Domain Trusts and O365 Access - User from Domain A logs into device in Domain B but needs to access O365 account associated with Domain A with pass through or SSO

David Turner 66 Reputation points
2022-12-13T21:21:27.807+00:00

Hi, I have two domains in separate forests but will establish a two-way forest-wide transitive trust between the two (it's selective today).

Domain B has an Azure AD Connect server syncing to Azure AD for the O365 tenant where the users currently have Exchange Online.

I need users to be able to log into a device belonging to Domain A and access resources in Domain B, but also be able to use O365 / Outlook with their existing O365 account without having to log in every time (PTA or SSO).

Do I need to download the PTA Agent and install it on all DCs on-prem, or will this just work as they are already authenticated to Domain B?

Thanks,

Dave


Accepted answer
  1. Marilee Turscak-MSFT 37,141 Reputation points Microsoft Employee
    2022-12-16T18:08:40.707+00:00

    Hi @David Turner ,

    You would need to choose one SSO method, and the best SSO method would depend on your environment. If you do not have a routable suffix and a two-way trust for a domain with some users, the setup is more challenging. If you have a requirement to only check passwords on premises, then pass-through authentication would be the best. If you do not have a requirement for on-premises password checks, you could sync all users and let Azure AD compare password hashes, in which case password hash sync would be simpler.

    If you use pass-through authentication, any user will go to any available PTA agent. That agent must be able to reach the nearest DC and validate credentials for any user in the forest. The agent does not have to be installed on a DC. (I have a blog post here that goes through the wizard setup for PTA, though in my case I was only dealing with a single-forest configuration.)

    You must have a routable domain suffix with a two-way trust. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-faq#can-i-use-pass-through-authentication-in-a-multi-forest-active-directory-environment-

    Let me know if this helps and if you have further questions.

    -

    If the information helped you, please Accept the answer. This will help us and other members of the community who might be researching similar information.

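The accepted answer lists the prerequisites for PTA across two forests (a two-way, forest-transitive, non-selective trust; a routable UPN suffix; agent hosts that can reach a DC in the other forest) but does not show how to verify them. The following PowerShell pre-flight script is an added example, not code from the thread or from Microsoft; it is meant to run on the Domain B server where you intend to install a PTA agent. The forest names `corp-a.example` / `corp-b.example`, the list of tenant-verified suffixes, and the outbound endpoints it probes are assumptions for illustration and must be adjusted to your environment and checked against current PTA documentation.

```powershell
# Added example (not from the original post): pre-flight checks for a Domain B host
# that will run the PTA agent and must authenticate users from the trusted Domain A forest.
# Assumed (hypothetical) names: Domain B = corp-b.example (this host's forest),
#                               Domain A = corp-a.example (the trusted forest).
# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$trustedForest = 'corp-a.example'   # assumption: DNS name of Domain A's forest root
$findings = @()

# 1. The trust to Domain A must be two-way, forest-transitive and NOT selective.
#    With selective authentication, the agent's credential validation against
#    Domain A fails unless every agent host is explicitly "Allowed to authenticate".
$trust = Get-ADTrust -Filter "Target -eq '$trustedForest'" -ErrorAction SilentlyContinue
if (-not $trust) {
    $findings += "No trust object found for $trustedForest"
} else {
    if ($trust.Direction -ne 'BiDirectional') { $findings += "Trust is $($trust.Direction), not two-way" }
    if (-not $trust.ForestTransitive)         { $findings += 'Trust is not forest-transitive' }
    if ($trust.SelectiveAuthentication)       { $findings += 'Selective authentication is enabled' }
}

# 2. Every user who will sign in needs a routable UPN suffix that is verified in the tenant.
#    A suffix such as .local is not routable and will not match the synced cloud UPN.
$verifiedSuffixes = @('corp-a.example', 'corp-b.example')   # assumption: domains verified in the tenant
$users  = Get-ADUser -Server $trustedForest -Filter 'Enabled -eq $true' -Properties UserPrincipalName
$badUpn = @($users | Where-Object {
    $suffix = ($_.UserPrincipalName -split '@')[-1]
    $suffix -notin $verifiedSuffixes
})
if ($badUpn.Count -gt 0) {
    $findings += "$($badUpn.Count) enabled users in $trustedForest have a non-routable or unverified UPN suffix (e.g. $($badUpn[0].UserPrincipalName))"
}

# 3. The agent host must locate a DC in Domain A (DNS SRV) and reach it on Kerberos/LDAP/SMB.
#    A missing conditional forwarder for the other forest is the usual cause of failure here.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$trustedForest" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    $findings += "Cannot resolve DC SRV records for $trustedForest (conditional forwarder missing?)"
} else {
    $dc = ($srv | Where-Object QueryType -eq 'SRV' | Select-Object -First 1).NameTarget
    foreach ($port in 88, 389, 445) {
        if (-not (Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet)) {
            $findings += "DC $dc unreachable on TCP/$port"
        }
    }
}

# 4. The agent only makes outbound HTTPS connections. These two endpoints are my assumption
#    of the minimum to probe; confirm the full required list against current PTA documentation.
foreach ($endpoint in 'login.microsoftonline.com', 'login.windows.net') {
    if (-not (Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet)) {
        $findings += "Outbound TCP/443 to $endpoint is blocked"
    }
}

if ($findings.Count -eq 0) { 'All PTA multi-forest prerequisites look satisfied.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it under an account that can read user objects in Domain A; each FAIL line maps to one of the prerequisites in the answer above, and check 3 in particular is what "the agent must be able to reach the nearest DC" means in practice for a host sitting in the other forest.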
