Log in to the Adobe Admin Console and navigate to the Settings section.
System admins can use an exception list to allow specified users to bypass the domain enforcement policy and create a personal account with their managed email.
The exception list feature is only available for Admin Console directories with domain enforcement enabled.
Before using the domain enforcement exception list feature, ensure:
- You have system admin access to the Adobe Admin Console.
- Your Admin Console directory has domain enforcement enabled.
The exception list empowers administrators to balance security and flexibility for users using a claimed domain for their Adobe account.
As a system admin, you may use the exception list in the following scenarios:
- Add a service or technical account for an automated workflow that cannot use federated authentication.
- Sign in to the Admin Console or Adobe app using an Adobe ID account in case of SSO-related issues.
- Exclude a select group of existing users when using the require email change setting.
Make sure to consider the following points before using the feature in your domain-enforced directory:
- Adding an email address to the exception list allows for creating a new user account as an Adobe ID or continuing to use an existing Adobe ID account with the enforced domain.
- You cannot add an email address already linked to an Enterprise ID or a Federated ID to the exception list. Remove the email address from the Directory Users list and add it to the exception list as an Adobe ID.
- Similarly, you must remove an email address from the exception list before you can use it to create an Enterprise ID or Federated ID individually, or to edit the identity type via CSV.
- If the require email change policy is enabled, any email address found on the exception list can remain as an Adobe ID using an enforced domain. However, if the email address is removed from the exception list when the policy is enabled, the user will be subject to it.
- Adding a new user email address to the exception list does not add the user account to your Admin Console. Once added to the exception list, you must add the new user's email address to your Admin Console to create the Adobe ID account.
- Similarly, removing an email address from the exception list does not remove the user account from your Admin Console. You must remove the user from your Admin Console separately.
- In the Users list, an icon appears next to an Adobe ID to indicate if it's under enforcement policy.
- Audit logs capture the events when an email address is added or removed from the exception list.
- Specific workflows may require Adobe to create, on behalf of a user, an Adobe ID account that uses an enforced domain, including adding a new administrator during creation of a new Adobe contract or access to various Adobe Enterprise commerce applications, such as the Licensing Web Portal. Such events are also captured in Audit logs.
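Because the exception list and the Users list are maintained separately, a periodic review can reconcile the two. The following is an added example, not Adobe's code: the CSV column names, the sample addresses and the availability of both lists as exports are assumptions made for illustration.

```python
import csv
import io

# Constructed sample data; the column names are assumptions for this example.
USERS_CSV = """Identity Type,Email
Adobe ID,svc-render@example.com
Adobe ID,alice@example.com
Federated ID,bob@example.com
Federated ID,carol@example.com
Adobe ID,dave@partner.example.net
"""
EXCEPTION_LIST = ["svc-render@example.com", "Carol@Example.com", "breakglass@example.com"]
ENFORCED_DOMAINS = {"example.com"}


def norm(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def reconcile(users_csv, exception_list, enforced_domains):
    """Compare the exception list with the directory's users and report drift."""
    identity_by_email = {}
    for row in csv.DictReader(io.StringIO(users_csv)):
        identity_by_email[norm(row["Email"])] = row["Identity Type"].strip()
    exceptions = {norm(e) for e in exception_list}
    report = {"no_account": [], "conflicting_identity": [], "unexcepted_adobe_id": []}
    for email in sorted(exceptions):
        identity = identity_by_email.get(email)
        if identity is None:
            # On the list but never added as a user: an exception with no account behind it.
            report["no_account"].append(email)
        elif identity != "Adobe ID":
            # Enterprise/Federated addresses cannot be on the list, so the exports are out of sync.
            report["conflicting_identity"].append(email)
    for email, identity in sorted(identity_by_email.items()):
        domain = email.rsplit("@", 1)[-1]
        if identity == "Adobe ID" and domain in enforced_domains and email not in exceptions:
            # Adobe ID on an enforced domain without an exception: subject to the policy.
            report["unexcepted_adobe_id"].append(email)
    return report


if __name__ == "__main__":
    for finding, emails in reconcile(USERS_CSV, EXCEPTION_LIST, ENFORCED_DOMAINS).items():
        print(finding, emails)
```
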
You can view and edit the exception list in Domain enforcement settings:
- Select the directory with domain enforcement enabled.
- Navigate to Identity settings > Domain enforcement section.
- Under Exclude specific users from the domain enforcement section, select View exception list.
- Enter the email address of a new or existing user. Then, select Add.
  The email address is added to the list and is now excluded from domain enforcement restrictions. Close the exception list.
You can also add Adobe ID users to an Admin Console that does not have a domain-enforced directory in the following cases:
- Your directory is in a trust relationship with a domain-enforced directory.
- Your Admin Console is a child of an owning organization with domain enforcement in the Global Admin Console hierarchy.
An admin in the owning organization must first add the email address to the exception list and create the Adobe ID account. Then, the child or the trustee Admin Console has the option to add that same user as an Adobe ID account.
Adding a new email address directly to the exception list does not add the user account to the Admin Console. Once added to the exception list, you must add the new user's email address to your Admin Console to create the Adobe ID account.
You can also remove a user from the exception list at any time: go to View exception list, select the target email addresses on the Exception list screen, and then select Remove selected users.
Removing an email address from the exception list does not remove the user account from your Admin Console. You must remove the user from the Users list of your Admin Console.