Domain Enforcement for restricted authentication

Applies to enterprise.

System administrators can restrict organization-owned domains to prevent users from creating and using personal Adobe ID accounts. This limits personal data usage, enhances security, and allows asset-sharing only between organization users.

Before you begin

You should ensure your organization meets the following prerequisites to use domain enforcement:

  • Your organization must have one or more Enterprise or Federated directories with claimed domains established in the Adobe Admin Console.
  • You must have system administrator permissions to view and manage domain enforcement in your Admin Console.

Benefits of restricting domains

 Block creation of new Adobe ID accounts with an organization-owned domain

 Facilitate uniform federated sign-in workflow for all users on an organization-owned domain

 Control the number of user accounts and profiles on an organization-owned domain

 Promote better collaboration between end users on Enterprise Storage

 Block purchase of software for personal use under an organization-owned domain

Domain enforcement settings

Domain enforcement is enabled by default on all newly created Enterprise and Federated directories. ​All domains within the domain enforcement policy-enabled directories will have restricted authentication. Users can't create new accounts using restricted domains linked to policy-enabled directories.

You can manage your users and directories in the following ways with domain enforcement:

  • Restrict the creation of Adobe ID accounts with organization-owned domains
  • Transition existing users with Adobe ID accounts in your organization to Enterprise ID or Federated ID accounts, requiring secure login for license and storage access
  • Generate a report indicating which users have Adobe ID accounts with enforced domains
  • Require existing Adobe ID accounts using organization-owned domains to change the email associated with the account to a personal address

Go to the Adobe Admin Console Settings to view your directories and their Domain enforcement statuses in the Adobe Admin Console. Then, select a directory with Domain enforcement status set to On to view the Domain enforcement settings section.

An image of Adobe Admin Console "Identity settings" section. Displays the Domain enforcement settings in a directory MB_DE_ENFORCED..

Turn off Domain enforcement

Caution:

Adobe strongly recommends that you keep domain enforcement ON for your directories. Turning domain enforcement on or off frequently may result in users facing disruptions while signing in.

You can turn off domain enforcement for any directory by following the steps:

  1. Select Identity settings > Directory.

  2. Deselect Domain enforcement toggle.

Visit the Admin Console Insights section and select Logs to view the changes related to domain enforcement policy at any time.

Domain enforcement best practices

You can best use the domain enforcement feature by setting up your domains and directories to align with your organization's needs:

  • Link domains to directories: To stop users associated with a particular domain from creating new accounts or using organization email for personal use, you must link the domains with domain enforcement-enabled directories.
  • Transfer domains to a different directory: If you want to allow personal use of their organization email for users associated with one or more domains, you must transfer these domains to one target directory. Then, turn off domain enforcement for this target directory.
  • Allow automatic account creation: If you want users to create a Federated ID only with their organization-owned email address, you must enable both domain enforcement and automatic account creation.

Enable sign-in requirements for existing users

Enforce secure authorization

Adobe recommends that you Edit users' identity type to transfer existing Adobe ID users to Enterprise ID or Federated ID before you enable the Require email change policy. This ensures all users in a directory have a consistent sign-in experience and prevents unintended change requests from organization users.

Select Admin Console Users, and then navigate to Edit identity type by CSV from the three-dot menu.

Require email change

This feature allows you to force existing Adobe ID accounts, in an enforced directory, to change their associated email addresses. When the email change feature is enabled, an Adobe ID user has 30 to change their email address after the first sign-in attempt. After 30 days, they must change their email address to access their account and data.

When enabled, a user affected by the policy views a message on their next sign-in: Update Your Email. To avoid confusion, inform your users about this change before enabling the Require email change setting.

Note:
  • If the required email change policy is enabled, any email address on the exception list is exempt and can remain as an Adobe ID using an enforced domain. If the email address is removed from the exception list at any time and require email change is enabled, the user will be subject to the policy.
  • Any data associated with the users remains unaffected, and they can still change their email to start using their apps and data at any time.
  • If you turned off the feature after using it initially, users who have not yet changed their email address will stop seeing Update Your Email message. However, a user who completed the email change can neither revert the change nor make a new Adobe ID with the old email address unless domain enforcement is removed from the affected directory.

Download personal Adobe ID users' report

This user report allows you to view a list of Adobe IDs using a claimed domain for the email address associated with their account. You can download the report for any directory every hour in each organization.

The report provides a list of email addresses for users who have accepted the latest Adobe Terms of Use with their personal accounts. To download the list of Adobe ID users, go to Adobe Admin Console, and then select Insights > Reports

Exception list

The exception list allows defined users to bypass domain enforcement policy and use a personal Adobe ID account with their managed email.

System admins can use the exception list to add service accounts, troubleshoot SSO issues, and strategically exclude users from the require email change setting.

Related resources

Get help faster and easier

New user?

ICYMI Promo

Updates and Releases!

In case you missed it follow this page to stay updated!

Updates and Releases!

In case you missed it follow this page to stay updated!

ICYMI Promo

Updates and Releases!

In case you missed it follow this page to stay updated!

Updates and Releases!

In case you missed it follow this page to stay updated!