Hi @Hasan Reza

The scenario that you've described can work, although it does bring up some complexities. For the initial setup with multiple forests (A and B), Azure AD Connect can sync multiple forests into a single Azure AD tenant. The key here is ensuring that the userPrincipalName (UPN) attribute is unique across all forests. You can check more on this in the documentation here.

As for syncing passwords from both forests with a third-party tool, it could potentially work, but it's not a scenario that Microsoft can fully support. Azure AD Connect does support password hash synchronization, pass-through authentication, and federation. More on this can be found here.

The rest of the services you've listed (MFA, Privileged Identity Management, Conditional Access, Intune, Defender for Cloud, Cloud App Security) can all work with this setup, as they operate at the Azure AD level, not at the on-premises AD level.

The primary risk in this setup is the complexity it introduces, especially in terms of managing and troubleshooting. It would be recommended to simplify the setup where possible, for example, by consolidating the forests or by using Azure AD Connect for password synchronization. Keep in mind that Microsoft support may be limited due to the use of third-party solutions in your scenario.
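A pre-flight check for the UPN-uniqueness requirement mentioned in the answer, added here as an example and not part of the original thread: it takes a user export per forest and reports UPNs that appear more than once (the same user A existing in Forest A and Forest B would show up here) and accounts with no UPN set. The forest names and user records are constructed sample data; the `Get-ADUser` call shown in the comment is how you would feed it real directories.

```powershell
# Added example (not from the original post): check that userPrincipalName values
# are unique across the forests Azure AD Connect will sync into one tenant.
# The two arrays below are constructed sample data; against real forests use, e.g.:
#   Get-ADUser -Server 'dc01.forest-a.example' -Filter * -Properties userPrincipalName
function Find-UpnCollision {
    param(
        # Hashtable: forest label -> array of objects with SamAccountName/UserPrincipalName
        [Parameter(Mandatory)] [hashtable] $UsersByForest
    )
    $index   = @{}   # lower-cased UPN -> list of "Forest\sAMAccountName"
    $missing = @()   # accounts that would not match any tenant UPN
    foreach ($forest in $UsersByForest.Keys) {
        foreach ($u in $UsersByForest[$forest]) {
            if ([string]::IsNullOrWhiteSpace($u.UserPrincipalName)) {
                $missing += "$forest\$($u.SamAccountName)"
                continue
            }
            # UPNs are case-insensitive, so normalise before comparing
            $key = $u.UserPrincipalName.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $index[$key] += "$forest\$($u.SamAccountName)"
        }
    }
    # Any UPN seen more than once, within or across forests, is a collision
    $collisions = foreach ($k in $index.Keys) {
        if ($index[$k].Count -gt 1) {
            [pscustomobject]@{ UserPrincipalName = $k; Accounts = ($index[$k] -join ', ') }
        }
    }
    [pscustomobject]@{ Collisions = @($collisions); MissingUpn = $missing }
}

# Constructed sample: 'alice' exists in both forests (the question's "same user A"),
# 'bob' is unique, and 'svc-backup' has no UPN populated.
$sample = @{
    'ForestA' = @(
        [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@contoso.example' }
        [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@contoso.example' }
    )
    'ForestB' = @(
        [pscustomobject]@{ SamAccountName = 'alice';      UserPrincipalName = 'Alice@contoso.example' }
        [pscustomobject]@{ SamAccountName = 'svc-backup'; UserPrincipalName = $null }
    )
}
$report = Find-UpnCollision -UsersByForest $sample
$report.Collisions | Format-Table -AutoSize   # alice@contoso.example -> ForestA\alice, ForestB\alice
$report.MissingUpn                            # ForestB\svc-backup
```

Every row in Collisions must be resolved (or the duplicate object deliberately matched across forests in Azure AD Connect) before the second forest is added to the sync scope, otherwise the second object will be reported as a sync error.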
office 365 identity - diff user and workstation AD
Dear All,

We have a customer who has the below requirements:

1- User would be synced from Forest A to O365
2- Forest B would contain the same user A, and workstations would be joined to Forest B
3- Identity in Forest A and Forest B would be synced for password using a third-party solution (IBM)

The customer has a requirement to set up the below in Office 365:

1- MFA
2- Privileged Identity Management
3- Conditional Access
4- Intune (MDM and MAM policies)
5- Defender for Cloud
6- Cloud App Security

We are looking at the risks in such a setup and whether such a scenario would work or be supported by Microsoft.

Awaiting kind response,

Regards - Hasan Reza