can also fine-tune the access permissions of the administrators you invite. This allows you to define access that’s aligned with the administrator’s role in your organization.

To invite other administrators and fine-tune their access to Citrix Cloud, see Add administrators to a Citrix Cloud account.

Reset your password

If you forget or want to reset your password, click Forgot your username or password? on the Citrix Cloud sign in page. After you enter your email address or username to find your account, Citrix sends you an email with a link to reset your password.

Tip: Add to your email whitelist to ensure the email doesn’t land in your spam or trash folders.

Remove administrators

You can remove administrators from your Citrix Cloud account on the Administrator tab. When you remove an administrator, they can no longer sign in to Citrix Cloud.

If an administrator is logged in when you remove the account, the administrator will stay active for a maximum of one minute. Afterward, access to Citrix Cloud is denied.


  • If there’s only one administrator in the account, you can’t remove that administrator. Citrix Cloud requires at least one administrator for each customer account.
  • Citrix Cloud Connectors are not linked to administrator accounts. So, Cloud Connectors will continue operating even if you remove the administrator who installed it.


A subscriber’s identity defines the services to which they have access in Citrix Cloud. This identity comes from Active Directory domain accounts provided from the domains within the resource location. Assigning a subscriber to a Library offering authorizes the subscriber to access that offering.

Administrators can control which domains are used to provide these identities on the Domains tab. If you plan to use domains from multiple forests, install at least two Cloud Connectors in each forest. Citrix recommends at least two Cloud Connectors to maintain a high availability environment.


  • Disabling domains prevents new identities only from being selected. It does not prevent subscribers from using identities that are already allocated.
  • Each Cloud Connector can enumerate and use all the domains from the single forest in which it is installed.

Manage subscriber usage

You can add subscribers to offerings using individual accounts or Active Directory groups. Using Active Directory groups does not require management through Citrix Cloud after you assign the group to an offering.

When an administrator removes an individual subscriber or group of subscribers from an offering, those subscribers can no longer access the service. For more information about removing subscribers from specific services, refer to the service’s documentation on the Citrix Product Documentation web site.

Primary resource locations

A primary resource location is a resource location that you designate as “most preferred” for communications between your domain and Citrix Cloud. The resource location you select as “primary” should have Cloud Connectors that have the best performance and connectivity to your domain. This enables your users to log on quickly to Citrix Cloud.

For more information, see Select a primary resource location.

Identity and access management