If you have a functioning SAML-based SSO configured with Microsoft Azure Identity, we recommend that you keep your current setup. An upcoming feature will allow you to automatically migrate users and SSO configuration.
You can configure Single Sign-On (SSO) with Microsoft Azure Active Directory (Azure AD) to manage users and entitlements for your Adobe apps and services. The Adobe Admin Console uses Azure AD as the Identity Provider (IdP).
Azure AD Connector combines the processes of directory creation, domain claim, SSO-setup, and product planning into a simple workflow on the Adobe Admin Console. The Connector also contains a built-in mechanism to sync users and user groups between the two systems, eliminating the multi-step process required for manual configuration. Azure AD users synchronized with the Adobe Admin Console are unique and can be assigned to one or more product profiles. The Connector can manage the relationship between multiple Azure AD tenants and Adobe Admin Consoles.
Once the Connector setup is complete, all users and groups are synced from the Azure AD. Thereafter, syncing is performed periodically to keep users in the Adobe Admin Console up to date. System Administrators of the Admin Console can view the synced domains, users, and user groups in the Settings section of the Adobe Admin Console.
After the initial setup is complete, the sync cycle continues to manage the changes made in Azure Portal and Admin Console. You can trigger sync manually or let it run periodically. It is recommended that you manage users/user groups/domains in the Azure Portal only.
Users and their product entitlements are managed by adding or removing a user from the corresponding Azure AD user group. During the sync, a user is added or removed from the synced Adobe group and the associated entitlements are provisioned or revoked. A federated user synced with the Azure AD Connector exists as a directory user within the Adobe Admin Console, therefore removing a user via the corresponding Azure AD group deprovisions the user's entitlement and prevent their ability to log in, but won't permanently delete the account. Permanently deleting the user account from the directory user base within the Adobe Admin Console will permanently remove any assets or content associated with the user's account.
The key advantages of switching to the Azure AD integration with Adobe Admin Console are:
- No replication of steps like domain claim, group creation, etc. as the two systems connect directly
- Quick set up and initiation of the sync through a seamless workflow
- Microsoft Azure AD is the one place for all actions including user management and license provisioning
- Easy to onboard and offboard users directly from the associated groups in Azure AD
- Less manpower needed to administer the two systems
- No additional service or API setup needed to sync to the Adobe Admin Console, as direct approval to manage users and directories already defined in the Azure AD system
To derive benefit from the functionality to integrate Adobe Admin Console User management with that of Azure AD, you need the following:
- Microsoft Azure AD as the identity provider (IdP)
- One or more of the following products: Creative Cloud for enterprise, Document Cloud for enterprise, or Experience Cloud
- Domains associated with Azure AD are unclaimed in the Adobe Admin Console, or you can easily withdraw pending domain claims
If you have already configured SSO with Azure AD using the custom SAML Connector, ensure the following:
- Remove the users, domains, and directories associated with Azure AD
- Remove any User Sync Tool or the UMAPI integration to sync users
The table below shows the Azure AD Connector's current and upcoming features. Use this table to decide if a switch is suitable for your organization at the current time.
|Components||Features||Azure AD Connector (Current version)||Azure AD Connector (Future release)|
|Create directory||Sync validated domains||✓||✓|
|Sync user groups with Federated ID users
|Migrate directory||Migrate claimed domains with Adobe to Azure AD integration setup||✗||✓|
|Move manually configured SSO setup to the Azure AD integration setup||✗||✓|
Deleting users removes access to products, services, and storage. In preparation for Azure AD Connector sync, ask your Federated users to download and back up required files prior to their permanent deletion from the Admin Console. If your organization already has a large number of active Federated users within the directory, or utilizes a separate user management process, such as the User Sync Tool, it's recommended that you do not adopt the Connector currently.
The Azure AD Connector supports multi-Azure AD tenant and multi-Admin Console scenarios. Supported scenarios include:
The organization has multiple Adobe Admin Consoles in a primary or trustee relationship, allowing the trustee Admin Consoles to take advantage of the SSO configuration established on the primary Admin Console. The Azure AD Connector only manages users for the primary Admin Console in such a case.
The trustee Adobe Admin Console can leverage the SSO configuration. However, users must be synced to the primary Admin Console before they are added to the trusted Admin Console manually or via user management service (such as CSV manual upload, User Sync Tool, or User Management API).
If you meet the criteria mentioned in the prerequisites section, it's time to set up the integration and get your users up and running with their entitlements.
- Claim domains and set up Azure AD.
- Add Groups and Users, based on the desired classification in the Adobe Admin Console. It is advised to create groups based on their users' product requirements.
- Ensure the number of users in a group match the number of licenses available for corresponding product profiles in the Admin Console. However, this can be managed later as well.
You are redirected to Microsoft Account sign-in page. Enter admin credentials with the Microsoft Global Administrator role and click Sign in. Review the consent prompt then click Accept to authorize Adobe Azure AD Connector read-only access to your Azure AD tenant.
The Microsoft Global Admin login is only needed in the following cases:
- Azure AD Connector's initial setup
- A new Azure AD security user group or domain is being added in the Microsoft Azure AD
Once established, the Adobe Admin Console system administrator can edit the groups and domains synced from the Azure AD within the corresponding directory.
Select the Azure AD default domain (for example, AdobeTestDir.omnimicrosoft.com) and the other domains validated on Azure AD to sync to Adobe Admin Console and click Next.
Only the domains with the status ownership validated can be selected and synced. Domains with statuses Ownership not validated and Owned by other organization cannot be synced without validation in Azure Portal.
Search from the list of Groups and select the groups to be synced to the Adobe Admin Console. Then, click Save and Finish setup.
Validated domains and directories start to sync from Azure AD. Details like users synced are displayed in the Details section under Settings tab.
Regardless of the identity types, the Connector syncs all the supported identity type (except Federated identity) users that exist in the Adobe Admin Console and creates their corresponding Federated ID. Later, you can migrate these users to Federated ID using the manage existing user accounts document.
On every sync, all users and user groups are imported to the Adobe Admin Console. Create appropriate product profiles and associate them to user groups to fine-tune the assignment of products among users. For more information, see Manage products and profiles.
When users are assigned the designated products, they receive an email notification. Users can directly download and install Creative Cloud Desktop App. If they don't have admin permissions, follow the next step to create and deploy packages.
To provide access to the apps to your end users, create and deploy the app packages on their computers. Users will need to sign in using their SSO credentials to begin using the apps and services.
For more information, see Create Named User Licensing Packages.
Additional steps are required to convert all existing non-Federated ID users to Federated ID type, and to reconfigure SSO with Azure AD through the Connector if already established in the Admin Console.
The synced federated user must not be assigned any products when doing the edit identity switch. It should be done right after syncing but before any product assignment.
Users that have an existing non-Federated ID account in the Admin Console can be migrated to a Federated ID account once the Azure AD Connector has been established. Once converted, the Connector syncs these accounts successfully.
To ensure any cloud-stored assets are migrated to the user’s new identity type, follow the process below:
Set up Azure AD Connector and sync users including those who already have a non-Federated ID on the Adobe Admin Console. Any users with an existing non-Federated ID now have both a non-Federated ID and a Federated ID in the Adobe Admin Console.
Follow the steps in Edit Identity Type by CSV to change non-Federated ID users to Federated ID type. Ensure to match the following details:
- Match Username and Email fields with Username (UserPrincipalName) fields in Azure AD.
- Match FirstName and LastName with the corresponding fields in Azure AD.
Upon login with the new Federated ID, the user will be prompted with an option to automatically migrate cloud-stored assets to the new account.
If you have a running SSO setup with Azure AD and want to switch to the Azure AD Connector-based setup, you need to first hard delete all users and domains associated with the existing directory. Then, re-establish them by syncing with the Azure AD Connector setup.
In a future update, the Azure AD Connector will get a self-service migration feature, and will allow an established federated directory to be migrated (including all associated domains and directory users) to sync from Azure AD via the Connector (without deleting directory users, domains, and directories.)
Request your active Federated ID users to manually back up their cloud-stored assets.
Users who do not back up their assets will lose their data permanently.