Rahul-7230 asked YashGarg-6451 answered

Hybrid Azure AD Join during M&A Scenario approach

Hi All,

Just wanted to cross-check: during a merger & acquisition scenario, what is the best approach for Windows device migration from one forest to another forest?

Option 1: Use any third-party migration tool to sync all the users, groups and computers from one forest to another forest, and use the Azure AD Connect topology "single-forest-single-azure-ad-tenant".

Option 2: Use the "Multiple forests, single Azure AD tenant" topology to have two forests sync users, groups and computers to a single Azure AD tenant.

The end goal is to achieve Hybrid Azure AD Join for devices, to trigger Conditional Access policies.

A few concerns around the same:

  • Since it's a federated scenario, will option 2 support Hybrid Azure AD Join or not?

  • For a federated environment and Hybrid Azure AD Join, is Device Writeback mandatory? As per the Device Writeback article, it cannot work.


Tags: azure-active-directory, azure-ad-connect, azure-ad-conditional-access

1 Answer

YashGarg-6451 answered

Hi,

Both approaches are good, but the 2nd option seems to be reliable, the reasons being:

  • Users have only 1 identity across all forests – the uniquely identifying users
  • The user authenticates to the forest in which their identity is located
  • UPN and Source Anchor (immutable id) will come from this forest
  • All forests are accessible by Azure AD Connect

Objects that exist both on-premises and in the cloud are "connected" via a unique identifier. In the context of Directory Synchronization, this unique identifier is referred to as the SourceAnchor.

If the end goal is to achieve the CA policies, there are many criteria which you can set for CA, like initiating MFA or making the device compliant by enrolling it in Intune and applying compliance policies to it.

As per this article, https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-device-writeback :

Devices must be located in the same forest as the users. Since devices must be written back to a single forest, this feature does not currently support a deployment with multiple user forests.
Only one device registration configuration object can be added to the on-premises Active Directory forest. This feature is not compatible with a topology where the on-premises Active Directory is synchronized to multiple Azure AD directories.
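As an added example (not part of the answer or the original post), a PowerShell readiness check that applies the two constraints discussed in this thread to constructed sample data from two forests: every user must have a single identity (unique UPN and SourceAnchor across forests), and for device writeback each device must sit in the same forest as its user. The function name, property names and forest names are assumptions; against real forests you would build the input objects with Get-ADUser and Get-ADComputer (ActiveDirectory module) per forest.

```powershell
# Added example, not from the original post. Input objects are constructed inline;
# in practice build them per forest with Get-ADUser / Get-ADComputer -Server <dc>.
# Property names (Forest, SourceAnchor, PrimaryUserUpn) are assumptions.
function Test-MultiForestReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [object[]] $Devices
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. One identity per user across all forests: a UPN or source anchor
    #    (mS-DS-ConsistencyGuid / immutable id) must not appear in two forests.
    foreach ($prop in 'UserPrincipalName', 'SourceAnchor') {
        $Users | Group-Object -Property $prop | Where-Object { $_.Count -gt 1 } | ForEach-Object {
            $forests = ($_.Group.Forest | Sort-Object -Unique) -join ', '
            $findings.Add("Duplicate $prop '$($_.Name)' found in forests: $forests")
        }
    }

    # 2. Device writeback needs the device object in the same forest as its user.
    $userForest = @{}
    foreach ($u in $Users) { $userForest[$u.UserPrincipalName] = $u.Forest }
    foreach ($d in $Devices) {
        $owner = $userForest[$d.PrimaryUserUpn]
        if (-not $owner) {
            $findings.Add("Device '$($d.Name)': user '$($d.PrimaryUserUpn)' not found in any forest")
        } elseif ($owner -ne $d.Forest) {
            $findings.Add("Device '$($d.Name)' is in '$($d.Forest)' but its user is in '$owner'; device writeback will not work")
        }
    }
    return $findings
}

# Constructed sample data: two forests being merged (hypothetical names).
$users = @(
    [pscustomobject]@{ Forest='contoso.local';  UserPrincipalName='alice@contoso.com';  SourceAnchor='a1' }
    [pscustomobject]@{ Forest='fabrikam.local'; UserPrincipalName='bob@fabrikam.com';   SourceAnchor='b1' }
    # migrated copy of alice left behind in the source forest: duplicate UPN
    [pscustomobject]@{ Forest='fabrikam.local'; UserPrincipalName='alice@contoso.com';  SourceAnchor='a2' }
)
$devices = @(
    [pscustomobject]@{ Forest='contoso.local'; Name='PC-ALICE'; PrimaryUserUpn='alice@contoso.com' }
    [pscustomobject]@{ Forest='contoso.local'; Name='PC-BOB';   PrimaryUserUpn='bob@fabrikam.com' }
)
Test-MultiForestReadiness -Users $users -Devices $devices
```

Each returned line is a blocker to resolve before enabling the sync topology; an empty result means the sample meets both constraints.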
