Fix Adobe Creative Cloud Conditional Access SSO Issues
Recently, I helped a customer troubleshoot a frustrating issue with Adobe Creative Cloud. The app was deployed, the user was licensed, and SSO was enabled — yet when launching the app, an embedded browser window popped up asking the user to sign in.
This wasn’t expected behavior, especially on a compliant and Entra ID-joined device.
What I Noticed
The customer enforces Conditional Access policies in Entra ID that require applications to be accessed only from compliant or Entra ID-joined devices. This works well for most apps, especially those that authenticate through modern browsers like Edge or Chrome.
But Adobe Creative Cloud wasn’t cooperating.
The login prompt inside the Adobe app looked like a browser popup, but it wasn’t passing device identity to Entra ID. That meant Entra ID couldn’t evaluate the identity of the device, and the login was blocked.
What Was Causing It
Turns out, the embedded browser used by Adobe Creative Cloud is a lightweight, standalone webview that impersonates Edge/Chrome for compatibility, but it doesn’t actually support Chrome extensions or device identity pass-through.
This meant Entra ID couldn’t verify the login.
The Fix That Worked
Fortunately, Adobe offers workarounds. One of them is to force Adobe Creative Cloud to use the default system browser for login instead of the embedded one.
This is done by setting a registry key. I used Patch My PC’s post-script feature to deploy it across all managed devices:
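    # Policy key that holds the login-type setting
    $regPath = "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown"

    # Create the key if it does not exist yet
    if (-not (Test-Path -LiteralPath $regPath)) {
        New-Item -Path $regPath -Force -ErrorAction SilentlyContinue
    }

    # Set iAcroLoginType = 5 (DWORD) so sign-in opens in the default system browser
    New-ItemProperty -Path $regPath `
        -Name "iAcroLoginType" `
        -Value 5 `
        -PropertyType DWord `
        -Force `
        -ErrorAction SilentlyContinue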
Once this key is set, Adobe Creative Cloud opens the sign-in process in your default browser.
Why the Browser Change Solves It
When authentication happens in a full browser, device identity gets passed through properly:
- Edge: Works out of the box if the user is signed in with their corporate account
- Chrome: Works if either:
  - The Microsoft Single Sign On extension is installed
  - CloudAPAuthEnabled is configured (Chrome 111+)
Now Entra ID can evaluate the device, and Conditional Access works as expected.
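To confirm on a given device that these pieces are in place, a read-only check along the following lines can be run in the signed-in user's context. It is an added example, not part of the original post or any Adobe or Microsoft tooling. It assumes Chrome policies are read from HKLM:\SOFTWARE\Policies\Google\Chrome and that dsregcmd reports the AzureAdJoined and AzureAdPrt fields; the function names are hypothetical.

```powershell
# Added example: read-only check of the prerequisites described in this post.
# Run as the signed-in user so dsregcmd reports that user's state.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-DsregFlag {
    param([string[]]$Lines, [string]$Field)
    # True when dsregcmd printed "<Field> : YES".
    [bool]($Lines | Where-Object { $_ -match "^\s*$Field\s*:\s*YES\s*$" })
}

# 1. The registry value from the post (path, name and data as given there).
$adobePath = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown'
$loginType = Get-RegValue -Path $adobePath -Name 'iAcroLoginType'

# 2. Chrome policy named in the post; 1 means enabled. Assumed policy path.
#    The extension alternative is not checked here.
$chromePath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$cloudAp    = Get-RegValue -Path $chromePath -Name 'CloudAPAuthEnabled'

# 3. Device join state and Primary Refresh Token as reported by dsregcmd.
$dsreg = & dsregcmd.exe /status 2>$null

$result = [pscustomobject]@{
    SystemBrowserLoginSet = ($loginType -eq 5)
    ChromeCloudAPAuth     = ($cloudAp -eq 1)
    EntraJoined           = Test-DsregFlag -Lines $dsreg -Field 'AzureAdJoined'
    PrimaryRefreshToken   = Test-DsregFlag -Lines $dsreg -Field 'AzureAdPrt'
}
$result | Format-List

# Non-zero exit lets a deployment tool treat the device as not remediated.
if (-not $result.SystemBrowserLoginSet) { exit 1 }
```

Because the deployment script above uses -ErrorAction SilentlyContinue, a failed registry write produces no error; a check like this is what surfaces it.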
Final Thoughts
A simple registry tweak was all it took to get Adobe working with Conditional Access — without compromising policy enforcement.