Fix Adobe Creative Cloud Conditional Access SSO Issues

Recently, I helped a customer troubleshoot a frustrating issue with Adobe Creative Cloud. The app was deployed, the user was licensed, and SSO was enabled — yet when launching the app, an embedded browser window popped up asking the user to sign in.

This wasn’t expected behavior, especially on a compliant and Entra ID-joined device.

What I Noticed

The customer enforces Conditional Access policies in Entra ID that require applications to be accessed only from compliant or Entra ID-joined devices. This works well for most apps, especially those that authenticate through modern browsers like Edge or Chrome.

But Adobe Creative Cloud wasn’t cooperating.

The login prompt inside the Adobe app looked like a browser popup, but it wasn’t passing device identity to Entra ID. That meant Entra ID couldn’t evaluate the identity of the device, and the login was blocked.

What Was Causing It

Turns out, the embedded browser used by Adobe Creative Cloud is a lightweight, standalone webview that impersonates Edge/Chrome for compatibility, but it doesn’t actually support Chrome extensions or device identity pass-through.

This meant Entra ID couldn’t verify the login.

The Fix That Worked

Fortunately, Adobe offers workarounds. One of them is to force Adobe Creative Cloud to use the default system browser for login instead of the embedded one.

This is done by setting a registry key. I used Patch My PC’s post-script feature to deploy it across all managed devices:

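# Policy key that holds the sign-in setting
$regPath = "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown"

# Create the key if it does not exist yet (output suppressed to keep deployment logs clean)
if (-not (Test-Path -LiteralPath $regPath)) {
    New-Item -Path $regPath -Force -ErrorAction SilentlyContinue | Out-Null
}

# iAcroLoginType = 5 makes sign-in open in the default system browser
New-ItemProperty -Path $regPath `
    -Name "iAcroLoginType" `
    -Value 5 `
    -PropertyType DWord `
    -Force `
    -ErrorAction SilentlyContinue | Out-Null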

Once this key is set, Adobe Creative Cloud opens the sign-in process in your default browser.

Why the Browser Change Solves It

When authentication happens in a full browser, device identity gets passed through properly:

  • Edge: Works out of the box if the user is signed in with their corporate account
  • Chrome: Works if either:
    • The Microsoft Single Sign On extension is installed
    • CloudAPAuthEnabled is configured (Chrome 111+)

Now Entra ID can evaluate the device, and Conditional Access works as expected.
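
To confirm on a given device that these prerequisites are actually in place, a read-only check can be run in the signed-in user's session. This is an added example, not code from the original post or from Adobe or Microsoft; the function names are hypothetical, and the Chrome path is the standard machine-level Chrome policy key.

```powershell
# Added example: read-only check of the sign-in prerequisites described in this post.
# Get-RegistryDword and Test-AdobeCaPrerequisites are hypothetical helper names.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-AdobeCaPrerequisites {
    # Registry value from the post: 5 = sign in through the default system browser.
    $loginType = Get-RegistryDword `
        -Path 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown' `
        -Name 'iAcroLoginType'

    # Chrome policy named in the post (1 = enabled); only relevant when Chrome is the default browser.
    $cloudAp = Get-RegistryDword `
        -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome' `
        -Name 'CloudAPAuthEnabled'

    # dsregcmd reports the join state and, in a user session, whether a
    # Primary Refresh Token is present. Run as SYSTEM, the PRT line is absent.
    $dsreg  = (& dsregcmd.exe /status) -join "`n"
    $joined = $dsreg -match 'AzureAdJoined\s*:\s*YES'
    $prt    = $dsreg -match 'AzureAdPrt\s*:\s*YES'

    [pscustomobject]@{
        SystemBrowserLogin  = ($loginType -eq 5)
        ChromeCloudAPAuth   = ($cloudAp -eq 1)
        EntraJoined         = $joined
        PrimaryRefreshToken = $prt
    }
}

# Prints one True/False line per prerequisite.
Test-AdobeCaPrerequisites | Format-List
```

A False on SystemBrowserLogin means the registry deployment did not land on that device, which the SilentlyContinue error handling in the deployment script would not have reported.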

Final Thoughts

A simple registry tweak was all it took to get Adobe working with Conditional Access — without compromising policy enforcement.

2 Comments

  1. Hi Kjetil,
    thank you for this article. I’m currently facing an issue with signing in to the Adobe Creative Cloud Desktop App (version 6.6.0.611) on Windows 11 (build 22631) in combination with a Federated ID and Conditional Access setup. When trying to log in via the menu “Help > Sign in using your browser”, nothing happens—the default browser (Microsoft Edge) does not open. All other options under the Help menu work fine, but this particular login entry is completely unresponsive. I have had this problem since the 2nd of May.

    The only way the login works is by manually deleting all Adobe-related Windows Credentials from the Credential Manager. After that, the browser opens once for login, but this behavior is not reliably reproducible.

    What I’ve already tried (unsuccessfully):

    Full uninstallation of Creative Cloud including Adobe Cleaner Tool

    Deleted all leftover registry entries and temp data

    Enabled devtools in the app — IMS or Jump URLs do not appear in the Network tab

    Registry settings verified:

    Added iAcroLoginType as DWORD with value 5 at
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown

    Also tried iNGLCEFWorkflowEnabled (value 0) at the same path — no effect

    Created EnableIEBrowserWF.CONFIG under
    C:\ProgramData\Adobe\OperatingConfigs — no change

    Tested and switched default browsers (Edge, Chrome, Firefox) multiple times

    I also receive a Conditional Access-related error stating that “switching from here to there is not allowed” because the device does not comply with the required access policy. It prompts me to install a Chrome extension, which is already installed.

    In the app’s event log, I see this error:

    imsBridge :: updateAccessToken – Error fetching IMS token: IMS Error : Jump url handling required

    The Creative Cloud Desktop App installation has not changed (no update), and the login process has worked flawlessly for years with this exact setup.

    Have you encountered a similar issue or found a workaround?
    Could it be related to the CCXProcess component or a blocked protocol?

    Any help would be appreciated!

    Best regards,
    Nico
