I'm hoping to get some clarification. I've looked at the online docs, and apologies if I missed something, but I'm a bit unclear... we are planning on moving away from using the User Sync Tool and replacing it with Azure Sync.
I'm wondering if someone may be able to clarify 2 things for me:
#1. Once the sync with Azure is set up, how can the user who is a member of an AD group be assigned to a product profile?
For example, with the User Sync Tool we have an AD group that contains all users who require access to Adobe Photoshop (for example), the sync tool associates the AD group with the product profile in the Adobe console (as shown below).
(sample code from user-sync-config.yml)
groups:
  - directory_group: "AD_AdobePhotoshop"
    adobe_groups:
      - "Adobe Photoshop"
How will this work when using Azure Sync? If I want to make sure everyone in the AD group (AD_AdobePhotoshop) is added in the Product profile "Adobe Photoshop" when the sync occurs, do I need to do any additional steps?
#2. All of our accounts are already federated id. When moving from User Sync Tool to Azure Sync will it create duplicate user accounts for those that already exist?
We went ahead and migrated from the User Sync Tool to Azure Sync a couple of weeks ago.
Thought I'd post our experience regarding the two questions mentioned above in case anyone was interested.
For #1 - what we found out was that once you configured Azure sync, the AD groups appeared in the Adobe admin console under Users > User Groups. So, from the example above, if we had an AD group called "AD_Photoshop" mapped to an Adobe group called "Adobe Photoshop", the "AD_Photoshop" group would appear in the Adobe admin console. Clicking on that AD group would list all the users who are members of that group.
Now that we had the AD group synchronized, we simply added the AD group to the specific product profile. Under Products, we'd select our specific product (e.g. Adobe Photoshop) > Select our product profile > Click on Users and add the AD group we had just synced.
Since the AD group was now tied to a product profile, we no longer needed the group "Adobe Photoshop" from the admin console, so we removed all the users tied to that group and deleted the group - since it was an exact duplicate of the AD group we had just synced using Azure.
We also tested to see what would happen if we renamed the AD group to match the Adobe group - it seems as though Azure sync overwrites the Adobe group and takes ownership of it. We did not test what would happen if we did the opposite (rename the Adobe group to match the AD group), but I'm guessing the behavior is the same. I guess we could've simplified the migration a bit by doing it this way, but since we weren't sure what would happen and the impact behind it, we didn't - plus we had strict naming conventions that our AD team wanted us to follow 🙂 .
For #2 - No duplicate users were created for those that had already been synchronized by the User Sync Tool.
As for testing, we were able to test to some degree (depending on how often your User Sync Tool runs). We found that once you set up Azure Sync, the User Sync Tool no longer works, and both tools can't be running concurrently (I believe Adobe mentions this in their documentation), so you will need to disable the User Sync Tool after setting up Azure Sync. Something to keep in mind.
Hope this has been helpful.