Azure Hybrid Topology

Venkat 1 Reputation point

We have a requirement to build a hybrid topology for SSO configuration for Azure accounts using on-premise AD. We have single AD forest & single domain name (for ex:, but we have multiple Azure AD tenants. We want to integrate the single domain with multiple Azure AD tenants using multiple Azure AD connector? is it possible or is there any better soln for this scenario

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,499 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Saurabh Sharma 23,791 Reputation points Microsoft Employee

    No, it is not supported. You cannot sync same users to multiple Azure AD tenants.
    You can only achieve this if you have separate Azure AD connects with mutually exclusive set of objects to sync to Azure AD. Please refer to Each object only once in an Azure AD tenant documentation for details.
    This document also provides different supported and unsupported typologies.

    1 person found this answer helpful.

  2. Shashi Shailaj 7,581 Reputation points Microsoft Employee

    @Venkat , You can sync your on-premise Identities to multiple azure AD tenants by setting up multiple azure AD connect Servers . But you will not be able to use the same domain suffix. Let me explain by taking example of two different scenarios.


    So lets say currently you have a on-premise environment and ne domain called .
    Also you have setup 3 different Azure AD tenants where you would like to sync your users from on-premise AD environment .


    There are three Azure AD connect Servers that you have setup connected to the above three tenants.
    I am assuming that you already have setup as your primary domain suffix in on-premise AD and all the users have a userprincipalname attribute which is similar to (user)@xyz .com . is a custom domain and any custom domain can be verified in only one single azure AD tenant. You can not verify the same domain in more than one azure AD tenant as this is by design and not permitted. This is why it is mentioned above in saurabh's answer that each object is represented in only one tenant . That means The user with UPN user@xyz .com can only be present in one single tenant .

    When you start the sync in the above case for all the users to three tenants via three different Azure AD connect servers the following will happen. For simplifications we will take one single on-premise user with the Identity as user@xyz .com .

    • user@xyz .com >> AD connect 01 >> user@xyz .com (this assuming that was verified in the
    • user@xyz .com >> AD connect 02 >>
    • user@xyz .com >> AD connect 03 >>

    The above will be the output for the user in the three tenants in the cloud. While all the 3 objects created in the cloud are mapped to the same object on-premise yet they are different objects with different objectIDs.


    Now in another scenario , lets say you have three different domains of three different business units within same on-premise directory.


    In this case if you have a requirement where you would like to map a set of users to different tenants based on the domains that they are part of, you can surely do this. So you will have to verify each domain in a different tenant once and then you can sync these using 3 different Azure AD connect as explained in last scenario to the specific tenants. You would require to do some filtering in the Azure AD connect to sync unique set of users and the sync would work.

    • >> AD connect 01 >> (this assuming that was verified in the
    • >> AD connect 02 >>
    • >> AD connect 03 >>

    Hope the above helps. However if you are trying to sync same user object to there different tenant with same user principal name then that is not possible by design. If the above explanations do not help you , I would suggest to provide more details on your use case so that we can help you better. If it was one of the two scenarios hope the explanations helped you.

    Hope this clarifies your query as to what you can actually achieve in terms of hybrid topology with Azure AD. Please do accept the posts as answer whichever would have helped you with relevant information so that it is helpful to other members of the community searching for similar queries. Should you have any further queries on this feel free to let us know in comments and we will be happy to help.

    Thank you.

    1 person found this answer helpful.

  3. Stephanie de Hoog 1 Reputation point

    You might consider using Azure B2C, set up multi tenant Azure AD SSO and sync the on-prem domain to it's own AAD?
    Have a look at this doc: