If you have a functioning SAML-based SSO configured with Microsoft Azure Identity, we recommend that you keep your current setup. An upcoming feature will allow you to automatically migrate users and SSO configuration.
You can configure Single Sign-On (SSO) with Microsoft Azure Active Directory (Azure AD) to manage users and entitlements for your Adobe apps and services. The Adobe Admin Console uses Azure AD as the Identity Provider (IdP).
Azure AD Connector combines the processes of directory creation, domain claim, SSO-setup, and product planning into a simple workflow on the Adobe Admin Console. The Connector also contains a built-in mechanism to sync users and user groups between the two systems, eliminating the multi-step process required for manual configuration. Azure AD users synchronized with the Adobe Admin Console are unique and can be assigned to one or more product profiles. The Connector can manage the relationship between multiple Azure AD tenants and Adobe Admin Consoles.
Once the Connector setup is complete, an initial sync imports all users and groups from Azure AD. Thereafter, syncing is performed periodically to keep users in the Adobe Admin Console up-to-date. System Administrators of the Admin Console receive a notification email including a summary of added or removed users and groups when a change is made with the Azure AD sync.
After the initial setup is complete, the sync cycle continues to manage the changes made in Azure Portal and Admin Console. You can trigger sync manually or let it run periodically. It is recommended that you manage users/user groups/domains in the Azure Portal only.
Users and their product entitlements are managed by adding or removing a user from the corresponding Azure AD user group. During the sync, a user is added or removed from the synced Adobe group and the associated entitlements are provisioned or revoked. A federated user synced with the Azure AD Connector exists as a directory user within the Adobe Admin Console, therefore removing a user via the corresponding Azure AD group deprovisions the user's entitlement and prevent their ability to log in, but won't permanently delete the account. Permanently deleting the user account from the directory user base within the Adobe Admin Console will permanently remove any assets or content associated with the user's account.
The key advantages of switching to the Azure AD integration with Adobe Admin Console are:
- No replication of steps like domain claim, group creation, etc as the two systems connect directly
- Quick set up and initiation of the Initial sync through a seamless workflow
- Microsoft Azure AD is the one place for all actions including user management and license provisioning
- Easy to onboard and offboard users directly from the associated groups in Azure AD
- Less manpower needed to administer the two systems
- No additional service or API setup needed to sync to the Adobe Admin Console, as direct approval to manage users and directories already defined in the Azure AD system
To derive benefit from the functionality to integrate Adobe Admin Console User management with that of Azure AD, you need the following:
- Microsoft Azure AD as the identity provider (IdP)
- One or more of the following products: Creative Cloud for enterprise, Document Cloud for enterprise, or Experience Cloud
- Domains associated with Azure AD are unclaimed in the Adobe Admin Console, or you can easily withdraw pending domain claims
If you have already configured SSO with Azure AD using the custom SAML Connector, ensure the following:
- Remove the users, domains, and directories associated with Azure AD
- Remove any User Sync Tool or the UMAPI integration to sync users
The table below shows the Azure AD Connector's current and upcoming features. Use this table to decide if a switch is suitable for your organization at the current time.
|Components||Features||Azure AD Connector (Current version)||Azure AD Connector (Future release)|
|Create directory||Sync validated domains||✓||✓|
|Sync user groups with Federated ID users
|Migrate directory||Migrate claimed domains with Adobe to Azure AD integration setup||✗||✓|
|Move manually configured SSO setup to the Azure AD integration setup||✗||✓|
Deleting users removes access to products, services, and storage. In preparation for Azure AD Connector sync, ask your Federated users to download and back up required files prior to their permanent deletion from the Admin Console. If your organization already has a large number of active Federated users within the directory, or utilizes a separate user management process, such as the User Sync Tool, it's recommended that you do not adopt the Connector currently.
The Azure AD Connector supports multi-Azure AD tenant and multi-Admin Console scenarios. Supported scenarios include:
The organization has multiple Adobe Admin Consoles in a primary or trustee relationship, allowing the trustee Admin Consoles to take advantage of the SSO configuration established on the primary Console. The Azure AD Connector only manages users for the primary Admin Console in such case. The trustee Admin Console can leverage the SSO configuration, but it uses a separate form of user management service (such as CSV manual upload, User Sync Tool, or User Management API).
If you meet the criteria mentioned in the prerequisites section, it's time to set up the integration and get your users up and running with their entitlements.
- Claim domains and set up Azure AD.
- Add Groups and Users, based on the desired classification in the Adobe Admin Console. It is advised to create groups based on their users' product requirements.
- Ensure the number of users in a group match the number of licenses available for corresponding product profiles in the Admin Console. However, this can be managed later as well.
Only the domains with the status ownership validated can be selected and synced. Domains with statuses Ownership not validated and Owned by other organization cannot be synced without validation in Azure Portal.
Search from the list of Groups and select the groups to be synced to the Adobe Admin Console. Then, click Save and Finish setup.
Validated domains and directories start to sync from Azure AD. Details like users synced are displayed in the Details section under Settings tab.
The Connector syncs users that exist in the Adobe Admin Console with an Adobe ID and creates their corresponding Federated ID. To migrate Adobe ID users to Federated IDs, see manage existing user accounts.
Once the initial sync is completed, all users and user groups are imported to the Adobe Admin Console. Create appropriate product profiles and associate them to user groups to fine-tune the assignment of products among users. For more information, see Manage products and profiles.
When users are assigned the designated products, they receive an email notification. Users can directly download and install Creative Cloud Desktop App. If they don't have admin permissions, follow the next step to create and deploy packages.
To provide access to the apps to your end users, create and deploy the app packages on their computers. Users will need to sign in using their SSO credentials to begin using the apps and services.
For more information, see Create Named User Licensing Packages.
Additional steps are required to edit a user's existing Adobe ID to Federated ID type, and to reconfigure SSO with Azure AD through the Connector if already established in the Admin Console.
Users that have an existing Adobe ID in the Admin Console can be migrated to a Federated ID account once the Azure AD Connector has been established. Once converted, the Connector syncs these accounts successfully.
To ensure any cloud-stored assets are migrated to the user’s new identity type, follow the process below:
Set up Azure AD Connector and sync users including those who already have an Adobe ID on the Adobe Admin Console. Any users with an existing Adobe ID now have an Adobe and Federated ID in the Adobe Admin Console.
Follow the steps in Edit Identity Type by CSV to change Adobe ID users to Federated ID type. Ensure to match the following details:
- Match Username and Email fields with Username (UserPrincipalName) fields in Azure AD.
- Match FirstName and LastName with the corresponding fields in Azure AD.
Upon login with the new Federated ID, the user will be prompted with an option to automatically migrate cloud-stored assets to the new account.
If you have a running SSO setup with Azure AD and want to switch to the Azure AD Connector-based setup, you need to first hard delete all users and domains associated with the existing directory. Then, re-establish them by syncing with the Azure AD Connector setup.
In a future update, the Azure AD Connector will get a self-service migration feature, and will allow an established federated directory to be migrated (including all associated domains and directory users) to sync from Azure AD via the Connector (without deleting directory users, domains, and directories.)
Request your active Federated ID users to manually back up their cloud-stored assets.
Users who do not back up their assets will lose their data permanently.