office 365 identity - diff user and workstation AD

Hasan Reza 161 Reputation points
2024-01-31T22:30:50.2766667+00:00

Dear All, We have customer would has below requirement, 1- user would be synced from Forest A to O365 2- Forest B would contain the same user A and workstation would be joined to Forest B 3- Identity in Forest A and Forest B would be synced for password using a third party solution ( IBM) The customer has requirement to setup the below office 365 1- MFA 2- Privilege identity management 3- Conditional Access 4- Intune (MDM and MAM Policies) 5- Defender for Cloud 6- Cloud App Security We are looking at risk in such setup and if such a scenario would work or supported by Microsoft, Awaiting Kind response, Regards - Hasan Reza

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
3,332 questions
Microsoft Identity Manager
Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
573 questions
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps
A Microsoft cloud access security broker that enables customers to control the access and use of software as a service apps in their organization.
86 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Catherine Kyalo 160 Reputation points Microsoft Employee
    2024-02-20T11:23:17.43+00:00

    Hi @Hasan Reza The scenario that you've described can work, although it does bring up some complexities. For the initial setup with multiple forests (A and B), Azure AD Connect can sync multiple forests into a single Azure AD tenant. The key here is ensuring that the userPrincipalName (UPN) attribute is unique across all forests. You can check more on this in the documentation here. As for syncing passwords from both forests with a third-party tool, it could potentially work, but it's not a scenario that Microsoft can fully support. Azure AD Connect does support password hash synchronization, pass-through authentication, and federation. More on this can be found here. The rest of the services you've listed (MFA, Privileged Identity Management, Conditional Access, Intune, Defender for Cloud, Cloud App Security) can all work with this setup, as they operate at the Azure AD level, not at the on-premises AD level. The primary risk in this setup is the complexity it introduces, especially in terms of managing and troubleshooting. It would be recommended to simplify the setup where possible, for example, by consolidating the forests or by using Azure AD Connect for password synchronization. Keep in mind that Microsoft support may be limited due to the use of third-party solutions in your scenario.

    0 comments No comments