diff --git a/apis/ssoadmin/v1beta1/zz_accountassignment_types.go b/apis/ssoadmin/v1beta1/zz_accountassignment_types.go
index 2b99231066..6145112eec 100755
--- a/apis/ssoadmin/v1beta1/zz_accountassignment_types.go
+++ b/apis/ssoadmin/v1beta1/zz_accountassignment_types.go
@@ -31,7 +31,7 @@ type AccountAssignmentObservation struct {
 	// The Amazon Resource Name (ARN) of the Permission Set that the admin wants to grant the principal access to.
 	PermissionSetArn *string `json:"permissionSetArn,omitempty" tf:"permission_set_arn,omitempty"`
 
-	// An identifier for an object in SSO, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
+	// An identifier for an object in SSO, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). This can be set to the crossplane external-name of either a Group or User in the identitystore api group, but the Ref and Selector fields will only work with a Group.
 	PrincipalID *string `json:"principalId,omitempty" tf:"principal_id,omitempty"`
 
 	// The entity type for which the assignment will be created. Valid values: USER, GROUP.
@@ -64,21 +64,20 @@ type AccountAssignmentParameters struct {
 	// +kubebuilder:validation:Optional
 	PermissionSetArnSelector *v1.Selector `json:"permissionSetArnSelector,omitempty" tf:"-"`
 
-	// Reference to a Group in identitystore to populate principalId.
+	// An identifier for an object in SSO, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6). This can be set to the crossplane external-name of either a Group or User in the identitystore api group, but the Ref and Selector fields will only work with a Group.
+	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/identitystore/v1beta1.Group
+	// +crossplane:generate:reference:refFieldName=PrincipalIdFromGroupRef
+	// +crossplane:generate:reference:selectorFieldName=PrincipalIdFromGroupSelector
 	// +kubebuilder:validation:Optional
-	PrincipalGroupRef *v1.Reference `json:"principalGroupRef,omitempty" tf:"-"`
+	PrincipalID *string `json:"principalId,omitempty" tf:"principal_id,omitempty"`
 
-	// Selector for a Group in identitystore to populate principalId.
+	// Reference to a Group in identitystore to populate principalId.
 	// +kubebuilder:validation:Optional
-	PrincipalGroupSelector *v1.Selector `json:"principalGroupSelector,omitempty" tf:"-"`
+	PrincipalIDFromGroupRef *v1.Reference `json:"principalIdFromGroupRef,omitempty" tf:"-"`
 
-	// An identifier for an object in SSO, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
-	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/identitystore/v1beta1.Group
-	// +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("group_id",true)
-	// +crossplane:generate:reference:refFieldName=PrincipalGroupRef
-	// +crossplane:generate:reference:selectorFieldName=PrincipalGroupSelector
+	// Selector for a Group in identitystore to populate principalId.
 	// +kubebuilder:validation:Optional
-	PrincipalID *string `json:"principalId,omitempty" tf:"principal_id,omitempty"`
+	PrincipalIDFromGroupSelector *v1.Selector `json:"principalIdFromGroupSelector,omitempty" tf:"-"`
 
 	// The entity type for which the assignment will be created. Valid values: USER, GROUP.
 	// +kubebuilder:validation:Required
diff --git a/apis/ssoadmin/v1beta1/zz_generated.deepcopy.go b/apis/ssoadmin/v1beta1/zz_generated.deepcopy.go
index b5fb8cd655..3eb03d5f3c 100644
--- a/apis/ssoadmin/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ssoadmin/v1beta1/zz_generated.deepcopy.go
@@ -160,21 +160,21 @@ func (in *AccountAssignmentParameters) DeepCopyInto(out *AccountAssignmentParame
 		*out = new(v1.Selector)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.PrincipalGroupRef != nil {
-		in, out := &in.PrincipalGroupRef, &out.PrincipalGroupRef
+	if in.PrincipalID != nil {
+		in, out := &in.PrincipalID, &out.PrincipalID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrincipalIDFromGroupRef != nil {
+		in, out := &in.PrincipalIDFromGroupRef, &out.PrincipalIDFromGroupRef
 		*out = new(v1.Reference)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.PrincipalGroupSelector != nil {
-		in, out := &in.PrincipalGroupSelector, &out.PrincipalGroupSelector
+	if in.PrincipalIDFromGroupSelector != nil {
+		in, out := &in.PrincipalIDFromGroupSelector, &out.PrincipalIDFromGroupSelector
 		*out = new(v1.Selector)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.PrincipalID != nil {
-		in, out := &in.PrincipalID, &out.PrincipalID
-		*out = new(string)
-		**out = **in
-	}
 	if in.PrincipalType != nil {
 		in, out := &in.PrincipalType, &out.PrincipalType
 		*out = new(string)
diff --git a/apis/ssoadmin/v1beta1/zz_generated.resolvers.go b/apis/ssoadmin/v1beta1/zz_generated.resolvers.go
index 1634fcbfdc..caa1b64f42 100644
--- a/apis/ssoadmin/v1beta1/zz_generated.resolvers.go
+++ b/apis/ssoadmin/v1beta1/zz_generated.resolvers.go
@@ -41,9 +41,9 @@ func (mg *AccountAssignment) ResolveReferences(ctx context.Context, c client.Rea
 
 	rsp, err = r.Resolve(ctx, reference.ResolutionRequest{
 		CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.PrincipalID),
-		Extract:      resource.ExtractParamPath("group_id", true),
-		Reference:    mg.Spec.ForProvider.PrincipalGroupRef,
-		Selector:     mg.Spec.ForProvider.PrincipalGroupSelector,
+		Extract:      reference.ExternalName(),
+		Reference:    mg.Spec.ForProvider.PrincipalIdFromGroupRef,
+		Selector:     mg.Spec.ForProvider.PrincipalIdFromGroupSelector,
 		To: reference.To{
 			List:    &v1beta1.GroupList{},
 			Managed: &v1beta1.Group{},
@@ -53,7 +53,7 @@ func (mg *AccountAssignment) ResolveReferences(ctx context.Context, c client.Rea
 		return errors.Wrap(err, "mg.Spec.ForProvider.PrincipalID")
 	}
 	mg.Spec.ForProvider.PrincipalID = reference.ToPtrValue(rsp.ResolvedValue)
-	mg.Spec.ForProvider.PrincipalGroupRef = rsp.ResolvedReference
+	mg.Spec.ForProvider.PrincipalIdFromGroupRef = rsp.ResolvedReference
 
 	return nil
 }
diff --git a/examples-generated/ssoadmin/accountassignment.yaml b/examples-generated/ssoadmin/accountassignment.yaml
index 538ff383ff..3136eb7343 100644
--- a/examples-generated/ssoadmin/accountassignment.yaml
+++ b/examples-generated/ssoadmin/accountassignment.yaml
@@ -12,7 +12,7 @@ spec:
     permissionSetArnSelector:
       matchLabels:
         testing.upbound.io/example-name: aws_ssoadmin_permission_set
-    principalGroupSelector:
+    principalIdFromGroupSelector:
       matchLabels:
         testing.upbound.io/example-name: aws_identitystore_group
     principalType: GROUP
diff --git a/package/crds/ssoadmin.aws.upbound.io_accountassignments.yaml b/package/crds/ssoadmin.aws.upbound.io_accountassignments.yaml
index c60b4228c0..7e97f4ae1d 100644
--- a/package/crds/ssoadmin.aws.upbound.io_accountassignments.yaml
+++ b/package/crds/ssoadmin.aws.upbound.io_accountassignments.yaml
@@ -149,7 +149,14 @@ spec:
                             type: string
                         type: object
                     type: object
-                  principalGroupRef:
+                  principalId:
+                    description: An identifier for an object in SSO, such as a user
+                      or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
+                      This can be set to the crossplane external-name of either a
+                      Group or User in the identitystore api group, but the Ref and
+                      Selector fields will only work with a Group.
+                    type: string
+                  principalIdFromGroupRef:
                     description: Reference to a Group in identitystore to populate
                       principalId.
                     properties:
@@ -184,7 +191,7 @@ spec:
                     required:
                     - name
                     type: object
-                  principalGroupSelector:
+                  principalIdFromGroupSelector:
                     description: Selector for a Group in identitystore to populate
                       principalId.
                     properties:
@@ -224,10 +231,6 @@ spec:
                             type: string
                         type: object
                     type: object
-                  principalId:
-                    description: An identifier for an object in SSO, such as a user
-                      or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
-                    type: string
                   principalType:
                     description: 'The entity type for which the assignment will be
                       created. Valid values: USER, GROUP.'
@@ -442,6 +445,9 @@ spec:
                   principalId:
                     description: An identifier for an object in SSO, such as a user
                       or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
+                      This can be set to the crossplane external-name of either a
+                      Group or User in the identitystore api group, but the Ref and
+                      Selector fields will only work with a Group.
                     type: string
                   principalType:
                     description: 'The entity type for which the assignment will be