
Adobe Admin Console should not be reliant on enabled accounts

Apr 23, 2024


Current Adobe Admin Console (AAC) Entra ID provisioning consistently recreates Federated Accounts due to its reliance on user objects' enablement statuses for provisioning identities. Our current offboarding process requires that we disable the user account in our source IDP to prevent unauthorized access when an employee leaves or is terminated. This deactivates the user in AAC, and if we need to rename (due to shared mailbox access delegation requirements) or set up a new account for the same user in another dept - the provisioning workflow creates a duplicate account in AAC. This causes frustration for our admins and provides access to the previous account's Adobe Sign data when licensed for Adobe Sign.


Recommendation is to ignore the user's activity status (enabled/disabled) when scoping a user for provisioning through the Entra ID application. At least let the organization choose whether they'd like to keep disabled users in scope or not. This would allow post-offboarding configuration changes to the existing account and allow those changes to replicate into downstream services (ex. Adobe Sign). This would simplify our deployment of these services and would reduce the negative effects on our offboarding process.
