Adobe Admin console > Settings > Create Directory
Enter a name for the directory—this is an internal name and is not shared publicly—and select Federated Directory.
In this configuration, Federated users are added, updated, and removed using a sync, and the directory can be synced from Microsoft Entra or Google Workspace.
These videos cover K-12 for Adobe Express. Syncing users and assigning licenses to groups is the same process for Higher Education just with different product names.
This guide will cover syncing users from Microsoft Azure (Entra) and Google Workspace for Education.
Alternative syncing options are available, enabling users to sync from an on-premise directory using the User Sync Tool or directly via Adobe’s User Management API https://developer.adobe.com/UMAPI/
Once the directory screen is completed, claim domains using a Microsoft Global Admin Account or a Google Super Admin; this will list all available Domain/s in your identity provider console. If your organization is not using Azure/Entra or Google, you can validate domain ownership by creating a DNS text record with your domain registrar.
If you are blocked during the domain claim process with Google due to an API add the following Client ID 880547366666-6dhr4mqsutv0a98arjksgflfh02kgp98.apps.googleusercontent.com with the following steps.
It can take up to 20 minutes for the Google API to update the permissions.
Select the Sync Tab
From here you select Add sync
Select sync from Microsoft or Google
This will then open a configuration window for your selected sync provider.
If setting up a new directory, the Adobe Identity Management App is installed during the directory authentication stage.
To access the app visit
Azure > Enterprise Applications > Adobe Identity Management
Select Provisioning > Get Started
Copy the values from the Adobe Admin Console sync configuration screen and paste them into the provisioning configuration screen in Azure.
Test the connection
You can select the users and groups to which you need to assign license.
Tip > To test provisioning after selecting the users or groups, choose Provision on demand and identify a user to test the sync.
After the sync, you can visit the Adobe Admin Console > Users > User Group to see the synced groups and users.
After testing the sync, please enable it in Azure and confirm the setup on the Adobe Admin Console sync config screen.
If syncing a large group of >100,000 users, sync a user on demand and then complete the license assignment stage 5.
Once the license has been assigned to the group, enable the full sync to avoid being unable to assign the licence as the group is too large.
If setting up a new directory, the Adobe (SAML) app is installed during the directory authentication stage.
To access the app, visit
Google Admin Console > Apps > Web and Mobile > Adobe web (SAML)
Enable the App for everyone or specific OU's
Select Configure Auto-Provisioning
Copy the values from the Adobe Admin Console sync configuration screen and paste them into the provisioning configuration screen in Google.
On the attribute mapping screen, enable the organizational Unit field to sync.
urn:ietf:params:scim:schemas:extension:Adobe:2.0:User.organizationalUnit to map to Organization unit path
After completing the wizard > Enable Sync
Users can take up to 10 minutes to appear in the Adobe Admin Console.
Adding the Organizational Unit Path mapping during the sync configuration will enable the assignment of licenses by group; otherwise, the users are just added to the org with no group membership.
Google Sync currently only supports OU’s and not Groups.
Google’s OU groups are hierarchical OUs, and they will contain all users in the sync scope. Your organizational Unit Structure in Google determines this. For Example,
If an existing Google Sync is configured, edit the auto-provision attribute mapping for the Organizational Unit to automatically trigger a full sync and sync the OU’s to the Adobe Admin Console.
For the products you plan to assign to users, select the product and the product profile. Every product will have a default configuration.
Adobe Admin Console > Products > Select a Product > Product Profile
The product profile provides the following controls
If assigning licenese to multiple users you may choose to turn off email notifications to soft deploy the license to users.
Adobe Admin Console > Users > User Groups
Select a user group
Select Assigned Product Profiles
Here, you can select or change product profiles assigned to the group.
When a user is synced and added to this group, they will receive the product profiles assigned to the group. If a user is removed from the sync group, for example, they have left the organization, their product assignment from this group will be removed, and the license will be re-assigned to another user.
You can create multiple product profiles for each product with different settings. If you have more than one product profile for a product, you can select the specific profile when assigning it to the group.
For Adobe Express, share a specific URL with your users. This URL will trigger an SSO login to your primary IDP configured in the directory that owns the domain.
The URL format is
https://new.express.adobe.com/a/domain.org
Replace domain.org with a registered of the domains in the directory.
In the Google Admin Console > Apps & Extensions https://admin.google.com/ac/chrome/apps/user add the following as a URL:
https://new.express.adobe.com/chrome-tab/a/domain.org
Replace domain.org with a domain claimed in your Admin Console federated directory.
To pin to the taskbar, select Force install + Pin to ChromeOS taskbar.