Applies to enterprise.
Can I manage domain enforcement at the domain-level or directory-level?
        Domain enforcement policies are set at the directory level. This means the policy is enabled for all enforced domains. If an enforced directory has a domain that should not have domain enforcement restrictions, the system admin can either move the domain to another DE-disabled directory or create a new directory that isn't under the DE policy.
Does the domain enforcement policy reverse for affected users if disabled? Do the users stop seeing the restrictions on sign-in?
        Once domain enforcement is disabled for a directory, new Adobe IDs can be created with that directory's formerly enforced domains.
If the change email policy was enabled before turning off domain enforcement, users who were previously affected by the policy but have not yet changed their email address will no longer be required to do so. However, a user who completed the email change process can't revert the change.
The change email policy is disabled by default if domain enforcement is turned back on for a given directory.
Why is domain enforcement enabled automatically for any newly-created Enterprise ID or Federated ID directory in my Admin Console?
        Any new Enterprise ID or Federated ID directory has domain enforcement enabled by default to eliminate personal account creation with an organization-owned domain. System admins can disable the policy for any directory at any time after the initial enablement.
What happens when a user tries to share data with an organization email address that doesn't exist and cannot be created by the user due to domain enforcement?
        If both auto-account creation and domain enforcement are enabled for a directory, a user can send an invite to an email address on an enforced domain, and the recipient can create a Federated ID account with the domain and accept the invite.
If auto-account creation is disabled, or the directory is an Enterprise ID directory type under domain enforcement, the user CANNOT send the invitation to the email address on an enforced domain because an account cannot be created with that address.
Can the admin create an Adobe ID account on a domain that is part of a domain-enforced directory?
        Yes. For unique scenarios, a system admin can create a new Adobe ID account on a restricted domain by adding the email address to the exception list.
If a system admin enables the force email change policy, are Adobe ID users of the domain-enforced directory required to change the email address associated with the account? 
        Yes. Any user with an Adobe ID account on an enforced domain (whether a member of the owning organization, a trustee organization or created individually) must change the email address associated with the account if domain enforcement is enabled.
Adobe strongly recommends that system admins edit the identity type of existing Adobe ID accounts to Enterprise ID or Federated ID for enforced domains before enforcing the email change policy. This prevents any sign-in disruption for organization users. If the admin does not edit the identity type before the end user changes their email address, the user account can't be converted to Enterprise ID or Federated ID, and a new account must be created to sign in with Enterprise ID or Federated ID.
When a user changes their email address due to the force email change policy, does their profile display the new email address in the Admin Console?
        Yes. The user's account profile displays the revised email address in the Admin Console after the update.
What's the meaning of “Unknown” status for a domain-enforced directory?
        The status column in the Identity settings > Directory table displays the On or Off status for domain enforcement based on the policy set by the system admin.
The Unknown status may appear if the policy is still being updated, if any settings are changed, or if there is an error with the policy setting. Reach out to Adobe Enterprise Customer Support if the status does not change to the On or Off state automatically.
As an admin, how can I check which users have Adobe ID personal accounts on the organization-owned domain?
You can check the user report to view the list of Adobe IDs using a claimed domain for the email address associated with their account. You can download the report for any directory every hour in each organization.
To download the list of Adobe ID users, go to Adobe Admin Console > Insights > Reports.
The report provides a list of email addresses for users who have accepted the latest Adobe Terms of Use with their personal accounts.