Active Directory Consolidation

Tim Chapman 6 Reputation points Microsoft Employee
2021-09-29T00:35:47.473+00:00

The customer is a finance provider who has multiple Azure tenants across Direct (PAYG) and CSP. The Azure Active Directory is currently replicated from on-premises to the CSP tenant where a number of application and database services are located. The customer would like to consolidate their Azure AD domain services under a new domain in the direct PAYG tenant and has requested architectural guidance on best practice implementation.

Current and future state architecture diagrams are available and will be provided separately.

Azure FastTrack
1 answer

  1. Ravi Bakamwar 11 Reputation points
    2021-09-29T08:38:33.34+00:00

    Hi Tim,

    Apologies for responding with questions on your question :). I would like to clarify a few things.

    By multiple tenants do you mean they have multiple Azure subscriptions (CSP/PAYG) associated with different tenants? (Very common for CSP customers, where the CSP subscription is associated with the CSP's own tenant (aka directory) and the customer's PAYG subscription with their own tenant.)

    When you say "Azure Active Directory is currently replicated from on-premise to the CSP tenant", I am assuming you mean the on-prem (traditional) Active Directory is synced to this tenant perhaps?

    Regarding the consolidation question, "Azure AD Domain Services (AADDS)" is a managed version of traditional AD. Do they have this AADDS instance in the CSP tenant, and the ask is to move it to the PAYG tenant?

    Just for the sake of clarity:
    AD = Traditional AD (which provides LDAP/Kerberos/GPO etc.)
    AAD = Tenant which is used for IAM for Azure/Office 365 etc. Azure subscriptions are associated with a tenant (a subscription can only be linked to one AAD at a time).
    AADDS = A managed version of traditional AD running in Azure, where we (Microsoft) manage the domain controllers and offer the traditional AD service.

    What aspects of the identity services above need to be consolidated?

    1 person found this answer helpful.
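The first thing the answer above asks for is an inventory of which subscriptions trust which tenant, since each Azure subscription can only be associated with one Azure AD tenant at a time. The following script is an added example, not code from the thread or from Microsoft: it parses the JSON that `az account list --all --output json` emits (the field names `tenantId`, `homeTenantId`, `managedByTenants` and `state` are the Azure CLI's own), groups subscriptions by tenant, flags those a partner tenant manages through Azure Lighthouse (the usual shape of CSP subscriptions), and splits the enabled ones into "already in the target tenant" versus "would need a directory transfer". The subscription and tenant identifiers in the embedded sample are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample in the shape produced by `az account list --all --output json`.
# Field names follow the Azure CLI; the ids, names and tenant labels are made-up placeholders.
SAMPLE_AZ_ACCOUNT_LIST = """[
  {"id": "sub-0001", "name": "CSP-Prod-Apps", "state": "Enabled",
   "tenantId": "TENANT-CSP", "homeTenantId": "TENANT-CSP",
   "managedByTenants": [{"tenantId": "TENANT-PARTNER"}], "isDefault": true},
  {"id": "sub-0002", "name": "CSP-Prod-Data", "state": "Enabled",
   "tenantId": "TENANT-CSP", "homeTenantId": "TENANT-CSP",
   "managedByTenants": [{"tenantId": "TENANT-PARTNER"}], "isDefault": false},
  {"id": "sub-0003", "name": "PAYG-Sandbox", "state": "Enabled",
   "tenantId": "TENANT-PAYG", "homeTenantId": "TENANT-PAYG",
   "managedByTenants": [], "isDefault": false},
  {"id": "sub-0004", "name": "PAYG-Legacy", "state": "Disabled",
   "tenantId": "TENANT-PAYG", "homeTenantId": "TENANT-PAYG",
   "managedByTenants": [], "isDefault": false}
]"""


def parse_accounts(raw_json):
    """Parse the JSON array emitted by `az account list`."""
    accounts = json.loads(raw_json)
    if not isinstance(accounts, list):
        raise ValueError("expected a JSON array of subscriptions")
    return accounts


def subscriptions_by_tenant(accounts):
    """Map each tenant id to the subscription names that trust it.
    A subscription trusts exactly one tenant, so each name appears once."""
    grouped = defaultdict(list)
    for acct in accounts:
        grouped[acct["tenantId"]].append(acct["name"])
    return {tenant: sorted(names) for tenant, names in grouped.items()}


def delegated_subscriptions(accounts):
    """Subscriptions that another tenant can manage via Azure Lighthouse,
    reported by the CLI in 'managedByTenants'. Typical for CSP subscriptions."""
    result = {}
    for acct in accounts:
        managers = [m["tenantId"] for m in acct.get("managedByTenants", [])]
        if managers:
            result[acct["name"]] = managers
    return result


def consolidation_plan(accounts, target_tenant):
    """Split enabled subscriptions into those already trusting the target tenant
    and those that would need 'Transfer to another directory'. Disabled
    subscriptions are listed separately so they are not silently forgotten."""
    plan = {"in_target": [], "to_transfer": [], "disabled": []}
    for acct in accounts:
        if acct["state"] != "Enabled":
            plan["disabled"].append(acct["name"])
        elif acct["tenantId"] == target_tenant:
            plan["in_target"].append(acct["name"])
        else:
            plan["to_transfer"].append(acct["name"])
    return plan


if __name__ == "__main__":
    accts = parse_accounts(SAMPLE_AZ_ACCOUNT_LIST)
    for tenant, subs in subscriptions_by_tenant(accts).items():
        print(f"{tenant}: {', '.join(subs)}")
    print("Lighthouse delegations:", delegated_subscriptions(accts))
    print("Plan for TENANT-PAYG:", consolidation_plan(accts, "TENANT-PAYG"))
```

To run it against a real estate, replace the embedded sample with the output of `az account list --all --output json` captured while signed in to each tenant. The "to_transfer" list is the part that needs careful planning: transferring a subscription to another directory permanently removes its role assignments and breaks managed identities, so those must be inventoried and re-created in the new tenant, and any partner delegation in "delegated_subscriptions" should be reviewed before the move.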