The document covers common questions encountered while configuring Adobe Admin Console SSO with Microsoft Azure as an identity provider using the Azure AD Connector.

Connector features and supported scenarios

This section answers some frequently asked questions related to the Connector's features, integration scenarios, and conditions.

You can only create Federated ID user accounts through the Azure AD Connector. Learn more about the identity type options here.

The Azure AD Connector can only provide user management for the primary Admin Console in a primary-trustee Admin Console relationship. Any trustee Admin Consoles can take advantage of single sign-on with the federated directory, but must use a separate form of user management (such as CSV manual upload, User Sync Tool, or User Management API).

You can only run the User Sync Tool (UST) for domains that are not managed by Azure AD. There will be a conflict if you run UST on an Azure AD-managed domain.

Yes, it does, and no additional configuration is needed.

Yes, SHA-256 certificates are supported with the Azure AD Connector in place.

Syncing operation

This list answers some questions related to the Connector's syncing feature.

FirstName, LastName, Username, Email, and Country Code.

The sync runs every 15 minutes, making updates to the Admin Console based on the changes identified in the aligned Azure AD security groups. The Connector landing page in the Admin Console has a Trigger Sync feature that allows a System Admin to force a sync at any time between the 15-minute intervals. However, you may experience a slight delay when you force Trigger Sync if you use on-premise Active Directory.

If such a user group exists in the Admin Console, the Connector skips syncing this group and displays an error message. The Admin must rename either the Azure AD group or the Admin Console group to allow the Connector sync to complete.

No, currently event logs are unavailable in the Admin Console to assist with troubleshooting the Connector sync.

Microsoft Azure Active Directory synced groups become available for provisioning to easily manage users and entitlements for your Adobe apps and services. Active Directory synced groups also become part of your organization's address book. These synced users are then available as private sharing recipients when other users share organization-owned assets. Currently, group sharing is only available in Adobe XD.

Existing Azure users migration

The section covers some questions asked by users who want to use the Connector and are already using Azure as their IdP.

The Azure AD Connector requires that the domains and directories to be synced from Azure AD are not already established in the Admin Console with federation. If directory users do exist, you need to permanently remove associated directory users, domains, and directories before the Connector implementation.

To learn more, see Set up SSO with Azure AD Connector.

Yes, as long as the SAML directory links to separate claimed domains.

Yes. If the user's email is updated in Microsoft Azure or Microsoft Office 365, then Admin Console email and username fields update accordingly.

If the user is a part of the group sync and the Federated ID username matches an Azure AD-synced username, then the Connector takes over and manages the profile. If the user is not a part of the group sync, the user is able to authenticate as long as the profile matches the Azure AD profile.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.