The Azure AD Connector integrates Microsoft Azure AD with the Adobe Admin Console to simplify the SSO setup process for Azure IdP users. It automates the user management and license provisioning workflows to establish the setup within minutes.

Note:

If you have a functioning SAML-based SSO configured with Microsoft Azure Identity, we recommend that you keep your current setup. An upcoming feature will allow you to automatically migrate users and SSO configuration.

Overview

You can configure Single Sign-On (SSO) with Microsoft Azure Active Directory (Azure AD) to manage users and entitlements for your Adobe apps and services. The Adobe Admin Console uses Azure AD as the Identity Provider (IdP). 

Azure AD Connector combines the processes of directory creation, domain claim, SSO-setup, and product planning into a simple workflow on the Adobe Admin Console. The Connector also contains a built-in mechanism to sync users and user groups between the two systems, eliminating the multi-step process required for manual configuration. Azure AD users synchronized with the Adobe Admin Console are unique and can be assigned to one or more product profiles. The Connector can manage the relationship between multiple Azure AD tenants and Adobe Admin Consoles.

Once the Connector setup is complete, an initial sync imports all selected users and groups from Azure AD. Thereafter, sync runs periodically to keep the users in the Adobe Admin Console up to date. Whenever a sync adds or removes users or groups, System Administrators of the Admin Console receive a notification email summarizing the change.

Note:

After the initial setup is complete, the sync cycle continues to manage the changes made in Azure Portal and Admin Console. You can trigger sync manually or let it run periodically. It is recommended that you manage users/user groups/domains in the Azure Portal only.

Users and their product entitlements are managed by adding a user to, or removing a user from, the corresponding Azure AD user group. During the sync, the user is added to or removed from the synced Adobe user group and the associated entitlements are provisioned or revoked. A federated user synced by the Azure AD Connector exists as a directory user within the Adobe Admin Console, so removing the user from the corresponding Azure AD group deprovisions the user's entitlements and prevents the user from logging in, but does not permanently delete the account. Only permanently deleting the user account from the directory user base within the Adobe Admin Console removes the account, and with it any assets or content associated with it.
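The sync behaviour described above, modelled in Python as an added example (this is not the Connector's own code): Azure AD group membership is the source of truth, a user dropped from every synced group is deprovisioned but remains a directory user, and only an explicit delete removes the directory user and, with it, the user's assets. The model also flags a group whose membership exceeds the licenses of the product profile it is assigned to, the mismatch the setup section below tells you to avoid. All snapshots, group names, addresses and license counts are constructed for the example.

```python
"""Model of one Azure AD -> Adobe Admin Console sync cycle (added example)."""
from dataclasses import dataclass, field


@dataclass
class AdobeState:
    """Constructed model of the Admin Console side of the sync."""
    groups: dict            # synced user group -> set of user principal names (UPNs)
    directory_users: dict   # UPN -> True (can sign in) / False (deprovisioned)
    licenses: dict          # user group -> licenses in its product profile (assumed config)


@dataclass
class SyncReport:
    """What the notification email would summarize after a sync."""
    added: dict = field(default_factory=dict)        # group -> UPNs added
    removed: dict = field(default_factory=dict)      # group -> UPNs removed
    deprovisioned: list = field(default_factory=list)  # no longer in any synced group
    over_capacity: dict = field(default_factory=dict)  # group -> (members, licenses)


def sync(azure_groups, state):
    """Apply the Azure AD snapshot to the Admin Console state; Azure AD wins."""
    report = SyncReport()
    for name in sorted(set(azure_groups) | set(state.groups)):
        wanted = set(azure_groups.get(name, ()))
        current = set(state.groups.get(name, ()))
        added, removed = sorted(wanted - current), sorted(current - wanted)
        if added:
            report.added[name] = added
        if removed:
            report.removed[name] = removed
        state.groups[name] = wanted
        for upn in wanted:
            state.directory_users[upn] = True   # create, or re-enable, the Federated ID
        capacity = state.licenses.get(name, 0)
        if len(wanted) > capacity:
            report.over_capacity[name] = (len(wanted), capacity)
    # Users in no synced group lose their entitlements and sign-in, but stay in the directory.
    entitled = set().union(*state.groups.values()) if state.groups else set()
    for upn in sorted(state.directory_users):
        if upn not in entitled and state.directory_users[upn]:
            state.directory_users[upn] = False
            report.deprovisioned.append(upn)
    return report


def hard_delete(state, upn):
    """Permanent deletion from Directory Users: irreversible, and destroys the user's assets.

    The guard is this example's own safety check: offboard in Azure AD first so the
    sync has already deprovisioned the user before anyone deletes the directory user.
    """
    if any(upn in members for members in state.groups.values()):
        raise ValueError(f"{upn} is still entitled via a synced group; remove it in Azure AD first")
    return state.directory_users.pop(upn)


def demo():
    """Constructed scenario: bob leaves the designers group, two reviewers are added."""
    state = AdobeState(
        groups={"CC-Designers": {"ana@example.com", "bob@example.com"}},
        directory_users={"ana@example.com": True, "bob@example.com": True},
        licenses={"CC-Designers": 2, "DC-Reviewers": 1},
    )
    azure_snapshot = {
        "CC-Designers": {"ana@example.com"},
        "DC-Reviewers": {"cara@example.com", "dan@example.com"},
    }
    report = sync(azure_snapshot, state)
    return state, report


if __name__ == "__main__":
    state, report = demo()
    print("added:", report.added)
    print("removed:", report.removed)
    print("deprovisioned (still in directory):", report.deprovisioned)
    print("over capacity:", report.over_capacity)
```

Running `demo()` shows `bob@example.com` listed as removed from CC-Designers and deprovisioned, yet still present in `directory_users` with the flag set to False; `DC-Reviewers` is reported as two members against one license. Calling `hard_delete` on a still-entitled user raises, which is the order of operations the page recommends: offboard in the Azure portal, let the sync revoke access, and treat deletion from Directory Users as a separate, irreversible step.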

Benefits of Azure AD integration

The key advantages of switching to the Azure AD integration with Adobe Admin Console are:

  • No duplication of steps such as domain claim and group creation, because the two systems connect directly
  • Quick setup and initiation of the initial sync through a single workflow
  • Microsoft Azure AD is the one place for all actions, including user management and license provisioning
  • Easy onboarding and offboarding of users directly from the associated groups in Azure AD
  • Less administrative effort to run the two systems
  • No additional service or API setup is needed to sync to the Adobe Admin Console, because the consent granted during setup already authorizes the Connector to read the users and directories defined in Azure AD

Prerequisites

To integrate Adobe Admin Console user management with Azure AD, you need the following:

  • Microsoft Azure AD as the identity provider (IdP)
  • One or more of the following products: Creative Cloud for enterprise, Document Cloud for enterprise, or Experience Cloud 
  • Domains associated with Azure AD are unclaimed in the Adobe Admin Console, or you can easily withdraw pending domain claims

If you have already configured SSO with Azure AD using the custom SAML Connector, ensure the following:

  • Remove the users, domains, and directories associated with Azure AD
  • Remove any User Sync Tool or the UMAPI integration to sync users

The table below shows the Azure AD Connector's current and upcoming features. Use this table to decide if a switch is suitable for your organization at the current time.

Component           Feature                                                                  Azure AD Connector (Current version)   Azure AD Connector (Future release)
Create directory    Sync validated domains                                                   Available                              -
                    Sync user groups with Federated ID users                                 Available                              -
Migrate directory   Migrate claimed domains with Adobe to the Azure AD integration setup     -                                      Planned
                    Move a manually configured SSO setup to the Azure AD integration setup   -                                      Planned

Caution:

Deleting users removes access to products, services, and storage. In preparation for the Azure AD Connector sync, ask your Federated users to download and back up the files they need before their accounts are permanently deleted from the Admin Console. If your organization already has a large number of active Federated users within the directory, or uses a separate user management process such as the User Sync Tool, we recommend that you do not adopt the Connector at this time.

Supported integration scenarios

The Azure AD Connector supports multi-Azure AD tenant and multi-Admin Console scenarios. Supported scenarios include:

One-to-one

The organization has a one-to-one relationship between a single Azure tenant and a single Adobe Admin Console with sync established via the Azure AD Connector to manage users and provision licenses.

One-to-many (trusted)

The organization has multiple Adobe Admin Consoles in a primary/trustee relationship, which lets the trustee Admin Consoles use the SSO configuration established on the primary Console. In this case the Azure AD Connector manages users only for the primary Admin Console. A trustee Admin Console can use the SSO configuration, but it needs a separate form of user management (such as manual CSV upload, the User Sync Tool, or the User Management API).

Many-to-one

The organization has multiple Azure AD tenants that feed a single Adobe Admin Console for user management and license provisioning. The Azure AD Connector can establish a multi-tenant sync to a single Admin Console to enable single sign-on and user management for all connected tenants.

One-to-many

The organization has a single Azure AD tenant feeding multiple Adobe Admin Consoles. The Azure AD Connector can be leveraged to sync users from a single directory source to different Adobe Admin Consoles for the same organization.

Set up Azure AD Connector

If you meet the criteria mentioned in the prerequisites section, it's time to set up the integration and get your users up and running with their entitlements.

Set up your users and groups using the Azure portal:
  • Claim domains and set up Azure AD.
  • Add groups and users based on the classification you want in the Adobe Admin Console. It is advisable to create groups according to the users' product requirements.
  • Ensure that the number of users in a group matches the number of licenses available for the corresponding product profile in the Admin Console. This can also be adjusted later.

Once the Azure portal is set up and ready, do the following:

  1. Sign in to the Adobe Admin Console and click Settings. On the Identity page, click Create Directory.

  2. On the Create a Directory screen, do the following and click Start:

    • Enter a name for the directory.
    • Select the Federated ID card.

  3. Select Microsoft Azure and click Next. On the next screen, click Log in to Azure.

  4. You are redirected to the Microsoft account sign-in page. Sign in with an account that holds the Global Administrator role. Review the consent prompt, which lists the permissions the Adobe Azure AD Connector requests, and click Accept to grant it read-only access to your Azure AD tenant. The Global Administrator credentials are used here to grant tenant-wide consent; what the Connector can do afterwards is bounded by the read-only permissions you accept.

  5. Return to the Adobe Admin Console, review your Azure AD information, and click Confirm.

  6. Select the domains validated in Azure AD that you want to sync to the Adobe Admin Console, and click Next.

    Note:

    Only domains whose status is Ownership validated can be selected and synced. Domains with the status Ownership not validated or Owned by other organization cannot be synced until they are validated in the Azure Portal.

  7. Search the list of groups and select the groups to sync to the Adobe Admin Console. Then click Save and Finish setup.

    The validated domains and the directory start to sync from Azure AD. Details such as the number of users synced are displayed in the Details section under the Settings tab.

    Once the sync is complete, you receive a notification email prompting you to assign products to the user groups.

    Note:

    The Connector syncs users that already exist in the Adobe Admin Console with an Adobe ID and creates a corresponding Federated ID for each of them. To migrate Adobe ID users to Federated IDs, see Manage existing user accounts.

Once the initial sync is completed, all users and user groups are imported to the Adobe Admin Console. Create appropriate product profiles and associate them to user groups to fine-tune the assignment of products among users. For more information, see Manage products and profiles.

Note:

When users are assigned the designated products, they receive an email notification. Users can directly download and install Creative Cloud Desktop App. If they don't have admin permissions, follow the next step to create and deploy packages.

To provide access to the apps to your end users, create and deploy the app packages on their computers. Users will need to sign in using their SSO credentials to begin using the apps and services.

For more information, see Create Named User Licensing Packages.

Manage existing user accounts

Additional steps are required to edit a user's existing Adobe ID to Federated ID type, and to reconfigure SSO with Azure AD through the Connector if already established in the Admin Console.

Users that have an existing Adobe ID in the Admin Console can be migrated to a Federated ID account once the Azure AD Connector has been established. Once converted, the Connector syncs these accounts successfully.

To ensure any cloud-stored assets are migrated to the user’s new identity type, follow the process below:

  1. Set up Azure AD Connector and sync users including those who already have an Adobe ID on the Adobe Admin Console. Any users with an existing Adobe ID now have an Adobe and Federated ID in the Adobe Admin Console.

  2. Follow the steps in Edit Identity Type by CSV to change Adobe ID users to the Federated ID type. Ensure that the following fields match:

    • The Username and Email fields match the Username (UserPrincipalName) field in Azure AD.
    • The FirstName and LastName fields match the corresponding fields in Azure AD.

Upon login with the new Federated ID, the user is prompted with an option to automatically migrate cloud-stored assets to the new account.
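A pre-flight check for the identity-type change described above, written in Python as an added example (it is not Adobe tooling). It verifies, for each Adobe ID user being converted, that Username and Email both equal the Azure AD UserPrincipalName, that the first and last names match the Azure AD user, and that the email domain is one of the domains selected for sync in the Connector setup (the Connector only syncs the domains you selected, so a user in an unselected domain cannot be matched). The Azure AD export, the conversion rows, and the set of synced domains are all constructed, and the CSV column names are assumed for this example; in practice use the headers of the template downloaded from the Admin Console.

```python
"""Pre-flight check for "Edit Identity Type by CSV" against an Azure AD export (added example)."""
import csv
import io

# Constructed export of Azure AD users, as you might pull it from the Azure portal.
AZURE_USERS_CSV = """userPrincipalName,givenName,surname
Ana.Lopez@example.com,Ana,Lopez
bob@example.com,Bob,Stone
dan@example.com,Dan,Ng
"""

# Constructed rows for the identity-type change. Column names are assumed, not Adobe's template.
EDIT_ROWS_CSV = """Username,Email,FirstName,LastName
ana.lopez@example.com,ana.lopez@example.com,Ana,Lopez
bob@example.com,robert@example.com,Bob,Stone
carla@example.com,carla@example.com,Carla,Reyes
dan@example.com,dan@example.com,Daniel,Ng
eve@contoso.com,eve@contoso.com,Eve,Adams
"""

# Domains selected for sync during Connector setup (assumed for this example).
SYNCED_DOMAINS = {"example.com"}


def load_azure_users(text):
    """Index the Azure AD export by UserPrincipalName; UPNs are compared case-insensitively."""
    return {row["userPrincipalName"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}


def validate_rows(edit_csv, azure_users, synced_domains):
    """Return {Username: [problems]} for rows that would not line up with the synced Azure AD user."""
    problems = {}
    for row in csv.DictReader(io.StringIO(edit_csv)):
        username = row["Username"].strip().lower()
        email = row["Email"].strip().lower()
        issues = []
        if username != email:
            issues.append("Username and Email differ; both must equal the UserPrincipalName")
        domain = email.rsplit("@", 1)[-1]
        if domain not in synced_domains:
            issues.append(f"domain {domain} is not one of the synced domains")
        azure = azure_users.get(username)
        if azure is None:
            issues.append("no Azure AD user with this UserPrincipalName")
        else:
            if row["FirstName"].strip() != azure["givenName"].strip():
                issues.append(f"FirstName {row['FirstName']!r} != Azure AD givenName {azure['givenName']!r}")
            if row["LastName"].strip() != azure["surname"].strip():
                issues.append(f"LastName {row['LastName']!r} != Azure AD surname {azure['surname']!r}")
        if issues:
            problems[row["Username"]] = issues
    return problems


def run_check():
    """Run the check over the constructed inputs; an empty result means the CSV is safe to upload."""
    return validate_rows(EDIT_ROWS_CSV, load_azure_users(AZURE_USERS_CSV), SYNCED_DOMAINS)


if __name__ == "__main__":
    for user, issues in run_check().items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

On the constructed data only `ana.lopez@example.com` passes: bob's Email differs from his Username, carla has no Azure AD counterpart, dan's FirstName does not match his Azure AD givenName, and eve is both unknown to Azure AD and in a domain that was never selected for sync. Fixing these rows before upload avoids converting an Adobe ID into a Federated ID that the Connector will never match, which would leave the user unable to sign in and the asset migration prompt never triggered.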

If you have a running SSO setup with Azure AD and want to switch to the Azure AD Connector-based setup, you need to first hard delete all users and domains associated with the existing directory. Then, re-establish them by syncing with the Azure AD Connector setup.

Note:

In a future update, the Azure AD Connector will get a self-service migration feature, and will allow an established federated directory to be migrated (including all associated domains and directory users) to sync from Azure AD via the Connector (without deleting directory users, domains, and directories.)

  1. Request your active Federated ID users to manually back up their cloud-stored assets.

    Caution:

    Users who do not back up their assets will lose their data permanently.

  2. Go to the Users section and open Directory Users from the left pane. Choose the federated directory to be removed. Delete all Federated ID users from the directory.

  3. Navigate to Settings > Identity > Domains, select the domains associated with the existing directory, and select Remove Domain. Then follow similar steps to delete the associated directories.

  4. Once the federated directory, associated domains, and respective federated ID users are deleted, start the Azure AD Connector implementation.

This material is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported license. Posts on Twitter™ and Facebook are not covered by the Creative Commons terms.
