Azure Hybrid Topology

Venkat 1 Reputation point
2020-05-06T08:22:40.627+00:00

We have a requirement to build a hybrid topology for SSO configuration for Azure accounts using on-premises AD. We have a single AD forest and a single domain name (for example, xyz.com), but we have multiple Azure AD tenants. We want to integrate the single domain with multiple Azure AD tenants using multiple Azure AD Connect servers. Is this possible, or is there a better solution for this scenario?


3 answers

  1. Saurabh Sharma 23,671 Reputation points Microsoft Employee
    2020-05-06T23:23:07.933+00:00

    No, it is not supported. You cannot sync the same users to multiple Azure AD tenants.
    You can only achieve this if you have separate Azure AD Connect servers with mutually exclusive sets of objects to sync to Azure AD. Please refer to the "Each object only once in an Azure AD tenant" documentation for details.
    This document also lists the different supported and unsupported topologies.

    1 person found this answer helpful.

  2. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-05-12T13:02:23.813+00:00

    @Venkat, you can sync your on-premises identities to multiple Azure AD tenants by setting up multiple Azure AD Connect servers, but you will not be able to use the same domain suffix. Let me explain by taking two different scenarios as examples.

    SCENARIO 01

    So let's say you currently have an on-premises environment and one domain called xyz.com.
    Also, you have set up three different Azure AD tenants to which you would like to sync your users from the on-premises AD environment.

    • tenant1.onmicrosoft.com
    • tenant2.onmicrosoft.com
    • tenant3.onmicrosoft.com

    There are three Azure AD Connect servers that you have set up, connected to the above three tenants.
    I am assuming that you have already set up xyz.com as your primary domain suffix in on-premises AD and that all the users have a userPrincipalName attribute of the form user@xyz.com.

    xyz.com is a custom domain, and any custom domain can be verified in only one Azure AD tenant. You cannot verify the same domain xyz.com in more than one Azure AD tenant; this is by design and not permitted. This is why Saurabh's answer above mentions that each object is represented in only one tenant. That means the user with UPN user@xyz.com can only be present in one single tenant.

    When you start the sync in the above case for all the users to the three tenants via three different Azure AD Connect servers, the following will happen. For simplicity we will take one single on-premises user with the identity user@xyz.com.

    • user@xyz.com >> AD Connect 01 >> user@xyz.com (this assumes that xyz.com was verified in tenant1.onmicrosoft.com)
    • user@xyz.com >> AD Connect 02 >> user@tenant2.onmicrosoft.com
    • user@xyz.com >> AD Connect 03 >> user@tenant3.onmicrosoft.com

    The above will be the output for the user in the three tenants in the cloud. While all three objects created in the cloud are mapped to the same object on-premises, they are still different objects with different objectIDs.

    SCENARIO 02

    Now in another scenario, let's say you have three different domains of three different business units within the same on-premises directory.

    • user01@xyzauto.com
    • user02@xyzfoods.com
    • user03@xyzedu.com

    In this case, if you have a requirement to map a set of users to different tenants based on the domains that they are part of, you can surely do this. You will have to verify each domain in a different tenant once, and then you can sync these using three different Azure AD Connect servers, as explained in the last scenario, to the specific tenants. You would need to do some filtering in Azure AD Connect to sync a unique set of users, and the sync would work.

    • user@xyzauto.com >> AD Connect 01 >> user@xyzauto.com (this assumes that xyz.com was verified in tenant1.onmicrosoft.com)
    • user@xyzfoods.com >> AD Connect 02 >> user@xyzfoods.com
    • user@xyzedu.com >> AD Connect 03 >> user@xyzedu.com

    Hope the above helps. However, if you are trying to sync the same user object to three different tenants with the same user principal name, then that is not possible by design. If the above explanations do not help you, I would suggest providing more details on your use case so that we can help you better. If it was one of the two scenarios, I hope the explanations helped you.

    Hope this clarifies your query as to what you can actually achieve in terms of hybrid topology with Azure AD. Please do accept whichever post helped you with relevant information as the answer, so that it is helpful to other members of the community searching for similar queries. Should you have any further queries on this, feel free to let us know in the comments and we will be happy to help.

    Thank you.

    1 person found this answer helpful.
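As an added example (not code from this thread, from the answerers, or from Microsoft), the following PowerShell models the two points made in the answers above: Saurabh's rule that each on-premises object may be represented in only one tenant, and Shashi's two scenarios of how the UPN ends up in each tenant. The tenant names, the verified-domain maps and the user list are constructed for illustration; `Get-ADUser` is mentioned only as the production source of the user list and is not called here, so the script runs offline on any Windows or PowerShell 7 host.

```powershell
# Added example, not from the original thread. Assumed/constructed values:
# tenant names, which custom domain is verified in which tenant, and the users.

function Get-CloudUpn {
    # UPN the user would get in $TenantName after sync. A suffix that is not
    # verified in that tenant falls back to <prefix>@<tenant>.onmicrosoft.com.
    param(
        [Parameter(Mandatory)][string]$OnPremUpn,
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][System.Collections.IDictionary]$DomainMap
    )
    $prefix, $suffix = $OnPremUpn -split '@', 2
    if (@($DomainMap[$TenantName]) -contains $suffix) { return $OnPremUpn }
    return "$prefix@$TenantName"
}

function Get-CloudUpnMatrix {
    # Scenario 01: one row per (user, tenant) showing the distinct cloud object
    # each connector would create for the same on-premises user.
    param($Users, [System.Collections.IDictionary]$DomainMap)
    foreach ($u in $Users) {
        foreach ($t in $DomainMap.Keys) {
            [pscustomobject]@{
                OnPremUpn = $u.UserPrincipalName
                Tenant    = $t
                CloudUpn  = Get-CloudUpn -OnPremUpn $u.UserPrincipalName -TenantName $t -DomainMap $DomainMap
            }
        }
    }
}

function Test-TenantPartition {
    # Scenario 02 pre-sync check: with "UPN suffix is verified in that tenant" as
    # the per-connector filter, every user must match exactly one tenant.
    # Flags the two failure modes: no tenant (would silently get an
    # onmicrosoft.com UPN) and more than one (same object in several tenants).
    param($Users, [System.Collections.IDictionary]$DomainMap)
    foreach ($u in $Users) {
        $suffix = ($u.UserPrincipalName -split '@', 2)[1]
        $hits = @($DomainMap.Keys | Where-Object { @($DomainMap[$_]) -contains $suffix })
        if ($hits.Count -eq 1)     { $status = 'ok' }
        elseif ($hits.Count -eq 0) { $status = 'NO TENANT: suffix not verified anywhere' }
        else                       { $status = 'DUPLICATE: suffix verified in more than one tenant' }
        [pscustomobject]@{
            User    = $u.SamAccountName
            Suffix  = $suffix
            Tenants = ($hits -join ', ')
            Status  = $status
        }
    }
}

# Constructed sample users. In production you would instead use, e.g.:
#   $users = Get-ADUser -Filter * -Properties userPrincipalName
$users = @(
    [pscustomobject]@{ SamAccountName = 'user';   UserPrincipalName = 'user@xyz.com' }
    [pscustomobject]@{ SamAccountName = 'user01'; UserPrincipalName = 'user01@xyzauto.com' }
    [pscustomobject]@{ SamAccountName = 'user02'; UserPrincipalName = 'user02@xyzfoods.com' }
    [pscustomobject]@{ SamAccountName = 'user03'; UserPrincipalName = 'user03@xyzedu.com' }
    [pscustomobject]@{ SamAccountName = 'svc01';  UserPrincipalName = 'svc01@corp.local' }  # non-routable suffix
)

# Scenario 01: xyz.com is verified in tenant1 only; all three connectors sync 'user'.
$scenario01 = [ordered]@{
    'tenant1.onmicrosoft.com' = @('xyz.com')
    'tenant2.onmicrosoft.com' = @()
    'tenant3.onmicrosoft.com' = @()
}
Get-CloudUpnMatrix -Users ($users | Where-Object SamAccountName -eq 'user') -DomainMap $scenario01 |
    Format-Table -AutoSize
# user@xyz.com lands as user@xyz.com in tenant1, user@tenant2.onmicrosoft.com
# in tenant2 and user@tenant3.onmicrosoft.com in tenant3: three separate objects.

# Scenario 02: one business-unit domain verified per tenant, filtered sync.
$scenario02 = [ordered]@{
    'tenant1.onmicrosoft.com' = @('xyzauto.com')
    'tenant2.onmicrosoft.com' = @('xyzfoods.com')
    'tenant3.onmicrosoft.com' = @('xyzedu.com')
}
Test-TenantPartition -Users $users -DomainMap $scenario02 | Format-Table -AutoSize
# user01..user03 are 'ok'; 'user' (xyz.com) and 'svc01' (corp.local) are flagged
# NO TENANT, i.e. they would need a verified suffix or must be filtered out.
```

The suffix test stands in for the real connector filter: in Azure AD Connect the mutually exclusive sets that Saurabh's answer requires are built with domain/OU filtering or attribute-based filtering in the sync rules, not by UPN suffix alone, so the check above should be run against whatever attribute your rules actually filter on. To confirm which custom domains are verified in a given tenant before trusting the domain map, `Get-MgDomain` from the Microsoft Graph PowerShell SDK returns each domain with its `IsVerified` flag.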

  3. Stephanie de Hoog 1 Reputation point
    2020-05-11T02:50:34.173+00:00

    You might consider using Azure B2C: set up multi-tenant Azure AD SSO and sync the on-prem domain to its own AAD?
    Have a look at this doc: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=applications