Your Admin account

Last update: January 7, 2025

CREATED FOR:

Beginner
Intermediate
Admin
Leader
User

The primary Admin account was initially set up during the installation, and might contain initial placeholder information or sample data information. The designated owner of this account can personalize the user name and password and update the first name, last name, and email address at any time. This account, a super user with all permissions by default, typically creates the Admin user accounts needed for the business.

See Create a user for information on adding or editing users.
See Permissions and User Roles for information about Admin and user roles.

NOTE

Adobe Commerce merchants who have an Adobe ID and want a streamlined login to Adobe Commerce and Adobe Business products can integrate Commerce Admin authentication with the Adobe IMS authentication workflow. After this integration is enabled for your Commerce store, each Admin user must use their Adobe credentials — not their Commerce account credentials — to log in. See Integrating Adobe Commerce with Adobe IMS overview.

The Commerce Admin is protected by multiple layers of security measures to prevent unauthorized access to your store, order, and customer data. The first time you sign in to the Admin, you are required to enter your username and password and to set up two-factor authentication (2FA).

Depending on the configuration of your store, there may be a CAPTCHA challenge to resolve, such as entering a series of keyboard characters, solving a puzzle, or clicking a series of images with a common theme. These tests are designed to identify you as a human, rather than an automated bot.

For additional security, you can determine which parts of the Admin each user has permission to access, and also limit the number of login attempts. By default, after six attempts the account is locked, and the user must wait a few minutes before trying again. Locked accounts can also be reset from the Admin.

NOTE

The first time you sign in to the Admin, you are prompted to Allow admin usage data collection. See Usage data collection for more information.

Admin sign in

Step 1: Set up two-factor authentication

Before you can sign in to the Admin of your store, you must have a two-factor authentication solution set up and ready to use. To learn more about the authentication process used by each solution, see Using Two-Factor Authentication. By default, Commerce supports Google Authenticator.

Ask your Commerce system administrator which 2FA solutions are supported for the store. Then, complete the setup of your preferred 2FA solution according to the provider’s instructions.

Enter the Admin URL that was specified during the Commerce installation.

The default Admin URL looks something like https://www.yourdomain.com/your-custom-admin-domain.

NOTE
Although this documentation uses admin as the base URL in most examples, it is recommended that you choose a unique and hard-to-guess custom URL for the Admin of your store.

You can add a bookmark for the page or save a shortcut on your desktop for easy access.
Enter your Admin Username and Password.
(Optional) If a CAPTCHA is enabled for your store, follow the onscreen instructions to resolve the challenge.

To learn more, see CAPTCHA and reCAPTCHA.
Click Sign in.

If it is the first time you have signed in to the Admin from the account, you should receive an email with a link to configuration instructions.

Step 3: Complete the 2FA configuration

The following example shows how to pair your Admin account with Google Authenticator.

When the QR code appears, use one of the following methods to capture the code and pair Google Authenticator with your Admin account.
- Capture QR Code using a smart phone
  
  On your smart phone, launch Google Authenticator. Tap the plus sign (+) in the upper-right corner of the app. Then at the bottom of the screen, tap Scan Barcode and take a picture of the QR code.
- Capture QR Code from browser
  
  If Google Authenticator is installed as an extension in your browser, click the Authenticator icon in the toolbar and capture the page.
- Manually enter QR code
  
  Copy the string of text below the QR code. Launch Google Authenticator with either your smart phone or browser, and click the plus sign (+). Then, choose Manual Entry. Under Account, enter the email address that is associated with your Admin account and paste the QR code string into the Key field.
To sign in to the Admin with two-factor authentication, enter the six-digit code generated by Google Authenticator into the Authenticator code field, and then click Confirm.

Reset your password

Reuse of the last four passwords assigned to the account is not allowed.

Enter the Email Address that is associated with the Admin account.
Click Retrieve Password.

If an account is associated with the email address, an email is sent to reset your password.

NOTE
An Admin password must be seven or more characters long and include both letters and numbers. See Configuring Admin Security for information about password options.

Sign out of the Admin

In the upper-right corner, click the Account ( ) icon.
Click Sign Out.

The Sign In page displays a message that you are logged out. Sign out of the Admin whenever you leave your computer unattended.

Edit account information

Click the Account ( ) icon.
Click Account Setting.
Make necessary changes to your account information.

If you change your login credentials, ensure you store them in a secure location.
Enter your current account password.
Click Save Account.

Allow multiple Admin logins

The Admin provides access to manage the orders, customers, products, shipping, and payments functionalities. The default configuration is set to disallow multiple logins for an Admin user account as a security best practice. However, you can change this setting to allow Admin users to be logged in from multiple devices to accommodate your business workflows.

On the Admin sidebar, go to Stores > Settings > Configuration.
In the left navigation panel, expand Advanced and choose Admin.
Expand the Security section.
For Admin Account Sharing, select Yes.
Click Save Config.

On the Admin sidebar, go to Stores > Settings > Configuration.
In the left navigation panel, expand Advanced and choose Admin.
Expand the Security section.
Set the Login is Case Sensitive field to Yes.
Click Save Config.

Maintan secure access to the Admin

To ensure the security of your admin, conduct regular audits of users and roles with admin access.

Additionally, consider updating the Admin Base URL configuration to change the default /admin endpoint to a custom path. Configuring a custom path provides the following security benefits:

Enhanced Security: The default “admin” path is widely known and often targeted by malicious actors attempting brute force attacks. By changing it to a unique, custom value, you significantly reduce the risk of unauthorized access attempts.

Reduced Vulnerability: Automated bots frequently scan for common paths like “admin” to exploit vulnerabilities. A custom path makes it harder for these bots to locate your admin login page, thereby reducing the likelihood of attacks.

Improved Privacy: A custom admin path adds an extra layer of obscurity, making it more difficult for potential attackers to identify and target your admin login page.

Compliance with Best Practices: Following security best practices, such as customizing your admin path, demonstrates a proactive approach to protecting your e-commerce site and customer data.

NOTE

If a breach is suspected, make sure to remove all unknown Admin users and reset all Admin passwords and review the Security action plan for further steps.

recommendation-more-help

Your Admin account

Admin sign-in

Step 1: Set up two-factor authentication

Step 2: Sign in to the Admin

Step 3: Complete the 2FA configuration

Reset your password

Sign out of the Admin

Edit account information

Allow multiple Admin logins

Set Admin user login names as case sensitive

Maintan secure access to the Admin