We transitioned from the User Sync Tool to Azure Sync about a year ago, and during an audit realized the Azure Sync wasn't removing users from Product profiles because it didn't put them there (as part of the group).
Group from Azure works great. It's auto-assigned to the Product Profile and that works great. But, it won't touch users that "it didn't put there" as part of the group. Far as it's concerned, we manually added them to the profile.
How do you basically say "I don't want anyone else in this product BUT the Azure Group"? Just delete everyone from the product? Will it actually add them back via the sync'd group? I'm having a hard time finding this documented anywhere... Right now we have hundreds of users "over provisioned" because of this...
Hi @rstaselbeta,
Thanks for reaching out. Azure Sync manages only the users and groups included in its provisioning scope in Azure AD. It will create, update, or disable users coming from Azure-synced groups but won’t remove users who were already in Product Profiles before migrating from the User Sync Tool. These users are considered manually assigned and will stay licensed until explicitly removed.
To make the Product Profile group-only, perform a one-time cleanup by bulk-unassigning all users who are not part of the Azure-synced group. This can be done in the Admin Console via the UI or by using a CSV upload. For detailed steps, refer to: https://adobe.ly/4mYfIK6
After clearing the profile, Azure Sync will automatically repopulate it with only the members of the in-scope Azure group during the next sync cycle.
Hope this helps. Let us know if you need any additional assistance.
Regards,
^AN
This is great, and exactly what I expected. I knew it wasn't doing anything because it didn't put the user in the product. I just wasn't sure if I nuked the product assignment if the sync would put people back.
I guess the questions are:
- How long will it take for the sync to put them back? Are users going to potentially get notified that they've lost access to the product?
- Do I need to enable editing or disable sync during that time, or will it let me remove the users from the product since it didn't put them there?
- Previously when I've just tried to grab a CSV from the product page of assigned users, it's been incomplete (it didn't match the number on the actual product). Has that been fixed, or do I need to grab a full user CSV and just grab the users from it that are assigned to that specific product to do the removal?
Hi @rstaselbeta,
Thanks for sharing the details.
Azure SCIM provisioning runs an initial sync followed by incremental syncs approximately every 40–60 minutes. Users removed from a Product Profile who are still in the synced Azure group will be added back in the next cycle; users outside the group will remain unassigned. Adobe does not specify “access lost” notifications for this, and users generally do not receive alerts when being removed or re-added to a Product Profile, though they may notice brief access interruptions if they attempt to use the product during that period.
Do editing or sync need to be toggled to remove users from the Product Profile?
No. You can bulk-unassign users from a Product Profile even while Azure Sync is active. The “Allow editing synced data” option applies to directory-level edits only and is not required for Product Profile membership cleanup. This can be done directly in the Admin Console using the UI or CSV.
CSV export from the Product page was incomplete — which CSV should be used?
Use the Product Profile’s bulk operation feature. From the specific Product Profile, download the current user list via CSV, then upload a CSV to unassign those users in bulk. After the upload, verify results in the profile’s Bulk Operations section. If any discrepancies are found, cross-check with an organization-wide user CSV to ensure formatting and identifiers align with Admin Console requirements. Refer to the “Remove users and user groups from a product profile” section in this document: https://adobe.ly/45MsqEG
However, if you need assistance with the process, I recommend raising a support case so our team can guide you through it directly and help resolve this issue.
Regards,
^AN
Thanks Anshul, this is great. I have a support case open for this as well.
The only outstanding piece is the last one. I'd previously been trying to get a handle on over/under assignment and had downloaded the CSV from the product profile, and the downloaded CSV was incomplete (it didn't include all the users assigned to the product profile). I opened a ticket about this and was told this was a known issue... has this been resolved?
I just checked now, I have 16769 users in the product profile, but the downloaded csv only has 14100 users in it. So seems like this hasn't been fixed... So do I need to download a full user csv (71k users or so) and then use that to remove all the users from the product profile?
Hi @rstaselbeta,
Can you share the case number with me in a personal message so I can check and assist you properly? As you mentioned, the downloaded CSV was incomplete (it didn't include all the users assigned to the product profile). This should not happen; however, if it is happening, the best workaround is to use the org‑wide Current users CSV, filter it to the target Product Profile, and then run Unassign users by CSV from the Product Profile with that filtered list.
Please check this doc to see how to send a personal message: https://adobe.ly/4n0vnIR
Regards,
^AN
DM sent. Will do the full user export, sort by product, and do that way.
I might see why the CSV is incomplete... it MIGHT be showing me only the users that exist in addition to the Azure Sync. I have a user that I can tell is being granted that product profile in the User Record, but if I search for them under the Product Profile, they're missing. Would that make sense that the User list for the Product Profile, and the CSV, would only be users NOT assigned via the Azure Group?
Hi @rstaselbeta,
Thank you for sharing the ticket number. I’m reviewing the details now and will provide an update shortly.
Regards,
^AN
Hi @Anshul_Nautiyal, never got a response. We've completed the cleanup and now just have the single Azure group in the product profile which grants access.
Thank you.
Hi @rstaselbeta,
Apologies for the delayed response, and I’m glad to hear you were able to resolve the issue.
Regarding your question: the CSV appears incomplete because there are 16,769 users in the product profile, but the exported file only shows 14,100 users. This happens when users are added through a user group rather than directly to the product profile. In such cases, they won’t appear in the product profile export since they’re technically members of the group, not the profile itself.
To get a complete list, you’ll need to download the full user CSV from the Admin Console and then filter it to identify which users belong to that product profile.
Hope this answers your query. Let us know if you have further suggestions and questions in the future.
Regards,
^AN
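
An added illustration, not part of the reply above and not Adobe tooling: a Python sketch of the reconciliation this answer implies, comparing the Product Profile export (direct assignments only) with the member list of the synced group. The `Email` column name, the group-member export and all sample rows are assumptions constructed for the example.

```python
import csv
import io

# Constructed sample exports; real files would be read from disk instead.
PROFILE_EXPORT = """Email,First Name,Last Name
alice@example.edu,Alice,A
Bob@Example.edu,Bob,B
carol@example.edu ,Carol,C
"""
GROUP_MEMBERS = """Email
bob@example.edu
dave@example.edu
"""


def emails(csv_text, column="Email"):
    """Return the normalised (trimmed, lower-cased) e-mail set from one CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in CSV header")
    found = set()
    for row in reader:
        value = (row.get(column) or "").strip().lower()
        if value:
            found.add(value)
    return found


def reconcile(profile_csv, group_csv):
    """Split users by how they hold the profile: directly, via group, or both."""
    direct = emails(profile_csv)   # what the profile export lists
    group = emails(group_csv)      # members of the synced group
    return {
        # Hold the licence only through a direct assignment: the
        # over-provisioned accounts that lose access after cleanup.
        "direct_only": sorted(direct - group),
        # Assigned both ways: safe to unassign, the group still grants access.
        "direct_and_group": sorted(direct & group),
        # Granted only through the group, so absent from the profile export.
        "group_only": sorted(group - direct),
        # Figure to compare with the user count shown on the profile.
        "expected_total": len(direct | group),
    }


if __name__ == "__main__":
    for key, value in reconcile(PROFILE_EXPORT, GROUP_MEMBERS).items():
        print(key, value)
```

If `expected_total` does not match the count shown on the profile, one of the two inputs is incomplete and the unassign list should not be trusted yet.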
Great, that matches what I thought it might be. We've done the cleanup at this point and things look good.
Now trying to figure out if we got bad info at some point (or misinterpreted info) and now have like 10k disabled users from the directory...
Hi @rstaselbeta,
Disabled users in the Adobe Admin Console typically result from Azure Sync/SCIM deprovisioning actions — such as when users are removed from in-scope groups or soft-deleted in Entra ID — and they remain in the console unless explicitly deleted. This is expected behavior and not an error.
Under Azure Sync, removing a user from all synced groups, soft-deleting the user in Entra ID, or taking the user out of the provisioning scope will mark the user as Disabled in the Admin Console, preventing login and license use. Azure continues to manage the user record but does not automatically delete the account or its associated assets.
Check the Disable users and groups section in this document: https://adobe.ly/45LnlOf
If you need to permanently delete disabled users (which will also delete any associated cloud data), see this document: https://adobe.ly/4lY1EPQ
Hope this answers your query.
Regards,
^AN
It sounds like once a user is marked as disabled in the directory, they can no longer be re-sync'd from Azure. That's the issue. We had a user Azure was failing to create, and support says this is because the user was disabled in our directory sync.
So, what I'm trying to figure out is, why is this a permanent error. Users can be deleted out of entra (they leave the university) then come back and re-claim their previous ID. But then Azure will just fail to recreate/reactivate them. This seems like an issue...
Hi @rstaselbeta,
Once a user is removed from Azure, they are marked as Disabled in the Adobe Admin Console rather than being deleted immediately. This is intentional — it preserves the user’s Adobe cloud data and prevents accidental overwrites if the same account is re-created in Azure. If the user later returns and reclaims their Entra ID (Azure AD account), Adobe will block automatic re-provisioning until the Disabled record is explicitly deleted from the Adobe Admin Console. Deleting this record permanently removes any associated cloud data. After deletion, Azure Sync can create the user again as a fresh account. Admins can review or back up user data before deletion by visiting Admin Console → Storage → Individual User Folders → Inactive Users tab. Once the user is removed from the directory and their record deleted, re-adding them via sync will work as expected.
Hope this helps. Let us know if you need further assistance.
Regards,
^AN
Hi @Anshul_Nautiyal that's unacceptable behavior though. I understand not wanting to accidentally give a new user someone else's data, but we cannot keep all aged out users in our Azure user list. So users age out. But if they return, they get to reclaim their username... that should reactivate them in adobe. Or we need some way to reactivate them manually saying "this is okay".... we shouldn't have to delete their data to allow that to happen.
Further, I can't export the list of inactive users from storage, so I can't cross reference that with deactivated users, etc. I also can't sort that list for 0kb users.
We currently have about 10,000 deactivated users... this is untenable. Honestly really shows y'all don't work with Higher Education on some of these design choices. =/
Hi @rstaselbeta,
I’m currently reviewing your query and will provide you with an update soon. Regarding your request to export the list of inactive users from Storage, this feature is not available at the moment. However, we’ve shared your feedback with the product team for future consideration. Thank you for sharing this feedback with us.
Regards,
^AN