Azure AD Resource Forest two different domains

Srinivasan Ramdass 96 Reputation points
2023-08-31T17:25:46.86+00:00

Hi,

I need a suggestion in the below scenario.

Current Setup:

I have an on-premises domain abc.com in a hybrid setup. User identities and computer accounts are synced through Azure AD Connect, and users access EXO, SPO and other SaaS applications associated with tenant abc.com.

On-prem applications are accessed through Azure App Proxy.

Plan:

Planning to move the users and devices to a new Azure AD (cloud-only users and Azure AD joined devices).

Is there any way I can move the user accounts and devices to a new Azure AD with a different domain name, XYZ.com, and access all the resources from the source tenant abc.com: SaaS applications and other workloads, including EXO, SPO and OneDrive?

Is this a supported scenario in the resource / forest model in Azure AD DS?

Also, should the users be able to access the on-prem abc.com applications through Azure App Proxy from the target Azure AD (XYZ.com) users?


1 answer

  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2023-09-05T21:28:41.4566667+00:00

    @Srinivasan Ramdass

    Thank you for your post and I apologize for the delayed response!

    I understand that you currently have an on-prem domain abc.com and plan to move your users and devices to a new Azure AD tenant with a different domain name xyz.com. After this move, you'd like to know if there's any possibility for the users and devices to access the resources from the previous tenant abc.com. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.


    Findings:

    I wasn't able to find any information on whether this scenario is supported in the resource / forest model of Azure AD DS. However, when it comes to Azure AD DS, please keep in mind that it replicates identity information from Azure AD, so it works with Azure AD tenants that are cloud-only or synchronized with an on-premises AD DS environment. For more info.

    When it comes to your users and devices in tenant xyz.com accessing all the resources from abc.com, this should be possible through the use of cross-tenant synchronization.

    Cross-tenant synchronization automates creating, updating, and deleting B2B collaboration users. Users created with cross-tenant synchronization are able to access both Microsoft applications (such as Teams and SharePoint) and non-Microsoft applications (such as ServiceNow, Adobe, and many more), regardless of which tenant the apps are integrated with.

    Diagram that shows synchronization of users for multiple tenants.


    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

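The resource-tenant side of the cross-tenant synchronization the answer refers to, as an added example that is not part of the original thread: it configures abc.com (the tenant that keeps EXO, SPO and the App Proxy apps) to accept inbound user sync from the new xyz.com tenant, scoped to that one partner tenant rather than the default policy. It assumes the Microsoft Graph PowerShell SDK, the v1.0 Graph endpoint for the identitySynchronization resource, and placeholder tenant IDs.

```powershell
# Added example (not from the original thread). Run in the RESOURCE tenant
# (abc.com). Requires the Microsoft.Graph PowerShell SDK and an admin who can
# grant Policy.ReadWrite.CrossTenantAccess.

$SourceTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: xyz.com tenant ID

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

# 1. Create a partner configuration for exactly this tenant. All changes below
#    sit on the partner object, so the default inbound policy stays untouched.
New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $SourceTenantId

# 2. Allow xyz.com to create, update and delete B2B users in abc.com.
#    (v1.0 endpoint assumed; older docs show the same resource under /beta.)
$syncBody = @{
    displayName     = 'xyz.com -> abc.com user sync'
    userSyncInbound = @{ isSyncAllowed = $true }
}
Invoke-MgGraphRequest -Method PUT `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/$SourceTenantId/identitySynchronization" `
    -Body $syncBody

# 3. Suppress the B2B consent prompt for users coming from xyz.com only.
Update-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $SourceTenantId `
    -AutomaticUserConsentSettings @{ inboundAllowed = $true }

# 4. Verify what was actually written before handing the source tenant
#    the go-ahead to create its sync job.
Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $SourceTenantId |
    Select-Object TenantId,
        @{ n = 'InboundConsent'; e = { $_.AutomaticUserConsentSettings.InboundAllowed } }

Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/$SourceTenantId/identitySynchronization"
```

The matching outbound consent setting and the provisioning job itself are created in the source tenant (xyz.com); the users it creates land in abc.com as B2B accounts and still need to be assigned to the App Proxy and SaaS applications there like any other user.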
