This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
How to configure SSO between Azure AD joined devices in Tenant A to Office365 in Tenant B, so that when a user logins into Windows Device using Tenant A onmicrosoft.com id ,they should be also able to login into O365 domain.com hosted in Tenant B without credentials.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Configure the user as a guest in tenant B
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
I have a scenario where "M365 is hosted on Tenant A with domain.com" and Azure AD for AAD Joined devices on "Tenant B with onmicrosoft.com" and on premises with "Domain.local" .
Problem-User need to login using different credentials in Azure AD joined devices and then Microsoft 365,issue is multiple logins as Azure AD for devices in one tenant with onmicrosoft.com and email /one drive and sharepoint/teams on office365 provider as domain.com.
AD connect is used between onmicrosoft.com to domain. Local and not domain.com.
Question-What different solutions available to simplify user login process or implement the SSO ,so that once user login with AAD joined device which is in tenant A they should be login without credentials into M365 which is hosted on tenant B.
So solution for this scenario would be Entra AD connect to synchronize users to two different tenants from local domain ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Thank you for posting this in Microsoft Q&A.
As I understand you have a device which is joined to Tenant A and you want to access resource in tenant B using SSO.
SSO works between applications in a single tenant and not between multiple tenants. This is because the user accounts and sessions can be shared only within a tenant.
Sharing tokens between multiple tenants in not security complaint.
Device join can only happen in one tenant. When you register a device, it creates a device object in Azure and maps this to the user account. If you want to join a machine to a different tenant, you need to disconnect from the first tenant and register again with the new tenant.
Whenever a new device is registered, there is a token is been issued. Now when user tries to access any same tenant specific resource, the token is been shared and user gets access to the resource.
If token is invalid, then the access is not granted. Now when user from tenant A tries to access resource from tenant B, the token is invalidated and SSO fails.
Currently there is no option where user from device joined to Tenant A can access resources from tenant B using SSO.
However, you can submit a feedback in Azure feedback portal. This portal is directly monitored by our PM's and they can share any update if they have regarding this.
https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789
Let us know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
As per your comment in above answer, yes you can sync users to 2 different tenants. But this can only happen when you are not configuring any of the custom domains.
Because when you sync users from single domain to 2 different tenants, users in Entra ID will be represented as <user>@xxx.onmicrosoft.com.
This is the default domain that get set in Entra ID.
Now user's can login to devices using above UPN while logging in to the device.
Let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.