January 18, 2021
Answered

SCIM with Azure

  • 1 reply
  • 1940 views

I would like to get some confirmation... I perhaps missed it in some of the online documentation, and for that I apologize.

I am planning the implementation of SCIM with AzureAD.  When setting up SCIM provisioning, I am using groups (not just one, but 5 to govern SSO access).

1.  If an account is being deleted (deprovisioned) from one of those groups, and that account does not belong to any other groups, will the cred in the Adobe portal be removed automatically (is this configurable)?

2.  In terms of assigning a license to an individual user, this task remains manual under the current SCIM design (i.e. our corporate Adobe Admin)? For example, if a new user is added to one of the groups, the user will get created in the Adobe admin portal, and then our admin will assign a license to that user through the portal?

1 reply

LMeyer
Adobe Employee
Correct answer
January 28, 2021

Hello Vince, responses to your questions below:

  1. When a user is removed from an in-scope security AD group in Azure, upon the next sync that user will be removed from the synced user group in the Adobe Admin Console. If they do not belong to any other user groups or have any other licenses provisioned, their account will be removed from the Users list in the Users tab. Note that this process does not permanently delete the user’s federated account, which can still be found under Users > Directory Users. If the user was removed from the AD group mistakenly, they can simply be added back to the in-scope group and upon next sync, their account will be added back to the Users list as well as the synced user group. If the user account was meant to be removed from the AD group and their Adobe account is no longer required, a System Administrator can choose to permanently delete the user’s account in the Directory Users list. Read more about disabling users and groups with the Azure Sync under Disable users and groups.
  2. As a System or User Group Admin, you can assign a product profile to any user group within the Adobe Admin Console. When assigning a product profile to a user group, all users within that group will receive automatic access to the license of the assigned profile. As an example, you have a group in AD that contains all users who require access to Acrobat Pro. Once that group and the contained users are synced to the Adobe Admin Console, the System or User Group Admin of that group can assign the default Acrobat Pro product profile to that group, and every user within the group will be provisioned a license for Acrobat Pro from the assigned profile. Going forward, any users added to the synced group from AD will also receive automatic access to the Acrobat Pro license. Read more about assigning product profiles to user groups under Assign Product Profiles to User Groups.