question

0 Votes
Venkat-6177 asked LakshminarayananVenkatasudhan-2328 commented

Azure Hybrid Topology

We have a requirement to build a hybrid topology for SSO configuration for Azure accounts using on-premises AD. We have a single AD forest and a single domain name (for example, xyz.com), but we have multiple Azure AD tenants. We want to integrate the single domain with multiple Azure AD tenants using multiple Azure AD connectors. Is this possible, or is there any better solution for this scenario?

azure-active-directory azure-ad-connect

1 Vote
SaurabhSharma-msft answered Venkat-6177 commented

No, it is not supported. You cannot sync the same users to multiple Azure AD tenants.
You can only achieve this if you have separate Azure AD Connect servers with mutually exclusive sets of objects to sync to Azure AD. Please refer to the "Each object only once in an Azure AD tenant" documentation for details.
This document also lists the different supported and unsupported topologies.


· 2

Please let me know if you find above reply useful. If yes, do click on 'Mark as answer' link in above reply.

1 Vote 1 ·

Thanks, let me chec

0 Votes 0 ·
0 Votes
StephaniedeHoog-3683 answered Venkat-6177 commented

You might consider using Azure AD B2C: set up multi-tenant Azure AD SSO and sync the on-prem domain to its own AAD?
Have a look at this doc: https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=applications

· 1

In our case, we have only one domain which needs to be federated to multiple tenants. We just want to do SSO to the Azure portal using on-prem AD credentials; no applications are involved. Will B2C still help? In my understanding, B2C comes into play when we have web or mobile apps that need an identity mechanism.

0 Votes 0 ·
1 Vote
shashishailaj answered LakshminarayananVenkatasudhan-2328 commented

@Venkat-6177, you can sync your on-premises identities to multiple Azure AD tenants by setting up multiple Azure AD Connect servers, but you will not be able to use the same domain suffix. Let me explain by taking the example of two different scenarios.

SCENARIO 01

So let's say you currently have an on-premises environment and one domain called xyz.com.
Also, you have set up three different Azure AD tenants to which you would like to sync your users from the on-premises AD environment.

There are three Azure AD Connect servers that you have set up, connected to the above three tenants.
I am assuming that you have already set up xyz.com as your primary domain suffix in on-premises AD and that all the users have a userPrincipalName attribute of the form (user)@xyz.com.

xyz.com is a custom domain, and any custom domain can be verified in only one single Azure AD tenant. You cannot verify the same domain xyz.com in more than one Azure AD tenant; this is by design and not permitted. This is why it is mentioned above in Saurabh's answer that each object is represented in only one tenant. That means the user with UPN user@xyz.com can only be present in one single tenant.

When you start the sync in the above case for all the users to three tenants via three different Azure AD Connect servers, the following will happen. For simplicity we will take one single on-premises user with the identity user@xyz.com.

The above will be the output for the user in the three tenants in the cloud. While all three objects created in the cloud are mapped to the same object on-premises, they are still different objects with different objectIDs.

SCENARIO 02

Now in another scenario, let's say you have three different domains of three different business units within the same on-premises directory.

In this case, if you have a requirement to map a set of users to different tenants based on the domains they are part of, you can surely do this. So you will have to verify each domain in a different tenant once, and then you can sync these to the specific tenants using three different Azure AD Connect servers as explained in the last scenario. You would need to do some filtering in Azure AD Connect to sync a unique set of users, and the sync would work.

Hope the above helps. However, if you are trying to sync the same user object to three different tenants with the same user principal name, then that is not possible by design. If the above explanations do not help you, I would suggest providing more details on your use case so that we can help you better. If it was one of the two scenarios, hope the explanations helped you.

Hope this clarifies your query as to what you can actually achieve in terms of hybrid topology with Azure AD. Please do accept whichever post helped you with relevant information as the answer, so that it is helpful to other members of the community searching for similar queries. Should you have any further queries on this, feel free to let us know in the comments and we will be happy to help.

Thank you.
· 2
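An added planning check for the answer above (example code, not from any post in this thread): it groups on-premises users by UPN suffix and reports in which tenant each suffix is verified, so that each Azure AD Connect server's filtering can be scoped to a mutually exclusive set of users, as scenario 02 requires. It assumes the ActiveDirectory and AzureAD PowerShell modules and an account that can sign in to each tenant; the tenant IDs are placeholders.

```powershell
# Added example: map on-premises UPN suffixes to the tenant where each suffix is verified.
# Assumes the ActiveDirectory and AzureAD modules; the tenant IDs below are placeholders.
Import-Module ActiveDirectory
Import-Module AzureAD

# Placeholder tenant IDs (replace with your own); the script signs in to each in turn.
$TenantIds = @('<tenant-a-guid>', '<tenant-b-guid>', '<tenant-c-guid>')

# Step 1: which UPN suffixes exist on-premises, and how many enabled users carry each?
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName }
$bySuffix = $users | Group-Object { ($_.UserPrincipalName -split '@')[1].ToLowerInvariant() }

# Step 2: collect the verified domains of each tenant.
# A custom domain can be verified in only one tenant, so each suffix maps to at most one entry.
$verifiedIn = @{}
foreach ($tid in $TenantIds) {
    Connect-AzureAD -TenantId $tid | Out-Null
    Get-AzureADDomain | Where-Object { $_.IsVerified } | ForEach-Object {
        $verifiedIn[$_.Name.ToLowerInvariant()] = $tid
    }
    Disconnect-AzureAD
}

# Step 3: report the plan. A suffix verified in no tenant means those users would be
# created with the tenant's fallback .onmicrosoft.com UPN, which breaks the intended SSO.
$plan = foreach ($g in $bySuffix) {
    [pscustomobject]@{
        UpnSuffix = $g.Name
        Users     = $g.Count
        Tenant    = if ($verifiedIn.ContainsKey($g.Name)) { $verifiedIn[$g.Name] }
                    else { 'NOT VERIFIED IN ANY TENANT' }
    }
}
$plan | Sort-Object Tenant, UpnSuffix | Format-Table -AutoSize
```

Use the resulting table to scope each Azure AD Connect server's OU or attribute filtering to only the suffixes assigned to its tenant; the same user must never fall into two servers' scopes.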

Thanks a lot for such a detailed response. Mine is scenario 1: single forest -> single domain -> multiple Azure AD tenants.

Is it possible to achieve this using B2B (or) B2C setup?

0 Votes 0 ·

Can this be achieved using the direct federation feature with SAML 2.0?

0 Votes 0 ·