This document covers common questions encountered while configuring Azure Sync with a federated directory. Additional information regarding the legacy Azure Connector is also available for reference.

Azure Sync | Important considerations and common questions

You can find answers to some of the frequently asked questions and important considerations below:

If you have a functioning Azure AD Connector in place, we recommend that you keep your current setup. A self-service migration feature will allow you to migrate to the new version of the Azure Sync.

We strongly recommend you to keep your Azure AD Connector setup until the self-serve migration is available. Migrating to the new Azure Sync now might disrupt services and result in loss of assets for your users.

If you have questions related to the Azure AD Connector, follow the FAQs here.

Yes. Azure Sync decouples email from username. This allows users to use a differing email and username value to validate sign-in and access Adobe products/services, collaborate, share files, etc.​

Yes. You can sync nested groups from Azure AD through the Azure Sync integration.

However, nested groups are not automatically synced when the parent node of the group is added to sync scope. Nested groups should also be added to scope to be included in the automated sync.

Yes. Any update in Azure AD reflects in the Adobe Admin Console directory. This includes attributes like, FirstName, LastName, Email, etc.

Yes. To use Azure Sync with such a directory, you must have your users managed within an Azure AD instance.

Sync cycles are controlled by Azure, it runs once every 40 minutes. The amount of time to add and/or update users in the Adobe Admin Console depends on the number of users within the sync scope.


The Account Status column appears in both the Users and Directory Users list to inform administrators of the current status of a specific user.

For federated users synced with Azure Active Directory, users are managed in a read-only mode via Azure Sync, and the status depends on their status within the organization’s directory. Only Active status will appear on the Users list for synced users. A user that is removed from sync scope in AD will no longer appear on the Users list but will still be present on the Directory Users list as Disabled status.

  • Active = User account available for SSO login and license access. If sync is configured, an ‘Active’ user is in-scope for the automated sync.

  • Disabled = User account not available for SSO login or license access. If sync is configured, a ‘Disabled’ user is removed from sync scope in the organization’s directory, causing the user to no longer have login access to their account or provisioned licenses, but their cloud-stored assets are still available. A ‘Disabled’ user will only appear in the Directory Users list, and a user’s Adobe account can only be permanently deleted from the Directory User list.

If your organization is using the User Sync Tool or a UMAPI integration, you must first pause the alternate form of sync, then follow the steps to set up Azure Sync to automate user management from the Azure Portal.

The User Sync Tool or UMAPI integration can be removed completely once the Azure Sync is configured and running.

There is a set of common error messages displayed to be aware of when managing Azure Sync from Azure AD. Understanding the cause of the various error messages will aid in troubleshooting when errors occur.

Learn more about monitoring your deployment within Azure AD.

Yes. You can choose to disable or even remove Azure Sync from a federated directory. This removes the automated sync but leaves the directory, domains, and users of the directory intact.

When removing sync, User Provisioning should also be turned off for the former sync in Azure AD to prevent quarantine of the directory by Azure AD.

By default, when users are no longer managed through Azure Sync, they only get disabled to avoid accidental data loss.

To remove the users permanently, you must enable editing of synced users from the Sync tab and remove the users manually in the Admin Console.

(Legacy) Azure AD Connector | Common questions

If you have set up your Admin Console directory using the (Legacy) Azure AD Connector, you may find the resolutions to your query here. Look for your question related to the old Connector features, integration scenarios, and sync issues.

You can only create Federated ID user accounts through the Azure AD Connector. Learn more about the identity type options here.

The Azure AD Connector can only provide user management for the primary Admin Console in a primary-trustee Admin Console relationship. Any trustee Admin Consoles can take advantage of single sign-on with the federated directory, but must use a separate form of user management (such as CSV manual upload, User Sync Tool, or User Management API.)

You can only run UST for the domains that are not managed by the Azure AD. There will be a conflict if you run UST on an Azure AD-managed domain.

Yes, it does, and no additional configuration is needed.

Yes, SHA-256 certificate is supported with the Azure AD Connector in place.

FirstName, LastName, Username, Email, and Country Code.

The sync runs every 15 minutes, making updates to the Admin Console based on the changes identified in the aligned Azure AD security groups. The Connector landing page has a Trigger Sync feature available in the Admin Console, that allows a System Admin to force a sync at any time between the 15-minute intervals. However, you may experience a slight delay when you force Trigger Sync if you use on-premise Active Directory.

Follow these instructions to edit identity type to Federated IDs.

The Azure AD Connector requires that the domains and directories to be synced from Azure AD are not already established in the Admin Console with federation. If directory users do exist, you must permanently remove associated directory users, domains, and directories before the Connector implementation.

To know more, see set up SSO with Azure AD Connector.

Yes, as long as the SAML directory links to separate claimed domains.

Yes. If the user's email is updated in Microsoft Azure or Microsoft Office 365, then Admin Console email and username fields update accordingly.

If the user is a part of the group sync and the Federated ID username matches an Azure AD-synced username, then the Connector takes over and manages the profile. If the user is not a part of the group sync, the user is able to authenticate as long as the profile matches the Azure AD profile.