Adobe User Management Guide

• Model type: role-based
• Description: Adobe Admin Console uses a hierarchical role-based model. Administrative roles (System Admin, Product Admin, Product Profile Admin, User Group Admin, Deployment Admin, Support Admin, Storage Admin) control console access. End-user product access is controlled via product profiles, which define which apps and services are available and can include per-product permission items (e.g., Observer, Editor, Approver roles in Adobe Target). Permissions on roles are additive. All users in a product profile default to the Member role with all permissions enabled; admins must explicitly restrict permissions.
• Custom roles: No
• Custom roles plan: Not documented
• Granularity: Admin roles are fixed and predefined; no custom admin roles can be created. Product-level permissions within product profiles can be toggled per permission item (section-level granularity), and product roles (e.g., Observer, Editor, Approver) can be assigned per product. Role assignments are captured in the Audit log.

1. Sign in to the Adobe Admin Console at adminconsole.adobe.com.
2. Navigate to Users > Users tab.
3. Click 'Add Users'.
4. Enter the user's email address and optionally their first and last name.
5. For enterprise accounts: select a product and a product profile to assign. For teams accounts: select the product.
6. Optionally, add the user to a user group via the User Groups section.
7. Click Save. The user is added and a welcome email is sent.

Required fields: Email address

Watch out for:

• The UI allows adding up to 10 users at a time manually; repeat the process for more.
• If the user's email domain is claimed by the organization, they are added as Enterprise ID or Federated ID depending on org configuration. If not claimed, they are added as Adobe ID.
• Admins can only update details for users belonging to a domain the organization owns, not domains it merely trusts.
• If a user has a pre-existing personal Adobe account with the same email, Adobe creates separate personal and business profiles, which can confuse end users about where their files are stored.
• For Creative Cloud for Teams, all users added to the Admin Console receive complimentary access to select Adobe products and services.
• Invitation emails may expire or not be received; there is no native 'resend invite' button in the UI-admins must remove and re-add the user.

• Can delete users: Yes
• Delete/deactivate behavior: Adobe distinguishes between removing a user from the Users list (which removes their product access and license assignment but retains them in the Directory Users list and allows restoration) and permanently deleting a user from the Directory Users list (which removes the user and all their Creative Cloud assets with no recovery option). For Azure Sync or Google Sync-managed users, removal from the sync scope in the IdP disables the user; permanent removal requires enabling editing in the Admin Console, which is not recommended as subsequent syncs may overwrite manual changes.

1. Sign in to the Adobe Admin Console.
2. Navigate to Users > Users.
3. Select the checkbox next to the relevant user(s).
4. Click 'Remove Users'.
5. If the user has Adobe storage for business assets, choose one of: 'Transfer content now' (sends folder content to a designated user via email), 'Transfer content later' (content remains in Inactive Users tab until permanently deleted), or 'Permanently delete content' (irreversible).
6. Confirm the removal. The user is removed from the Users list and loses product access; their license seat is freed.

Watch out for:

• Permanently deleting a user from Directory Users removes all their Creative Cloud assets with no recovery option.
• Files the user marked for deletion in their Creative Cloud storage folders cannot be reclaimed under any circumstances.
• For Lightroom files, the user must download and transfer files before being removed, as Lightroom assets are not included in the standard asset reclamation archive.
• For Azure Sync or Google Sync users, enabling manual editing in Admin Console to force-remove a user is not recommended; changes may be overwritten on the next IdP sync.
• Removing a user who is a contract owner requires first assigning another user as contract owner.
• Licenses are freed upon user removal, but reducing the total purchased license count requires contacting Adobe support or waiting for the renewal window (self-service license reduction is only available in the renewal window for Teams direct-purchase plans).

• Where to check usage: Admin Console > Insights > License assignment reports (for ETLA named-user licenses for Creative Cloud and Document Cloud products). Also: Admin Console > Overview tab shows purchased vs. assigned license counts per product. Admin Console > Storage tab shows per-user storage consumption.
• How to identify unused seats: License assignment reports (Admin Console > Insights) show aggregated assigned vs. purchased counts for ETLA seat-based products, but do not show whether assigned users have actually launched or used the application. The Admin Console does not provide per-user last-login time or application usage frequency/duration data. Admins must cross-reference assigned users against IdP audit logs (if SSO is configured) or use third-party SAM tools to identify truly unused seats.
• Billing notes: License assignment data only supports named-user licenses for Creative Cloud and Document Cloud products purchased under the Enterprise Term License Agreement (ETLA). Usage-based products (Adobe Acrobat Sign, Adobe Stock) are not included in assignment reports; overages are billed separately under ETLA terms. For Teams direct-purchase plans, self-service license count reduction is only available during the renewal window (approximately one month before renewal); reductions outside this window require contacting Adobe support. VIP (Value Incentive Plan) pricing is available for volume purchases.

Without automated provisioning, every app in the Adobe portfolio requires hands-on Admin Console work for each joiner, mover, and leaver event. Adding users is capped at 10 at a time through the UI, and there is no native 'resend invite' button - expired invitations require removing and re-adding the user entirely.

License reclamation is structurally difficult: the Admin Console does not expose per-user last-login time and does not track application usage frequency or duration, so identifying inactive seats requires cross-referencing IdP audit logs or deploying a third-party SAM tool.

Reducing purchased license counts outside the renewal window requires contacting Adobe support directly - self-service reduction is unavailable mid-term on Teams direct-purchase plans.

Practitioners consistently flag three pain points in Adobe's enterprise community forums. First, the absence of last-login visibility in the Admin Console makes inactive-user identification operationally dependent on external tooling.

Second, the hard restriction to Azure AD and Google Workspace for automated sync leaves organizations running Okta or other IdPs without a supported provisioning path.

Third, the requirement to reach Enterprise plan pricing before SCIM is available is widely described as an 'SSO tax' - organizations on Teams plans have no path to automated provisioning regardless of user count.

Adobe's own support responses confirm that custom admin roles and per-user usage tracking are not on the current feature set.

Common complaints:

• No Okta SCIM support despite being a major enterprise IdP; only Azure AD/Entra and Google Workspace are supported for automated provisioning.
• Limited to only two identity providers (Azure AD and Google Workspace) for automated sync/SCIM provisioning.
• Manual license management still required even with sync enabled; license count reductions require contacting Adobe support outside the renewal window.
• SSO and SCIM provisioning require Enterprise plan, effectively an 'SSO tax' for organizations needing automated provisioning.
• Admin Console does not expose per-user last-login time, making it impossible to identify inactive users without IdP audit logs or third-party tools.
• Admin Console does not track individual application usage frequency or duration for licensed users, preventing data-driven license reclamation.
• No custom administrative roles with granular permissions; fixed role set cannot be tailored to least-privilege requirements.
• User Group Admins can assign the same role to other members, undermining least-privilege access control.
• Users with pre-existing personal Adobe IDs using the same email as their business account experience confusion between personal and business profiles, with files sometimes landing in the wrong profile.
• Invitation emails to new users can be missed or expire, and there is no native 'resend invite' button in the Admin Console UI.
• UMAPI cannot be used to add or remove users if Azure/Entra or Google automated sync is active, creating a conflict between API-based and sync-based management.
• Reducing purchased license count outside the renewal window requires contacting Adobe support rather than self-service.

Representative quotes (verbatim):

Unfortunately, you cannot see a user's last login time via the Admin Console at this time.

• Adobe community moderator response, Adobe Enterprise & Teams Community (https://community.adobe.com/t5/enterprise-teams-discussions/users-in-admin-console-last-login-in-time-and-filtering/td-p/13109567)

At this time, the Adobe Admin Console does not support the creation of custom administrative roles with granular permissions.

• Adobe support response, Adobe Enterprise & Teams Community, 2025 (https://community.adobe.com/questions-624/feature-request-allow-granular-permissions-management-for-adobe-enterprise-roles-682728)

Currently, the Adobe Admin Console does not offer a feature to track individual usage of Creative Cloud apps, including details about the frequency or duration of software usage by licensed users.

• Adobe support response, Adobe Enterprise & Teams Community, November 2024 (https://community.adobe.com/t5/enterprise-teams-discussions/admin-console-report-to-show-if-named-user-licenses-are-actually-utilized/td-p/14939831)

Adobe manual provisioning is workable for small, stable orgs with a single IdP already on Azure AD or Google Workspace at Enterprise tier.

It becomes a material operational burden at scale: license sprawl is hard to detect without external tooling, offboarding carries irreversible asset-deletion risk if the wrong removal path is chosen, and the two-IdP SCIM restriction creates a hard blocker for mixed-IdP environments.

Organizations running Okta or any IdP outside the supported two will need to evaluate the User Sync Tool (open-source, schedule-based) or UMAPI automation as their only paths to reducing manual overhead.

Bottom line

Adobe's Admin Console gives Enterprise-tier organizations a functional but constrained provisioning surface. The lack of usage analytics, the two-IdP SCIM ceiling, and the absence of custom admin roles mean that manual processes accumulate faster than they should - particularly around license reclamation and offboarding.

Teams-plan organizations have no automated provisioning path at all. For any org managing Adobe at scale, the operational cost of staying manual compounds directly with headcount: every app assignment, every offboard, and every license audit requires human intervention that the platform itself does not reduce.