Exclude specific users from domain enforcement

Last updated on Nov 11, 2025

Applies to enterprise.

System admins can use an exception list to allow specified users to bypass the domain enforcement policy and create a personal account with their managed email.

Only for domain enforcement

The exception list feature is only available for Admin Console directories with domain enforcement enabled.

Before you begin

Before using the domain enforcement exception list feature, ensure:

Use of exception list

The exception list empowers administrators to balance security and flexibility for users using a claimed domain for their Adobe account.

As a system admin, you may use the exception list in the following scenarios:

  • Add a service or technical account for an automated workflow that cannot use federated authentication.
  • Sign in to the Admin Console or Adobe app using an Adobe ID account in case of SSO-related issues. 
  • Exclude a select group of existing users when using the require email change setting.

Important things to consider

Make sure to consider the following points before using the feature in your domain-enforced directory:

  • Adding an email address to the exception list allows for creating a new user account as an Adobe ID or continuing to use an existing Adobe ID account with the enforced domain.
  • You cannot add an email address already linked to an Enterprise ID or a Federated ID to the exception list. Remove the email address from the Directory Users list and add it to the exception list as an Adobe ID.
  • Similarly, you must remove an email address from the exception list to use the address to create an Enterprise ID or Federated ID individually or edit identity type via CSV.
  • If the require email change policy is enabled, any email address found on the exception list can remain as an Adobe ID using an enforced domain. However, if the email address is removed from the exception list when the policy is enabled, the user will be subject to it.
  • Adding a new user email address to the exception list does not add the user account to your Admin Console. Once added to the exception list, you must add the new user's email address to your Admin Console to create the Adobe ID account.
  • Similarly, removing an email address from the exception list does not remove the user account from your Admin Console. You must remove the user from your Admin Console separately.
  • In the Users list, an icon appears next to an Adobe ID to indicate if it's under enforcement policy.
  • Audit logs capture the events when an email address is added or removed from the exception list.
  • There are specific workflows that may require an Adobe ID account to be created on behalf of a user by Adobe that leverages an enforced domain, including adding a new administrator during creation of a new Adobe contract or access to various Adobe Enterprise commerce applications, such as the Licensing Web Portal. Such events are also captured in Audit logs.

Manage exception list

You can view and edit the exception list in Domain enforcement settings:

Go to the Adobe Admin Console and navigate to the Settings section.

Select the directory with domain enforcement enabled.

Navigate to Identity settings > Domain enforcement section.

Image displays Admin console domain enforcement options. Users can enable domain enforcement, require existing users to change sign-in emails, and exclude specific users from enforcement.

Under Exclude specific users from the domain enforcement section, select View exception list.

Enter the email address of a new or existing user. Then, select Add. The email address has been added to the list and is now exempt from domain enforcement restrictions. Close the exception list.

Tip

Adding a new email address directly to the exception list does not add the user account to the Admin Console. Once added to the exception list, you must add the new user's email address to your Admin Console to create the Adobe ID account.

Add Adobe ID accounts with an enforced domain to a trusted or child Admin Console

System admins can add Adobe ID users with an enforced domain to the Admin Console if there is a trust relationship with a domain-enforced directory or if the target Admin Console is a child of the Admin Console that owns the enforced directory within a Global Admin Console hierarchy.

To add an Adobe ID with an enforced domain to a trusted or child Admin Console, the admin of the owned directory must first complete these steps:

Add the user's email address to the exception list of the enforced parent directory.

Then, create an Adobe ID account for the user's email address in the Admin Console, which contains the enforced directory.

Once the user account is added to the Admin Console containing the enforced directory, the child or the trustee Admin Console can add that same user as an Adobe ID account.

Remove users from the exception list

You can also remove a user from the exception list at any time by navigating View exception list > select target email addresses on the Exception list screen > select Remove selected users.

Removing an email address from the exception list

Removing an email address from the exception list does not remove the user account from your Admin Console. You must remove the user from the Users list of your Admin Console.