Asked by EnterpriseArchitect

Creating separate Azure AD domain to separate Guest users from the main Azure AD domain?

Hi All,

I wonder if anyone here can give some clarification about creating a subdomain in Azure AD.

I have the need to create an Azure AD subdomain (Partner.Domain.com or Partner.domain.onmicrosoft.com) from my parent Azure AD tenant.
Domain.com is synced from the on-premises AD DS, which I do not want to import or invite the guest users into.

The total number of Users/Guest is 3000+
The users will be invited via their personal emails: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite#understand-the-csv-template
Granted the login: First.LastName@domain.com (F1 License is assigned - https://www.microsoft.com/en-us/microsoft-365/enterprise/f1)

Restrictions enforced:
2FA/MFA login
Those users cannot contact anyone directly using Teams or email, apart from the specific address book entries that I will publish.
Those users can receive emails from anyone inbound and can send emails outbound.

Will that be a possible scenario using a separate Azure AD domain like https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant?

Thank you in advance.

Tags: azure-active-directory, windows-active-directory, azure-ad-b2c, azure-ad-domain-services

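The question relies on the bulk-invite CSV template linked above. The following script is an added example (not part of the original post and not Microsoft's code): it parses a CSV laid out like that template, rejects rows that would fail or that violate the asker's own constraint (addresses in the synced Domain.com must not be invited as guests), and turns the surviving rows into the request bodies that Microsoft Graph's `POST /invitations` endpoint accepts (`invitedUserEmailAddress`, `inviteRedirectUrl`, `sendInvitationMessage`, `invitedUserMessageInfo`). The exact header wording of the template is assumed; the script matches columns on the bracketed property names (`[displayName]`, `[emailAddress]`, `[inviteRedirectURL]`) so minor header differences do not matter. The sample rows are constructed for illustration.

```python
"""Validate an Azure AD bulk-invite CSV and build Graph /invitations bodies.

Added example, not Microsoft code. Header text is assumed to match the
portal template; columns are located by the bracketed property tokens.
"""
import csv
import io
import json
import re
from urllib.parse import urlparse

# Constructed sample in the assumed template layout (header + 4 rows).
SAMPLE_CSV = """Name [displayName] Required,Email address [emailAddress] Required,Redirection url [inviteRedirectURL] Required,Send invitation message (true or false),Custom invitation message
Alice Example,alice@outlook.com,https://myapps.microsoft.com,true,Welcome to the partner portal
Bob Example,bob@gmail.com,https://myapps.microsoft.com,false,
Carol Internal,carol@domain.com,https://myapps.microsoft.com,true,
Dave Broken,not-an-email,http://myapps.microsoft.com,true,
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _col(fieldnames, token):
    """Return the header whose text contains the given property token."""
    for name in fieldnames:
        if token.lower() in name.lower():
            return name
    raise KeyError(f"no column containing '{token}' in {fieldnames}")


def build_invitations(csv_text, internal_domains):
    """Return (payloads, rejected).

    payloads: list of dicts shaped like the Graph invitation resource.
    rejected: list of {line, email, reasons} for rows that must not be sent.
    internal_domains: verified/synced domains whose users are members, not guests.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    name_c = _col(reader.fieldnames, "displayName")
    mail_c = _col(reader.fieldnames, "emailAddress")
    url_c = _col(reader.fieldnames, "inviteRedirectURL")
    send_c = _col(reader.fieldnames, "Send invitation")
    msg_c = _col(reader.fieldnames, "Custom invitation")
    internal = {d.lower() for d in internal_domains}
    payloads, rejected = [], []
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        name = (row.get(name_c) or "").strip()
        mail = (row.get(mail_c) or "").strip()
        url = (row.get(url_c) or "").strip()
        reasons = []
        if not name:
            reasons.append("missing display name")
        if not EMAIL_RE.match(mail):
            reasons.append("invalid email")
        elif mail.rsplit("@", 1)[1].lower() in internal:
            # The asker does not want synced Domain.com accounts invited as guests.
            reasons.append("address in an internal (synced) domain; review before inviting")
        if urlparse(url).scheme != "https":
            reasons.append("redirect URL must be https")
        if reasons:
            rejected.append({"line": line_no, "email": mail, "reasons": reasons})
            continue
        body = {
            "invitedUserDisplayName": name,
            "invitedUserEmailAddress": mail,
            "inviteRedirectUrl": url,
            "sendInvitationMessage": (row.get(send_c) or "").strip().lower() == "true",
        }
        message = (row.get(msg_c) or "").strip()
        if message and body["sendInvitationMessage"]:
            body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
        payloads.append(body)
    return payloads, rejected


if __name__ == "__main__":
    ok, bad = build_invitations(SAMPLE_CSV, {"domain.com"})
    print(json.dumps({"invitations": ok, "rejected": bad}, indent=2))
```

Each entry in `invitations` is ready to be sent as the JSON body of `POST https://graph.microsoft.com/v1.0/invitations` by a principal holding the `User.Invite.All` permission; the sending step is left out so the script runs offline. Review the `rejected` list before a 3000-user run, because a single bad row in a bulk job is easy to miss afterwards.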

1 Answer

Answered by LimitlessTechnology-2700

Hi @EnterpriseArchitect

You can delegate an Azure DNS subdomain instead of creating a separate Azure AD domain to separate guest users.

You can use the Azure portal to delegate a DNS subdomain. For example, if you own the contoso.com domain, you may delegate a subdomain called engineering to another separate zone that you can administer separately from the contoso.com zone.

Here is a link for a detailed description of the process that you must follow.
Delegate an Azure DNS subdomain
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain

Federating multiple, top-level domains with Azure AD requires some additional configuration that is not required when federating with one top-level domain. When a domain is federated with Azure AD, several properties are set on the domain in Azure.

Properties of an Azure Active Directory B2B collaboration user
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/user-properties

Hope this resolves your query!


--If the reply is helpful, please Upvote and Accept it as an answer–


Hi @LimitlessTechnology-2700, Thank you for the explanation on this thread.
May I know if using https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview is simpler and can be done instead of the delegation above?
