Áp dụng đối với doanh nghiệp.
This document covers common questions encountered while configuring authentication between Microsoft Azure Active Directory (Azure AD) and Azure Sync with a federated directory. Additional information regarding the deprecated Azure Sync is also available for reference.
You can find answers to some of the frequently asked questions and important considerations below:
You can only create Federated ID user accounts through Azure Sync. Learn more about the identity type options here.
No. The Adobe Admin Console does not offer provisioning logs.
However, you can look for provisioning logs in the Azure Active Directory for diagnostic information. Refer to Provisioning logs in Azure Active Directory to learn more.
Adobe has upgraded the Azure Sync experience to provide enhanced security and other privacy controls to partner organizations. The updated Azure Sync does not require any permissions into your organization’s Azure Directory to sync users to the Adobe Admin Console.
The Azure Sync can only provide user management for the primary Admin Console in a primary-trustee Admin Console relationship. Any trustee Admin Consoles can take advantage of single sign-on with the federated directory but must use a separate form of user management (such as CSV manual upload, User Sync Tool, or User Management API.)
The SCIM protocol allows you and your Identity Provider to control the data flow. If Azure Sync doesn't sync data over to Adobe, check Provisioning logs for the Adobe Identity Management application inside your Azure AD Portal.
Ensure that the values passed to the user attributes by sync match the values in the user profiles in the Admin Console. Check the provisioning logs in Azure to find the attributes passed from Azure.
Your organization must have a Premium (P1 or P2) or Microsoft 365 (E3 or A3) subscription with Azure AD to use group-based assignment capabilities. It allows you to choose specific groups and users to be synced to the Adobe Admin Console.
Organizations without these subscription levels can only sync all the users and groups to the Adobe Admin Console at once. The system will sync all users and groups automatically and generate an Adobe Federated ID for the synced users. Read more about Azure AD subscription plans and options for updating.
Yes. You can sync nested groups from Azure AD through the Azure Sync integration.
However, nested groups are not automatically synced when the parent node of the group is added to sync scope. You must add nested groups to scope to be included in the automated sync.
Yes. Any update in Azure AD reflects in the Adobe Admin Console directory. This includes attributes like, FirstName, LastName, Email, etc.
Yes. To use Azure Sync with such a directory, you must have your users managed within an Azure AD instance.
Azure AD controls the sync cycles. The initial cycle takes longer to sync all users and groups defined in Scope. Then, subsequent cycles occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
You cannot speed up the automated sync cycle from the Adobe Admin Console.
The Account Status column appears in both the Users and Directory Users list to inform administrators of the status of a specific user.
For federated users synced with Azure Active Directory, users are managed in a read-only mode via Azure Sync, and the status depends on their status within the organization’s directory:
Active = User account available for SSO login and license access. If sync is configured, an ‘Active’ user is in-scope for the automated sync.
Disabled = User account not available for SSO login or license access. If sync is configured, a ‘Disabled’ user is removed from sync scope in the organization’s Azure Active Directory, causing the user to no longer have login access to their account, but their cloud-stored assets are still available.
You cannot run Azure Sync alongside any other form of user management tool.
If your organization is using the User Sync Tool or a UMAPI integration, you must first pause the alternate form of sync, then follow the steps to set up Azure Sync to automate user management from the Azure Portal.
The User Sync Tool or UMAPI integration can be removed completely once the Azure Sync is configured and running.
Follow these instructions to edit identity type to Federated IDs.
There is a set of common error messages displayed to be aware of when managing Azure Sync by Microsoft Azure. Understanding the cause of the various error messages will aid in troubleshooting when errors occur.
Learn more about monitoring your deployment within Azure AD. Follow troubleshooting sync for more methods.
Yes. You can choose to disable or even remove Azure Sync from a federated directory. This removes the automated sync but leaves the directory, domains, and users of the directory intact.
When removing sync, User Provisioning should also be turned off for the former sync in Azure AD to prevent quarantine of the directory by Azure AD.
By default, when users are no longer managed through Azure Sync, they only get disabled to avoid accidental data loss.
To permanently remove users, you must enable editing of synced users from the Sync tab and remove them from the directory users list.
Check the impacted users' email address. The error occurs if user's email address is:
