When you create a user in an AWS Cognito user pool using the AdminCreateUser API action, the email address you provide is not automatically flagged as verified. None of the lambdas that are called by other user creation or sign-up methods get called either. Why is this?
Without a verified email address, users cannot change their passwords again after changing from the temporary passwords that are assigned when the account is created. This isn't really too much of a problem, and the answer is even mentioned in the AWS documentation - either set the email_verified attribute to True in the call to AdminCreateUser, or use AdminUpdateUserAttributes to do the same thing.
However, when you follow the instructions and set the email_verified attribute of a user to True, you may see that the email_verified attribute of another user has been set to False, and the user is no longer verified, This happens even though you didn't tell Cognito to do anything. Why does it do this?
This effect happens if you do something like the following:
Say you're working on a system with three accounts: Victoria, Edward and George. None of them have verified email addresses, so you decide to set them.
First you set Victoria's account email_verified attribute to True. You display the contents of the user pool and see that everything looks as it should, with Victoria's email_verified attribute definitely set to True.
Next you set Edward's account email_verified attribute to True. You refresh the display of the contents of the user pool and see that Edward's email_verified attribute is set to True, but strangely Victoria's is now False.
For some reason, it looks like your call to AdminUpdateUserAttributes or admin-update-user-attributes changed a value on the wrong user; trying to set the email_verified attribute to True on one user has set the email_verified attribute to False on another user.
Just to make sure, you set George's account email_verified attribute to True. Refreshing the display of the contents of the user pool you see that George's email_verified attribute is set to True, but Victoria's AND Edward's email_verified attributes are now False. Once again it looks like AdminUpdateUserAttributes or admin-update-user-attributes changed the wrong user's attribute to the wrong value.
The reason I've found for this happening is that the user pool containing your users is configured to allow multiple users to be registered with the same email address. This can be useful for development and testing, but can cause problems. If multiple user accounts all share the same email, then you'll get the problem described here - only one account with any given email address can have its email_verified attribute set to True, and trying to set more than one will set all of the others to False.
To avoid these problems, ensure that each user in your Cognito user pool has a unique email address.