What is the correct procedure for rotating the Kerberos key used in Seamless SSO when configured in a forest with multiple domains and synced with multiple tenants through Azure AD Connect? The documentation recommends running the Update-AzureADSSOForest command once per forest, but this only updates the key for the tenant that signed in using New-AzureADSSOAuthenticationContext. After the rotation, the Seamless SSO breaks for the other synced tenants. What is the correct way to solve this?
This is my setup:
dsv.ssc.local = AADconnect with tenant C
sko.ssc.local = AADconnect with tenant D
If I understand your architecture correctly, it's not supported to have SSO with multiple tenants and one AD forest syncing to them.
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies