Connecting a sub forest to an M365 tenant

Ruben Bento 1 Reputation point
2022-01-17T09:51:13.49+00:00

Hello,

I would like to connect a sub forest to an M365 tenant.

Here is the schematic:
165657-1.png

Is this possible?

Thanks in advance


1 answer

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2022-01-18T16:32:48.923+00:00

    @Ruben Bento,
    Yes, this is possible, but it is not a supported scenario for production currently. As per your diagram, you are trying to sync the users in two separate domains to two different Azure AD tenants. The important things to notice here are that, in order to have this working, you need to keep a few things in mind:

    • We need two different AD Connect servers and uncheck the directories which we do not want to sync, as AD Connect tries to sync in a forest-specific way.
    • Every tenant would have its own unique custom domain, as one custom domain can be verified in one single Azure AD tenant and not both.
    • So let's say if domain1.com is verified in AADTenant1, then it cannot be verified in AAD Tenant2.
    • The users in both domains cannot use the same publicly routable UPN suffix within their userPrincipalName.

    So as long as you are using different custom domain names and the users within both your parent domains do not use the same domain suffix for their email addresses, this should work.

    principal.locl

    • principal.locl has email address user@pr.com
    • pr.com is verified in tenant1.onmicrosoft.com and added as a UPN suffix within on-premises AD so that new users that are created can use this UPN suffix.
    • And users get an email within this tenant as user@pr.com.

    sub.principal.locl

    • sub.principal.locl has email address user@sub.com
    • Similarly, sub.com is verified in tenant2.onmicrosoft.com and added as a UPN suffix within on-premises AD so that new users that are created can use this UPN suffix.
    • Users will use an email within this tenant as user@sub.com; however, users here will never be able to use @pr.com as their email domain.

    As long as we take care of the above scenarios to avoid any conflicts, we should be able to get this working without an issue. I would suggest you go through the "sync to multiple Azure AD tenants" section in the supported sync topologies article. We do not recommend this for production at this point, and we have a list of important points to think about as to which scenarios are meant for this kind of deployment. I would encourage you to go through the same.

    Hope this helps. If the information provided is helpful, please accept this post as the answer in the interest of others in the community who may have similar queries. Should you have any other query on this, please feel free to let us know in detail and we will be happy to help further.

    Thank you.

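The on-premises preparation the answer describes (register each tenant's routable suffix on the forest, stamp each domain's users with their own suffix only, and confirm nobody in one domain carries the other tenant's suffix before either AD Connect server runs) as a script. This is an added example, not code from the thread or from Microsoft; the domain and suffix names come from the question, while the mapping table, the choice to derive the UPN prefix from sAMAccountName, and the proxyAddresses check are illustrative assumptions. Domain filtering on each AD Connect server is still configured in the AD Connect wizard and is not scripted here.

```powershell
# Added example (not from the original Q&A): prepare two on-premises domains for
# the two-tenant layout in the answer.
# Assumptions (names from the thread, mapping is illustrative):
#   forest root  principal.locl      -> tenant1, suffix pr.com
#   child domain sub.principal.locl  -> tenant2, suffix sub.com
# Requires the ActiveDirectory RSAT module, forest-level rights for step 1 and
# write access to the users for step 2. Review the output of step 3 before syncing.
Import-Module ActiveDirectory

$map = @(
    [pscustomobject]@{ Domain = 'principal.locl';     Suffix = 'pr.com'  }
    [pscustomobject]@{ Domain = 'sub.principal.locl'; Suffix = 'sub.com' }
)

# 1. UPN suffixes are a forest-wide attribute, so both suffixes are registered once
#    on the forest; each domain will then only hand out its own.
$forest = Get-ADForest
foreach ($m in $map) {
    if ($forest.UPNSuffixes -notcontains $m.Suffix) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $m.Suffix }
    }
}

# 2. Re-stamp every enabled user in each domain with that domain's suffix.
#    Assumption: the UPN prefix is the sAMAccountName; adjust if your naming differs.
foreach ($m in $map) {
    $dn = (Get-ADDomain -Server $m.Domain).DistinguishedName
    Get-ADUser -Server $m.Domain -SearchBase $dn -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        ForEach-Object {
            $newUpn = '{0}@{1}' -f $_.SamAccountName, $m.Suffix
            if ($_.UserPrincipalName -ne $newUpn) {
                Set-ADUser -Server $m.Domain -Identity $_ -UserPrincipalName $newUpn
            }
        }
}

# 3. Conflict check: a custom domain verifies in exactly one tenant, so no user in
#    one domain may carry the other domain's suffix in its UPN, mail or SMTP proxy
#    addresses. Anything listed here must be fixed before either AD Connect runs.
$violations = foreach ($m in $map) {
    $other   = ($map | Where-Object { $_.Domain -ne $m.Domain }).Suffix
    $pattern = '(?i)@' + [regex]::Escape($other) + '$'
    $dn      = (Get-ADDomain -Server $m.Domain).DistinguishedName
    Get-ADUser -Server $m.Domain -SearchBase $dn -Filter * -Properties UserPrincipalName, mail, proxyAddresses |
        Where-Object {
            ($_.UserPrincipalName -match $pattern) -or
            ($_.mail -match $pattern) -or
            (@($_.proxyAddresses) -match ('(?i)^smtp:.*' + $pattern.Substring(4)))
        } |
        Select-Object @{ n = 'Domain'; e = { $m.Domain } }, SamAccountName, UserPrincipalName, mail
}

if ($violations) {
    $violations | Format-Table -AutoSize
    throw 'Cross-tenant suffix conflicts found; resolve them before running AD Connect.'
}
Write-Host 'No cross-tenant suffix conflicts; safe to run the per-domain AD Connect servers.'
```

Step 2 changes sign-in names: for users already synced to a tenant, the new UPN flows to the cloud and changes what they type at login, so run it before the first sync or schedule it as a change. Step 3 is the check that matters for the answer's warning: if a user in sub.principal.locl carries an @pr.com address, that address can only exist in tenant1, and syncing the user into tenant2 would fail or produce an unusable identity.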