Azure AD Connect setup Questions

Mike Murphy 41 Reputation points
2021-01-11T23:53:11.3+00:00

Hello Everyone,
This is my first attempt at trying to do an Azure AD Connect sync and I'm not sure if I'm failing miserably or just haven't gone far enough.

First, I need to confirm a couple of things:

1. Azure AD Connect is a "one way" sync (as long as write back is off), correct? If I just wholesale delete the Azure domain, nothing happens to my on-prem domain, is that right?

2. I think I created problems by adding a second custom domain to a single tenant that was already set up for about 70 Office 365 users. Is this okay, or should I have created a second tenant?

Background:

We need to configure this because a third-party application uses this method to authenticate its user base. They told us to follow this doc:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-password-hash-sync

After reviewing a couple of docs it wasn't clear to me whether to create a second tenant, because I thought I read you can have only one tenant per subscription. Whoever set up the initial domain and added the first custom name set up Office 365. My intent was to create a second custom domain name and set it to primary in the same tenant with our actual full domain name. I set up a server and installed the Azure AD Connect tool on it. The domain was verified and the sync completed successfully; however, it appears accounts that were associated with the original custom Office 365 domain can no longer authenticate to the Azure portal, and the accounts from the new synced domain cannot authenticate either. It looks like that's because the identity issuer is the default domain name and not the actual domain name that was synced. So if I do a test login to the portal, ******@ourdomain.com does not work, but mike@azure.defaultdomain.com does.

Any guidance here is much appreciated.


Accepted answer
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2021-01-12T00:32:29.797+00:00

1. Yes. User writeback is not possible with Azure AD. You can write back groups and passwords if you set those up, but users can only sync from on-premises to Azure AD and not the other way around.

2. It depends on your use case. It is possible to have multiple domains in a single tenant, but having more than one Azure AD Connect sync server connected to a single Azure AD tenant is not supported. Refer to multiple-forests-multiple-sync-servers-to-one-azure-ad-tenant for more details.

Since there can be only one Azure AD Connect instance for a single Azure tenant, you would have to use one AAD Connect instance for all of the users if you want to have a single tenant. If all of these users are from the same company that shouldn't be a problem, but if they are from different companies or organizations I would not recommend it, as they would share the same tenant.

    Azure AD Connect does support connecting multiple forests to a single Azure AD tenant.

    https://learn.microsoft.com/en-us/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning

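The symptom in the question (synced users can only sign in as user@tenant.onmicrosoft.com) is the documented behaviour when a user's on-premises UPN suffix is not a verified domain in the tenant: Azure AD Connect keeps the UPN prefix and substitutes the tenant's default .onmicrosoft.com domain for the suffix. The script below is an added example, not code from this thread or from Microsoft, that compares the UPN suffixes actually present on in-scope on-premises accounts with the domains verified in the tenant and lists the users whose UPN will be rewritten on sync. It assumes the ActiveDirectory module on a domain-joined machine, the Microsoft.Graph PowerShell SDK with the read-only Domain.Read.All permission, and a placeholder `$SearchBase` OU that you replace with the OU Azure AD Connect is scoped to.

```powershell
# Added example (not from the thread): find on-premises users whose UPN suffix
# is not a verified domain in the Azure AD / Microsoft Entra tenant.
# Assumes: ActiveDirectory module, Microsoft.Graph SDK (Install-Module Microsoft.Graph).
#Requires -Modules ActiveDirectory, Microsoft.Graph.Identity.DirectoryManagement

param(
    # OU that Azure AD Connect syncs; placeholder value, adjust to your forest.
    [string]$SearchBase = 'OU=Users,DC=corp,DC=example,DC=com'
)

# 1. Domains verified in the tenant, plus the default (.onmicrosoft.com) domain.
Connect-MgGraph -Scopes 'Domain.Read.All'
$domains  = Get-MgDomain -All
$verified = $domains | Where-Object { $_.IsVerified } | ForEach-Object { $_.Id.ToLowerInvariant() }
$default  = ($domains | Where-Object { $_.IsDefault }).Id
Write-Host "Verified domains   : $($verified -join ', ')"
Write-Host "Default domain     : $default"

# 2. UPN suffixes the forest offers, for comparison with what accounts actually carry.
$forest = Get-ADForest
$forestSuffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
Write-Host "Forest UPN suffixes: $($forestSuffixes -join ', ')"

# 3. Every enabled user in scope, with the UPN Azure AD Connect will produce.
$users  = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName
$report = foreach ($u in $users) {
    $prefix = $u.SamAccountName
    $suffix = ''
    if ($u.UserPrincipalName -and $u.UserPrincipalName.Contains('@')) {
        $prefix, $suffix = $u.UserPrincipalName -split '@', 2
        $suffix = $suffix.ToLowerInvariant()
    }
    $isVerified = [bool]($suffix -and ($verified -contains $suffix))
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $u.UserPrincipalName
        Suffix         = $suffix
        Verified       = $isVerified
        # Unverified (or missing) suffix: the cloud UPN falls back to the default domain,
        # which is exactly the "prefix@tenant.onmicrosoft.com" sign-in seen in the question.
        SyncsAs        = if ($isVerified) { $u.UserPrincipalName } else { "$prefix@$default" }
    }
}

# Summary per suffix: which suffixes are in use and whether the tenant knows them.
$report | Group-Object Suffix | Sort-Object Count -Descending |
    Select-Object @{n='Suffix';e={$_.Name}}, Count, @{n='Verified';e={$verified -contains $_.Name}} |
    Format-Table -AutoSize

# Users who will not be able to sign in with their on-premises UPN after sync.
$report | Where-Object { -not $_.Verified } |
    Select-Object SamAccountName, UPN, SyncsAs |
    Format-Table -AutoSize
```

The usual fix for rows in the second table is to add the intended suffix both as a verified custom domain in the tenant and as a UPN suffix on the forest (`Set-ADForest -UPNSuffixes @{Add='ourdomain.com'}`), set the affected users' UPNs to that suffix, and run a delta sync on the connect server with `Start-ADSyncSyncCycle -PolicyType Delta`. Run the report again afterwards; every in-scope user should then show Verified = True and SyncsAs equal to their on-premises UPN.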
