AAD Connect – Multiple Azure AD tenants (Public preview)

[Diagram: topology of multiple Azure AD tenants synchronized from one Active Directory]

The long-awaited feature is here: you can now synchronize the same users, groups, and contacts from a single Active Directory to multiple Azure AD tenants.

This topology implements the following use cases:

  • AADConnect can synchronize the same users, groups, and contacts from a single Active Directory to multiple Azure AD tenants. These tenants can be in different Azure environments, such as the Azure China environment or the Azure Government environment, but they could also be in the same Azure environment, such as two tenants that are both in Azure Commercial.
  • The same Source Anchor can be used for a single object in separate tenants (but not for multiple objects in the same tenant).
  • You will need to deploy an AADConnect server for every Azure AD tenant you want to synchronize to – one AADConnect server cannot synchronize to more than one Azure AD tenant.
  • It is supported to have different sync scopes and different sync rules for different tenants.
  • Only one Azure AD tenant sync can be configured to write back to Active Directory for the same object. This includes device and group writeback as well as Hybrid Exchange configurations – these features can only be configured in one tenant. The only exception here is Password Writeback – see below.
  • It is supported to configure Password Hash Sync from Active Directory to multiple Azure AD tenants for the same user object. If Password Hash Sync is enabled for a tenant, then Password Writeback may be enabled as well, and this can be done on multiple tenants: if the password is changed on one tenant, then password writeback will update it in Active Directory, and Password Hash Sync will update the password in the other tenants.
  • It is not supported to use the same custom domain name in more than one Azure AD tenant, with one exception: it is supported to use a custom domain name in the Azure Commercial environment and use that same domain name in the Azure GCCH environment. Note that the custom domain name MUST exist in Commercial before it can be verified in the GCCH environment.
  • It is not supported to configure hybrid experiences such as Seamless SSO and Hybrid Azure AD Join on more than one tenant. Doing so would overwrite the configuration of the other tenant and would make it unusable.
  • You can synchronize device objects to more than one tenant but only one tenant can be configured to trust a device.
  • Each Azure AD Connect instance should be running on a domain-joined machine.

ADFS in Multi-tenant scenarios

Multi-tenant federation with single AD FS

A single highly available AD FS farm can federate multiple forests if they have a two-way trust between them. These forests may or may not correspond to the same Azure Active Directory.

Step 1: Establish a two-way trust

For AD FS in contoso.com to be able to authenticate users in fabrikam.com, a two-way trust is needed between contoso.com and fabrikam.com. Follow the guideline in this article to create the two-way trust.

Step 2: Modify contoso.com federation settings

The default issuer set for a single domain federated to AD FS is “http://ADFSServiceFQDN/adfs/services/trust”, for example, http://fs.contoso.com/adfs/services/trust. Azure Active Directory requires a unique issuer for each federated domain. Since the same AD FS farm is going to federate two domains, the issuer value needs to be modified so that it is unique for each domain AD FS federates with Azure Active Directory.

On the AD FS server, open Azure AD PowerShell (ensure that the MSOnline module is installed) and perform the following steps:

```powershell
# Connect to the Azure Active Directory that contains the domain contoso.com
Connect-MsolService

# Update the federation settings for contoso.com so the issuer becomes domain-specific
Update-MsolFederatedDomain -DomainName contoso.com -SupportMultipleDomain
```

The issuer in the domain federation settings will be changed to “http://contoso.com/adfs/services/trust”, and an issuance claim rule will be added to the Azure AD Relying Party Trust to issue the correct issuerId value based on the UPN suffix.

Step 3: Federate fabrikam.com with AD FS

In the Azure AD PowerShell session, perform the following steps: Connect to the Azure Active Directory that contains the domain fabrikam.com
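Once several domains are federated through the same farm, the requirement in Step 2 (one unique issuer per federated domain) is worth verifying rather than assuming. The following check is an added example, not part of the original post or of Microsoft's documentation; it assumes the MSOnline module is installed and that the account used by Connect-MsolService can read domain federation settings.

```powershell
# Added example: audit every federated domain in the tenant and flag two problems:
#  1. two domains sharing one IssuerUri (Azure AD requires the issuer to be unique)
#  2. a domain still on the farm-wide default issuer instead of the
#     -SupportMultipleDomain form http://<domain>/adfs/services/trust
Connect-MsolService

$federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }

$report = foreach ($d in $federated) {
    $fs = Get-MsolDomainFederationSettings -DomainName $d.Name
    [pscustomobject]@{
        Domain          = $d.Name
        IssuerUri       = $fs.IssuerUri
        ExpectedIssuer  = "http://$($d.Name)/adfs/services/trust"
        PassiveLogOnUri = $fs.PassiveLogOnUri
    }
}

# Problem 1: the same issuer claimed by more than one domain
$report | Group-Object IssuerUri | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Issuer '{0}' is shared by: {1}" -f $_.Name, ($_.Group.Domain -join ', '))
}

# Problem 2: domains that were federated without -SupportMultipleDomain
$report | Where-Object { $_.IssuerUri -ne $_.ExpectedIssuer } | ForEach-Object {
    Write-Warning ("{0}: issuer is '{1}', expected '{2}'. Fix with: Update-MsolFederatedDomain -DomainName {0} -SupportMultipleDomain" -f $_.Domain, $_.IssuerUri, $_.ExpectedIssuer)
}

$report | Format-Table -AutoSize
```

Run it again after each Update-MsolFederatedDomain / New-MsolFederatedDomain so that the report comes back with no warnings before users are pointed at the new domain.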

Recommendations

Microsoft recommends having a single Azure AD tenant per organization and using Administrative Units to delegate administration within it.

As a Global Administrator or a Privileged Role Administrator, you can use the Azure portal to:

  • Create administrative units
  • Add users and groups as members of administrative units
  • Assign IT staff to administrative unit-scoped administrator roles.

Administrative units apply scope only to management permissions. They don’t prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin center, users outside a scoped admin’s administrative units are filtered out, but those users can still be browsed in the Azure portal, PowerShell, and other Microsoft services.
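The same delegation can be scripted instead of clicked through in the portal. This is an added example, not from the original post or from Microsoft's documentation; it uses the Microsoft Graph PowerShell SDK, and the unit name and the two UPNs are placeholders.

```powershell
# Added example: create an administrative unit, put one user in it, and grant a
# helpdesk operator the Helpdesk Administrator role scoped to that unit only.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$au = New-MgDirectoryAdministrativeUnit -DisplayName 'EMEA Helpdesk scope' `
        -Description 'Users the EMEA helpdesk may manage'

# Placeholder accounts: the user to be managed and the operator who will manage it
$member   = Get-MgUser -UserId 'alice@contoso.com'
$operator = Get-MgUser -UserId 'helpdesk.emea@contoso.com'

# Membership is added by reference to the user object
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($member.Id)" }

# Get-MgDirectoryRole only returns roles that have been activated in the tenant
$role = Get-MgDirectoryRole -Filter "displayName eq 'Helpdesk Administrator'"
if (-not $role) { throw 'Helpdesk Administrator role is not activated in this tenant' }

# Scoped assignment: the role applies inside this unit, not tenant-wide
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -RoleId $role.Id -RoleMemberInfo @{ Id = $operator.Id }

# Verification 1: the scoped assignment exists on the unit
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    Select-Object RoleId, @{ n = 'Operator'; e = { $_.RoleMemberInfo.Id } }

# Verification 2: the operator did not also pick up the role tenant-wide
$tenantWide = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id).Id -contains $operator.Id
if ($tenantWide) {
    Write-Warning 'Operator also holds Helpdesk Administrator tenant-wide; the unit scope is not limiting anything'
} else {
    Write-Output 'Operator holds Helpdesk Administrator only within the administrative unit'
}
```

As the paragraph above notes, this limits what the operator can change, not what they can read: the operator can still enumerate users outside the unit through Graph or the Azure portal.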

What is supported with Administrative Units?

Administrative unit management

| Permissions | Graph/PowerShell | Azure portal | Microsoft 365 admin center |
|---|---|---|---|
| Creating and deleting administrative units | Supported | Supported | Not supported |
| Adding and removing administrative unit members individually | Supported | Supported | Not supported |
| Adding and removing administrative unit members in bulk by using CSV files | Not supported | Supported | No plan to support |
| Assigning administrative unit-scoped administrators | Supported | Supported | Not supported |
| Adding and removing administrative unit members dynamically based on attributes | Not supported | Not supported | Not supported |

User management

| Permissions | Graph/PowerShell | Azure portal | Microsoft 365 admin center |
|---|---|---|---|
| Administrative unit-scoped management of user properties, passwords, and licenses | Supported | Supported | Supported |
| Administrative unit-scoped blocking and unblocking of user sign-ins | Supported | Supported | Supported |
| Administrative unit-scoped management of user multifactor authentication credentials | Supported | Supported | Not supported |

Group management

| Permissions | Graph/PowerShell | Azure portal | Microsoft 365 admin center |
|---|---|---|---|
| Administrative unit-scoped management of group properties and members | Supported | Supported | Not supported |
| Administrative unit-scoped management of group licensing | Supported | Supported | Not supported |

Author: Harri Jaakkonen
