How to connect two on-premise domain controllers (not in the same network) to a single AzureAD

Bastien1920 1 Reputation point
2020-04-03T12:01:58.59+00:00

Good afternoon, everyone,

Someone could tell me if it is possible to connect two domain controllers to a single Azure AD.

Let me explain:

I work in a IT company and we offer remote offices to our clients. Authentication in our remote offices is done via our domain controller. One of our clients, already having a domain controller in their network, asked us if it was possible to use his AD account to authenticate on our remote offices. So an SSO installation with two remote domain controllers on-premise.

Thank you in advance for your clarification.

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,223 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,604 questions
{count} votes

5 answers

Sort by: Most helpful
  1. soumi-MSFT 11,766 Reputation points Microsoft Employee
    2020-04-03T12:13:06.187+00:00

    @Bastien1920 , The requirement is still not clear. Based on the explanation given it looks like you are trying to create a relationship between you local and remote sites, which can pretty much be done using your on-prem Domain Controllers. SSO would be delivered using Kerberos within your org network. I am not sure where Azure AD is coming into picture here.

    Do clarify your requirement with AAD, so that we can help better.


  2. EmiliaB 1 Reputation point
    2020-04-03T15:42:20.82+00:00

    If I understand correctly, you're talking about federated identity management. Well, according to this article it is possible: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

    0 comments No comments

  3. Konrad 'Sagus' Sagala 81 Reputation points MVP
    2020-04-04T08:57:02.503+00:00

    I think that better solution for your clients would be separate forest in DMZ or external zone, with ADFS service and federation with your internal AD and AD of your clients. It will work for different clients, even when they don't have local AD. It deliver better protection of your internal resources and better control on access.

    0 comments No comments

  4. rbrayb 21 Reputation points MVP
    2020-04-05T23:22:30.153+00:00

    You tagged the question with "ADFS" so I assume that's an option.

    In this scenario, you would install ADFS for your domain, they would install ADFS for their domain and then you would then federate the two ADFS.

    The domain-B users can then access domain-A applications using their domain-B credentials.

    If this is a possible solution, let me know and I can elaborate.

    0 comments No comments

  5. Jesse Coyne 1 Reputation point Microsoft Employee
    2020-04-05T23:56:37.307+00:00

    You would need to setup federated services and also setup SAML authentication on your domain to allow their federated domains credentials. I don't recommend this method unless you want to go through great lengths to manage and secure your companies internal domain, for yours and your customers sake.

    I would also suggest a method that involves a stop gap in the case of a credential is compromised by a bad actor or something with the knowledge to harm your internal domain or your customers remote offices. This would involve setting up your domain with 2FA integrations to control desktop sign ons. This would be possible with many 2FA products but my experience has been successful with Duo.

    I suggest also looking into moving your own environments into Azure if this is going to be a common practice between you and your customers since this would make your own infrastructure management a breeze and also make you very flexible to integrate with any future customer. Hope this helps!

    https://www.appliedis.com/federated-authentication-with-a-saml-identity-provider/

    0 comments No comments