Adobe-supported identity types

Adobe uses an underlying identity management system to authenticate and authorize users. If you're using named licensing or are planning to provide access to services, using identities is a requirement. Adobe supports three identity or account types; they use an email address as the user name.


Adobe ID is created, owned, and managed by the end user. Adobe performs the authentication and the end user manages the identity. Users retain complete control over files and data associated with their ID. Users can purchase additional products and services from Adobe. Admins invite users to join the organization, and can remove them. However, users cannot be locked out from their Adobe ID accounts. And the accounts can't be deleted or taken over by the admin.

The following are a few requirements and scenarios, where Adobe IDs are recommended:

  • If you want to enable users to create, own, and manage their identities.
  • If you want to allow users to purchase or sign up for other Adobe products and services.
  • If users are expected to use other Adobe services such as Digital Publishing Suite, which does not currently support Enterprise or Federated IDs.
  • If users already have Adobe IDs, and associated data such as files, fonts, or settings. 
  • In educational setups, where students can retain their Adobe ID after they graduate.
  • If you have contractors and freelancers who don't use your corporate email address.


Enterprise ID is created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID. End-users cannot sign up and create an Enterprise ID, nor can they sign up for additional products and services from Adobe using an Enterprise ID.

Admins create an Enterprise ID and issue it to a user. Admins can revoke access to products and services by taking over the account, or deleting the Enterprise ID to permanently block access to associated data.

The following are a few requirements and scenarios where Enterprise IDs are recommended:

  • If you need to maintain strict control over apps and services available to a user.
  • If you need emergency access to files and data associated with an ID.
  • If you need the ability to completely block or delete a user account.


Federated ID is created and owned by an organization, and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 identity provider.

The following are a few requirements and scenarios where Federated IDs are recommended:

  • If you want to provision users based on your organization's enterprise directory.
  • If you want to manage authentication of users.
  • If you need to maintain strict control over apps and services available to a user.
  • If you want to allow users to use the same email address to sign up for an Adobe ID.

You can use Adobe IDs, Enterprise IDs, and Federated IDs in the same enterprise deployment. For example, use Adobe IDs for users who may use other Adobe product and services, such as or Digital Publishing Suite. Use Enterprise or Federated IDs for users where you want to strictly manage their accounts.

Impact on Creative Cloud end users

Before you create Enterprise IDs or Federated IDs, consider the impact on existing users. It is possible that users have an Adobe ID with email addresses from your domain to access products and services from Adobe.

Any data, such as design libraries, files, fonts, app settings, Adobe Color themes, Behance portfolios are not transferred to the Enterprise ID or Federated ID account. These will remain available with the Adobe ID account, now accessible under the updated email address.

If you decide to create Enterprise or Federated IDs for existing Creative Cloud members (Adobe IDs), users may need to manually migrate data from their Adobe ID accounts.

  • Sync Settings: Users can sign in to an app with their Adobe ID, sync settings, sign out, and then sign in with the Enterprise or Federated ID. The latest settings on the desktop can then be synced to Creative Cloud.
  • Creative Cloud Assets: Users need to download files from the existing Adobe ID account, and then upload them to the Enterprise or Federated ID account. If end-users use the Creative Cloud desktop app to sync files, all files are already present on their computers. For more information, see Transfer assets.
    Note: Comments and versions associated with the files are not retained.
  • Typekit: When an enterprise has claimed its own domain to create Enterprise or Federated IDs, existing Typekit accounts which are linked to addresses in that domain might be affected. Typekit accounts can be restored by contacting Contact or your Adobe sales representative for more information.
  • Behance: Users can access their Behance profile using the new email address. However, they’ll need to update the email address in their Behance email preferences. There is no direct way to migrate the data from Behance.  As a work-around, users could do the following for Behance:
    1. Create a new account using their Enterprise or Federated ID
    2. Sign in to their existing account
    3. Co-own the projects in the existing account with their new account.
    4. Optionally, then log into their new account and remove the co-owner of their old account. This would migrate the content but not the comments and followers associated with the old account.
  • PhoneGap Build: Users can migrate associated data when they switch to Enterprise IDs.
  • Adobe Color: To migrate data from an Adobe ID to an Enterprise or Federated ID, users can send a request to
  • Lightroom: Data is synced again from the desktop to Creative Cloud using the Enterprise or Federated ID.
  • Story Plus: Users can access data using the updated email address. There is no migration path to associate existing data with the Enterprise or Federated ID.

If existing Creative Cloud users, were using services that are not included with Creative Cloud for enterprise, their memberships revert to free versions. If users discontinue the Creative Cloud membership associated with their Adobe ID, access is limited. For example, DPS users will be able to access their Folios, but won't be able to publish them. Similarly, Web hosting will expire after 30 days.

Claim a domain

User identities are verified against an authorization source. Adobe IDs use an authorization source managed by Adobe. To use Enterprise ID or Federated ID, set up your own authorization source by claiming a domain. For example, if your email address is, is your domain. A claimed domain permits the creation of Enterprise IDs or Federated IDs with email addresses on the claimed domain. A claimed domain can be used either with Enterprise IDs or Federated IDs, but not both. You can however claim multiple domains.

An organization must demonstrate their control over a domain to claim it. An organization can also claim multiple domains. However, a domain can be claimed only once. Known public and generic domains, such as or cannot be claimed at all.

To use Enterprise or Federated IDs, start by claiming a domain. If your organization controls multiple domains, you can claim all of them. You need to verify that you control the domain by adding a token to the DNS.

To initiate the domain claim procedure, do the following:

  1. Sign in to the Admin Console.

  2. Navigate to Identity > Claimed domains.

  3. Click Claim domain.

  4. Enter a domain.

  5. Choose an identity type and click Submit.

    Claim Domain

    If the domain, has already been claimed by another organization, you will be prompted with the following message:


    To request access to this domain, discontinue with the remaining steps in this procedure and follow the procedures detailed in Request access to a claimed domain.

    If the domain has not been claimed by another organization, a DNS token is generated and displayed next to the domain. In this case, continue with the next step in this procedure.

  6. Click Yes to request access to this domain.

    For more details, see Request access to a claimed domain

  7. Add the token to the DNS.
    To verify that you own the domain, you must add a TXT record with the generated DNS token. The exact instructions depend on your domain host, but follow the generic guidelines provided in Verify ownership of a domain.

    You need to add information to your DNS servers to complete this step. Let your network administrators know in advance so that this step can be completed within the specified time. You'll receive an email from Adobe once the domain has been successfully claimed, and is ready for activation


    The generated DNS token will expire within 365 days so you must complete this procedure within that period.

  8. Once the DNS token is active, click Attempt Validation.

    Attempt Validation
  9. If you're claiming a domain to setup Federated IDs, see Configure Single Sign-On for detailed instructions.

  10. Activate the domain to complete the process.


Activating the domain cannot be undone. You can withdraw the request before activation, but not after you've activated it.

Switch user identity

As a System Administrator, you can change the identity type for the users in your organization from Adobe ID type users to Enterprise ID or Federated ID type users. Alternatively, you can switch Enterprise ID or Federated ID type users to Adobe ID. For details on user identity types, see the Adobe-supported identity types section, in this document.

If you switch the identity type for users from Adobe ID to Enterprise or Federated ID, these users will continue to have access to their personally-owned Adobe ID. However, they will access the organization’s Adobe apps, services, and solutions through the new identity type assigned to them.


You cannot switch Enterprise ID type users to Federated ID or Federated ID type users to Enterprise ID.

The following procedure enables you to switch user identity for users in bulk. However, you can also edit user details such as email addresses or users names for individual users in the Admin Console or by using the User Sync tool or the User Management API.

  1. In the Users tab, click  and in the drop-down list, choose Bulk edit identity type.

    The Bulk edit identity type dialog is displayed.


    You can download all users or you can filter your download by domain or product.

  2. To download the user data, click Download Users.

    A .csv file downloaded to your computer contains the following data:

    • Identity type - Adobe ID, Enterprise ID or Federated ID
    • User name
    • Domain
    • New identity type - Adobe ID, Enterprise ID or Federated ID
    • New email
    • New username
    • New country code
  3. Open the .csv file in Excel and make changes to the identity types, as required.


    Ensure that you specify the correct country code for the users. This code must match the country in which their assets are located.

    Also, this code cannot later be changed.


    If you are switching an Adobe ID user type to an Enterprise ID or Federated ID type, you will need to ensure that the Adobe ID email matches the email ID for user in the Enterprise.

    Adobe ID email Enterprise ID or Federated ID email User identity switch Success Fail
  4. Click  and in the drop-down list, choose Bulk edit identity type.

    The Bulk edit identity type dialog is displayed again.

  5. To upload the updated .csv file, click Upload and select the file in the Browse dialog.

If you switch the identity of Adobe ID users in an organization on the Admin Console to Enterprise ID or Federated ID users, the Adobe ID users will be removed from the organization.

After the bulk operation is complete, you will receive an email. You can also view a detailed report of the operation, on the Users > Bulk operations results tab.

Also, the users whose identity has changed, will receive a notification. Those users will need to use the new identity when working with the Adobe products they have been provisioned.

This process will also migrate the permissions and provisioned products for all migrated users.

Important: If your users were previously using Adobe IDs and had assets linked to their Adobe ID account, these users will need to migrate these assets as described in Migrate assets using Adobe Creative Cloud.

User emails

After the bulk operation is complete, your users will receive the following emails indicating that they will need to use their new credentials:

Federated IDs


Enterprise IDs


Password requirements

Adobe Admin Console supports several password protection levels and policies to ensure safety and security. You can specify to use a password protection level to apply to all users across your organization. Adobe supports three levels of security. Password policies apply to Adobe ID and Enterprise ID account types.

All accounts include a lockout mechanism. If the system detects a quick succession of multiple failed login attempts, the user account is temporarily unavailable to prevent brute force attacks.

To specify a password policy, do the following:

  1. In the Admin Console, choose Identity > Password Requirements.

  2. Click a password level to select it, and then click Save.

    Click a password level to select it, Click Save

Manage encryption

For more information, see Manage encryption.

Event logs

Event logs give you more information about errors that may happen while setting up your Federated ID. You can view details on any active domain configured as Federated ID by viewing the event logs in the Admin Console.

For details, see View Federated ID event logs.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy