Using the same identity in multiple Azure tenants owned by the same organization

YP 0 Reputation points
2023-01-28T14:28:52.82+00:00

We are on a journey towards migrating workloads to Azure cloud and want to use hybrid identity between Corp AD and Azure AD. We currently have an Office 365 tenant (o365) with identities synchronized from On-Prem AD via Azure AD connector.

All the identities are being managed in our On-Prem AD, and these identities are synchronized to our Corp Azure AD using Microsoft Azure AD Connect. This is for accessing o365 applications and a few other SaaS products.

We are creating another dev tenant in Azure for our application development. We want to use On-Prem identities in the new dev tenant as well. Since identities are already synchronized from Corp AD to our o365 tenant, is there a way to enable identity sync between our o365 tenant and the dev tenant? High-level requirements:

  • Avoid using another Azure AD Connect instance to synchronize between Corp AD and the new dev tenant
  • Synchronize IDs between the o365 tenant and the new dev tenant, or federate identities from the dev tenant to use the identities available in the o365 tenant
  • (For synchronization) only a small subset of the AD groups available in the o365 tenant need to be made available in the new dev tenant
  • Due to security reasons, we don't prefer to configure groups in the new dev tenant
  • Looked into Azure AD B2B Direct Connect: it looks like the current configuration is only for enabling access to shared Microsoft Teams channels
  • Looked into Azure AD B2B collaboration: in this case we need to explicitly send the invitation from the dev tenant to the o365 tenant; however, the group management needs to be done in the dev tenant (which we are trying to avoid) due to administration overheads and security concerns.

This should be one of the common use cases for many companies embarking on the hybrid cloud journey, and I wanted to understand the various approaches for handling this scenario, in which we can leverage existing identities from one tenant in another tenant owned by the same organization.

    JimmySalian-2011 41,916 Reputation points
    2023-01-28T14:41:01.19+00:00

    Hi,
    Yes, this is a supported scenario and topology. There are some limitations, and you have to take care of the attributes and the domain name, as they cannot be the same: Dev has to be Dev.onmicrosoft.com and Prod Prod.onmicrosoft.com, and vice versa for custom domain names.

    [Diagram that shows a topology of multiple Azure AD tenants.]

    This topology implements the following use cases:

    • AADConnect can synchronize the users, groups, and contacts from a single Active Directory to multiple Azure AD tenants. These tenants can be in different Azure environments, such as the Azure China environment or the Azure Government environment, but they could also be in the same Azure environment, such as two tenants that are both in Azure Commercial. For more details on options, see [Planning identity for Azure Government applications](/azure/azure-government/documentation-government-plan-identity).
    • The same Source Anchor can be used for a single object in separate tenants (but not for multiple objects in the same tenant). (The verified domain can't be the same in two tenants. More details are needed to enable the same object to have two UPNs.)
    • You will need to deploy an AADConnect server for every Azure AD tenant you want to synchronize to - one AADConnect server cannot synchronize to more than one Azure AD tenant.
    • It is supported to have different sync scopes and different sync rules for different tenants.
    • Only one Azure AD tenant sync can be configured to write back to Active Directory for the same object. This includes device and group writeback as well as Hybrid Exchange configurations – these features can only be configured in one tenant. The only exception here is Password Writeback – see below.
    • It is supported to configure Password Hash Sync from Active Directory to multiple Azure AD tenants for the same user object. If Password Hash Sync is enabled for a tenant, then Password Writeback may be enabled as well, and this can be done on multiple tenants: if the password is changed on one tenant, then password writeback will update it in Active Directory, and Password Hash Sync will update the password in the other tenants.
    • It is not supported to add and verify the same custom domain name in more than one Azure AD tenant, even if these tenants are in different Azure environments.
    • It is not supported to configure hybrid experiences that utilize forest level configuration in AD, such as Seamless SSO and Hybrid Azure AD Join (non-targeted approach), with more than one tenant. Doing so would overwrite the configuration of the other tenant, making it no longer usable. You can find additional information in Plan your hybrid Azure Active Directory join deployment.
    • You can synchronize device objects to more than one tenant but a device can be Hybrid Azure AD Joined to only one tenant.
    • Each Azure AD Connect instance should be running on a domain-joined machine.

    Check this for reference - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.
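The supportability rules the answer lists (one AAD Connect server per tenant, no shared verified domain, password hash sync before password writeback, group/device/Hybrid Exchange writeback and forest-level features in one tenant only) can be checked against a planned topology before anything is deployed. The following is an added example written for this page, not code from the answer or from Microsoft; the `TenantPlan` fields, the tenant names and the domains are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class TenantPlan:
    # Constructed, hypothetical description of one Azure AD tenant in the sync plan.
    name: str
    domains: frozenset          # initial *.onmicrosoft.com plus verified custom domains
    own_connect_server: bool    # dedicated Azure AD Connect instance for this tenant
    password_hash_sync: bool
    password_writeback: bool
    other_writeback: bool       # group/device writeback or Hybrid Exchange configuration
    forest_level_hybrid: bool   # Seamless SSO or non-targeted Hybrid Azure AD Join


def check_topology(tenants):
    """Return the supportability problems found in a multi-tenant AAD Connect plan."""
    problems, seen = [], {}
    for t in tenants:
        # One AAD Connect server cannot synchronize to more than one tenant.
        if not t.own_connect_server:
            problems.append(f"{t.name}: needs its own Azure AD Connect server")
        # The same domain name cannot be added and verified in two tenants.
        for d in sorted(t.domains):
            if d in seen:
                problems.append(f"{t.name}: domain {d} already verified in {seen[d]}")
            seen[d] = t.name
        # Password writeback is only supported alongside password hash sync.
        if t.password_writeback and not t.password_hash_sync:
            problems.append(f"{t.name}: password writeback requires password hash sync")
    # Group/device writeback and Hybrid Exchange may be configured in one tenant only.
    writers = [t.name for t in tenants if t.other_writeback]
    if len(writers) > 1:
        problems.append("non-password writeback enabled in: " + ", ".join(writers))
    # Forest-level hybrid features would overwrite each other across tenants.
    forest = [t.name for t in tenants if t.forest_level_hybrid]
    if len(forest) > 1:
        problems.append("forest-level hybrid features enabled in: " + ", ".join(forest))
    return problems


# Constructed sample: the existing o365 (prod) tenant plus two versions of the dev plan.
PROD = TenantPlan("prod", frozenset({"prod.onmicrosoft.com", "corp.example.com"}),
                  True, True, True, True, True)
DEV_BAD = TenantPlan("dev", frozenset({"dev.onmicrosoft.com", "corp.example.com"}),
                     False, True, True, True, True)
DEV_OK = TenantPlan("dev", frozenset({"dev.onmicrosoft.com"}), True, True, True, False, False)

if __name__ == "__main__":
    print(check_topology([PROD, DEV_BAD]), check_topology([PROD, DEV_OK]))
```

The dev plan that reuses the Connect server, re-verifies the corporate domain and turns on writeback and Seamless SSO is reported with four problems; the trimmed dev plan (own server, only its initial domain, password hash sync plus password writeback) passes cleanly.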