Question asked by robcool

Merge Non-PROD with PROD tenant

Hi,

We are performing a merge of a non-prod tenant into a PROD tenant. This is to minimise the effort involved in maintaining two Azure AD tenants.

As part of this process, the custom domain in the non-prod tenant can't be added to the PROD tenant, as there can't be the same domain in two different Azure environments. Please let me know how this issue can be tackled, as we need to move the identities from one tenant to another while ensuring that access to workloads in the non-prod tenant remains as is until the final cutover?

Thanks.

Tags: azure-ad-connect, azure-ad-domain-services

1 Answer

Answered by amanpreetsingh-msft

Hi @robcool, thank you for reaching out.

If you are synchronizing identities from the local AD forest to the non-prod Azure AD tenant, you can sync those identities to the prod tenant using AD Connect. As Azure AD Connect supports the "multiple forests, single Azure AD tenant" scenario, you will get the non-prod users synced to the prod tenant, but they will be synced with the @ProdTenant.onmicrosoft.com UPN suffix. At this point, you will have all users in the prod tenant, and the non-prod tenant will also still have the existing synced users that can be used to access workloads in that tenant.

During the final cutover, you will have to remove/update all the entities that are using the custom domain in the non-prod tenant so that the custom domain can be removed from the non-prod tenant and added to the prod tenant. Once the custom domain is moved, all you need to do is to flip the UPN suffix of the non-prod users in the prod tenant from @ProdTenant.onmicrosoft.com to @CustomDomain.com using the Set-MsolUserPrincipalName cmdlet.

If you are using cloud-only users and not synced users, you will have to provision the users in bulk to the prod tenant by using either a PowerShell script or Graph batching. Below is the PowerShell script for your reference:

[Image attachment 199470-image.png: the PowerShell script was posted as a screenshot and is not transcribed here.]


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


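The bulk provisioning and the UPN suffix flip described in the answer, as an added example that is not the answer's own script (the original was attached as an image). It uses the Microsoft Graph PowerShell SDK in place of the MSOnline module, which Microsoft has retired, and adds a pre-check for the non-prod tenant that lists the objects still referencing the custom domain, since those are what block the domain removal the second paragraph calls for. Everything below beyond the Graph cmdlets is assumed: the domain contoso.com, the initial domain prodtenant.onmicrosoft.com, the CSV columns, and the function names.

```powershell
# Added example for this thread, not the answer's own script (which was posted as an image).
# Uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users, Microsoft.Graph.Groups,
# Microsoft.Graph.Identity.DirectoryManagement) instead of the retired MSOnline cmdlets.
# Assumed values: custom domain contoso.com, prod initial domain prodtenant.onmicrosoft.com,
# and a migration CSV with the columns DisplayName,MailNickname,UsageLocation.

$CustomDomain = 'contoso.com'                  # assumption: the domain being moved between tenants
$ProdInitial  = 'prodtenant.onmicrosoft.com'   # assumption: the prod tenant's initial domain

# Escape a value for use inside an OData string literal (a UPN such as o'brien@... would otherwise break the filter).
function ConvertTo-ODataLiteral([string]$Value) { return $Value.Replace("'", "''") }

# ---- Run in the NON-PROD tenant before attempting to remove the custom domain ----
# Azure AD refuses to remove a domain while objects still reference it, so list every
# user or group whose UPN, mail or proxyAddresses still carry the domain.
function Get-ObjectsUsingDomain {
    param([Parameter(Mandatory)][string]$Domain)
    $suffix = ('@' + $Domain).ToLowerInvariant()
    $hits = [System.Collections.Generic.List[object]]::new()
    Get-MgUser -All -Property Id,UserPrincipalName,Mail,ProxyAddresses | ForEach-Object {
        $refs = @($_.UserPrincipalName, $_.Mail) + @($_.ProxyAddresses) |
            Where-Object { $_ -and $_.ToLowerInvariant().EndsWith($suffix) }
        if ($refs) { $hits.Add([pscustomobject]@{ Type = 'User'; Id = $_.Id; References = ($refs -join ';') }) }
    }
    Get-MgGroup -All -Property Id,DisplayName,Mail,ProxyAddresses | ForEach-Object {
        $refs = @($_.Mail) + @($_.ProxyAddresses) |
            Where-Object { $_ -and $_.ToLowerInvariant().EndsWith($suffix) }
        if ($refs) { $hits.Add([pscustomobject]@{ Type = 'Group'; Id = $_.Id; References = ($refs -join ';') }) }
    }
    return $hits
}

# ---- Run in the PROD tenant after the custom domain has been added there ----
# Refuse to rename anything until the domain is actually verified, otherwise every Update-MgUser fails.
function Assert-DomainVerified {
    param([Parameter(Mandatory)][string]$Domain)
    $d = Get-MgDomain | Where-Object { $_.Id -eq $Domain }
    if (-not $d -or -not $d.IsVerified) { throw "$Domain is not a verified domain in this tenant; stop here." }
}

# Cloud-only users (no AD Connect): bulk-create them in prod under the initial domain with a
# random one-time password that must be changed at first sign-in. Existing UPNs are skipped,
# so the function can be re-run safely after a partial failure.
function New-MigratedCloudUsers {
    param([Parameter(Mandatory)][string]$CsvPath)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    foreach ($row in Import-Csv -Path $CsvPath) {
        $upn = "$($row.MailNickname)@$ProdInitial"
        if (Get-MgUser -Filter "userPrincipalName eq '$(ConvertTo-ODataLiteral $upn)'") {
            Write-Warning "Already exists, skipping $upn"; continue
        }
        $bytes = [byte[]]::new(24)
        $rng.GetBytes($bytes)
        $null = New-MgUser -DisplayName $row.DisplayName -MailNickname $row.MailNickname `
            -UserPrincipalName $upn -UsageLocation $row.UsageLocation -AccountEnabled `
            -PasswordProfile @{ Password = [Convert]::ToBase64String($bytes); ForceChangePasswordNextSignIn = $true }
        "Created $upn"
    }
}

# Final cut-over step from the answer: swap @ProdInitial for @CustomDomain, but only for the
# listed migrated users, so prod-native accounts that deliberately stay on the initial domain
# (for example break-glass admins) are left alone. Dry run unless -Commit is given.
function Switch-UpnSuffix {
    param([Parameter(Mandatory)][string[]]$UserPrincipalName, [switch]$Commit)
    Assert-DomainVerified -Domain $CustomDomain
    $pattern = '@' + [regex]::Escape($ProdInitial) + '$'
    foreach ($upn in $UserPrincipalName) {
        if ($upn -notmatch $pattern) { Write-Warning "Not on $ProdInitial, skipping $upn"; continue }
        $user = Get-MgUser -Filter "userPrincipalName eq '$(ConvertTo-ODataLiteral $upn)'" -Property Id,UserPrincipalName
        if (-not $user) { Write-Warning "Not found in prod, skipping $upn"; continue }
        $new = $upn -replace $pattern, "@$CustomDomain"
        if ($Commit) { Update-MgUser -UserId $user.Id -UserPrincipalName $new }
        [pscustomobject]@{ Old = $upn; New = $new; Applied = [bool]$Commit }
    }
}

# Usage (constructed; tenant ids are placeholders):
# Connect-MgGraph -TenantId <nonprod-tenant-id> -Scopes User.Read.All,Group.Read.All
# Get-ObjectsUsingDomain -Domain $CustomDomain | Format-Table
# Connect-MgGraph -TenantId <prod-tenant-id> -Scopes User.ReadWrite.All,Domain.Read.All
# New-MigratedCloudUsers -CsvPath .\users.csv
# $targets = (Import-Csv .\users.csv).MailNickname | ForEach-Object { "$_@$ProdInitial" }
# Switch-UpnSuffix -UserPrincipalName $targets            # dry run, prints Old/New pairs
# Switch-UpnSuffix -UserPrincipalName $targets -Commit
```

The dry-run default and the explicit target list are deliberate: a blanket rename of everything on the initial domain would also catch accounts that are meant to stay there, and a UPN change on an account that is still signed in elsewhere shows up as a failed or re-prompted sign-in, so running the dry run first and keeping the Old/New output as the change record is the safer sequence.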

Thanks @amanpreetsingh-msft

Also, in order to include the non-prod forest in the existing AAD Connect (which already has the PROD forest directory configured), is it possible to have two separate sign-in methods configured for each of these forests, like Federation for the PROD forest and PTA for the non-prod forest?

Please confirm.


@robcool, as of now it is not possible to enable both PTA and PHS on one AAD Connect server. So, you cannot enable different user sign-in methods on a per-forest basis.

You can have PHS as a backup through "Customize synchronization options" > connect to Azure and AD > Optional features > PHS, but this will just act as a backup and PTA will remain your primary mode of authentication. Authentication will not fall back to PHS automatically and you will have to manually switch to PHS if needed.


@robcool, just checking if this answers your question. Feel free to tag me in your reply if you have any questions.
