Hello,
I'm hoping to get some clarification. I've looked at the online docs, and apologies if I missed something, but I'm a bit unclear... we are planning on moving away from using the User Sync Tool and replacing it with Azure Sync.
I'm wondering if someone may be able to clarify 2 things for me:
#1. Once the sync with Azure is set up, how can a user who is a member of an AD group be assigned to a product profile?
For example, with the User Sync Tool we have an AD group that contains all users who require access to Adobe Photoshop (for example), the sync tool associates the AD group with the product profile in the Adobe console (as shown below).
(sample code from user-sync-config.yml)
groups:
  - directory_group: "AD_AdobePhotoshop"
    adobe_groups:
      - "Adobe Photoshop"
How will this work when using Azure Sync? If I want to make sure everyone in the AD group (AD_AdobePhotoshop) is added in the Product profile "Adobe Photoshop" when the sync occurs, do I need to do any additional steps?
#2. All of our accounts are already federated id. When moving from User Sync Tool to Azure Sync will it create duplicate user accounts for those that already exist?
We went ahead and migrated from the User Sync Tool to Azure Sync a couple of weeks ago.
Thought I'd post our experience regarding the two questions mentioned above in case anyone was interested.
For #1 - what we found out was that once you configured Azure sync, the AD groups appeared in the Adobe admin console under Users > User Groups. So, from the example above, if we had an AD group called "AD_Photoshop" mapped to an Adobe group called "Adobe Photoshop", the "AD_Photoshop" group would appear in the Adobe admin console. Clicking on that AD group would list all the users who are members of that group.
Now that we had the AD group synchronized, we simply added the AD group to the specific product profile. Under Products, we'd select our specific product (eg. Adobe Photoshop) > Select our product profile > Click on Users and add the AD group we had just synced.
Since the AD group was now tied to a product profile, we no longer needed the group "Adobe Photoshop" from the admin console, so we removed all the users tied to that group and deleted the group - since it was an exact duplicate of the AD group we had just synced using Azure.
We also tested to see what would happen if we renamed the AD group to match the Adobe group - it seems as though Azure sync overwrites the Adobe group and takes ownership of it. We did not test what would happen if we did the opposite (rename the Adobe group to match the AD group), but I'm guessing the behavior is the same. I guess we could've simplified the migration a bit by doing it this way, but since we weren't sure what would happen and the impact behind it, we didn't - plus we had strict naming conventions that our AD team wanted us to follow 🙂.
For #2 - No duplicate users were created for those that had already been synchronized by the User Sync Tool.
As for testing, we were able to test to some degree (depending on how often your User Sync Tool runs). We found that once you set up Azure Sync, the User Sync Tool no longer works, and both tools can't be running concurrently (I believe Adobe mentions this in their documentation), so you will need to disable the User Sync Tool after setting up Azure Sync. Something to keep in mind.
Hope this has been helpful.
Thank you for sharing your experiences. We also want to switch to Azure Sync and I had exactly the same questions. Your information will help me a lot.
Seems like you have it resolved, but I'll just throw in some expected behaviour explanation.
#1
groups:
  - directory_group: "AD_AdobePhotoshop"
    adobe_groups:
      - "Adobe Photoshop"
The above means that AD_AdobePhotoshop will map to a User Group in the Admin Console named "Adobe Photoshop". When moving to Azure Sync, it will create a new User Group with the AD Group's name (uncustomisable) so the old 'renamed user group' can be removed.
#2
It doesn't seem like you ran into this... but if there was any discrepancy in the attributes being pulled over that could cause some errors as well. If the Username in Azure (UPN by default) is the same as what is being synced over from your legacy UST - then the ID will be the same. However, if there is any discrepancy in Username, a new Federated ID would be created in the Admin Console even if it links to the same user.
If you were not pulling UPN for the UST, you can customise the attributes before you run the Azure Sync to pull the same Attribute across.
Hi, thanks for all the discussions/answers here.
I would also like to get clarification on the scenario below.
I have a group called "editors" in Active Directory.
The existing UST process has created the group in the admin console with the same name, i.e. "editors".
1. What will happen in this case when I switch from UST to Azure Sync, as Azure Sync will try to create the same user group (editors) in the admin console?
2. If we have to create new groups for every group created by UST (we have around 100+), how do we manage assigning product profiles to all of them? Do we have to do that manually?
Thanks in advance
Hi there,
I am checking the details and will get back to you with an answer soon. In the meantime, you may refer to the following help document and see if it helps: https://adobe.ly/4fDKpAI.
Thanks,
^BS
Hi @snnk2345 ,
Thank you for reaching out. Please find the responses to your queries below:
#1 If a group with the same name (like "editors") already exists in the Admin Console, Azure Sync won’t create a duplicate. Instead, it’ll connect that group to its version in AAD. Please note that if there are differences in group membership, Azure Sync will update the group in the Admin Console to reflect the membership from AAD.
#2 If new groups end up being created for some reason, you’ll need to manually reassign the product profiles to those groups. Unfortunately, there isn’t an automated way to handle this, but the Admin Console has a bulk assignment feature that can make this process a bit quicker. Please refer to this document here for this.
Let me know if you need more help or details!
Regards,
^AN
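
A pre-migration check built from the behaviour described in this thread, added here as an example and not code from Adobe or from any poster: it classifies each UST group mapping by what Azure Sync is said to do with it, and lists existing usernames with no matching Azure UPN. The function names, the sample data and the case-insensitive username comparison are assumptions.

```python
"""Pre-migration check for moving from the User Sync Tool (UST) to Azure Sync.

All sample data is constructed. In practice it would come from the 'groups:'
section of user-sync-config.yml, an Admin Console export and an Azure AD export.
"""

def plan_groups(ust_mappings, console_groups):
    """Classify each UST mapping by the behaviour described in the thread.

    ust_mappings: list of (directory_group, [adobe_groups]) pairs.
    console_groups: names of user groups present in the Admin Console today.
    """
    plan = {"linked": [], "new_group": []}
    for ad_group, adobe_groups in ust_mappings:
        if ad_group in console_groups:
            # Same name already exists: Azure Sync links to it and rewrites
            # its membership from the directory, so review membership first.
            plan["linked"].append(ad_group)
        else:
            # A group named after the AD group is created. Product profiles on
            # the old Adobe groups must be re-assigned to it by hand.
            plan["new_group"].append((ad_group, sorted(adobe_groups)))
    return plan

def username_mismatches(console_usernames, azure_upns):
    """Existing Federated ID usernames that have no matching UPN in Azure.

    Each one would get a new Federated ID after the switch. The comparison
    ignores case and surrounding whitespace (assumption of this example).
    """
    upns = {u.strip().lower() for u in azure_upns}
    return sorted(u for u in console_usernames if u.strip().lower() not in upns)

# Constructed sample input, using the group names mentioned in the thread.
UST_MAPPINGS = [("AD_AdobePhotoshop", ["Adobe Photoshop"]), ("editors", ["editors"])]
CONSOLE_GROUPS = {"Adobe Photoshop", "editors"}
CONSOLE_USERS = ["alice@example.com", "bob@example.com"]
AZURE_UPNS = ["Alice@example.com", "bob.smith@example.com"]

if __name__ == "__main__":
    plan = plan_groups(UST_MAPPINGS, CONSOLE_GROUPS)
    for name in plan["linked"]:
        print(f"LINK  {name}: existing group is taken over by Azure Sync")
    for name, old in plan["new_group"]:
        print(f"NEW   {name}: re-assign product profiles from {old}")
    for user in username_mismatches(CONSOLE_USERS, AZURE_UPNS):
        print(f"CHECK {user}: no matching UPN, a new Federated ID would be created")
```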