Azure Hybrid Topology

Venkat 1 Reputation point
2020-05-06T08:22:40.627+00:00

We have a requirement to build a hybrid topology for SSO configuration for Azure accounts using on-premise AD. We have single AD forest & single domain name (for ex: xyz.com), but we have multiple Azure AD tenants. We want to integrate the single domain with multiple Azure AD tenants using multiple Azure AD connector? is it possible or is there any better soln for this scenario

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,610 questions
No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Saurabh Sharma 17,291 Reputation points Microsoft Employee
    2020-05-06T23:23:07.933+00:00

    No, it is not supported. You cannot sync same users to multiple Azure AD tenants.
    You can only achieve this if you have separate Azure AD connects with mutually exclusive set of objects to sync to Azure AD. Please refer to Each object only once in an Azure AD tenant documentation for details.
    This document also provides different supported and unsupported typologies.


  2. ShashiShailaj-MSFT 7,411 Reputation points Microsoft Employee
    2020-05-12T13:02:23.813+00:00

    @Venkat , You can sync your on-premise Identities to multiple azure AD tenants by setting up multiple azure AD connect Servers . But you will not be able to use the same domain suffix. Let me explain by taking example of two different scenarios.

    SCENARIO 01

    So lets say currently you have a on-premise environment and ne domain called xyz.com .
    Also you have setup 3 different Azure AD tenants where you would like to sync your users from on-premise AD environment .

    • tenant1.onmicrosoft.com
    • tenant2.onmicrosoft.com
    • tenant3.onmicrosoft.com

    There are three Azure AD connect Servers that you have setup connected to the above three tenants.
    I am assuming that you already have setup xyz.com as your primary domain suffix in on-premise AD and all the users have a userprincipalname attribute which is similar to (user)@xyz .com .

    xyz.com is a custom domain and any custom domain can be verified in only one single azure AD tenant. You can not verify the same domain xyz.com in more than one azure AD tenant as this is by design and not permitted. This is why it is mentioned above in saurabh's answer that each object is represented in only one tenant . That means The user with UPN user@xyz .com can only be present in one single tenant .

    When you start the sync in the above case for all the users to three tenants via three different Azure AD connect servers the following will happen. For simplifications we will take one single on-premise user with the Identity as user@xyz .com .

    • user@xyz .com >> AD connect 01 >> user@xyz .com (this assuming that xyz.com was verified in the tenant1.onmicrosoft.com)
    • user@xyz .com >> AD connect 02 >> user@tenant2.onmicrosoft.com
    • user@xyz .com >> AD connect 03 >> user@tenant3.onmicrosoft.com

    The above will be the output for the user in the three tenants in the cloud. While all the 3 objects created in the cloud are mapped to the same object on-premise yet they are different objects with different objectIDs.

    SCENARIO 02

    Now in another scenario , lets say you have three different domains of three different business units within same on-premise directory.

    • user01@xyzauto.com
    • user02@xyzfoods.com
    • user03@xyzedu.com

    In this case if you have a requirement where you would like to map a set of users to different tenants based on the domains that they are part of, you can surely do this. So you will have to verify each domain in a different tenant once and then you can sync these using 3 different Azure AD connect as explained in last scenario to the specific tenants. You would require to do some filtering in the Azure AD connect to sync unique set of users and the sync would work.

    • user@xyzauto.com >> AD connect 01 >> user@xyzauto.com (this assuming that xyz.com was verified in the tenant1.onmicrosoft.com)
    • user@xyzfoods.com >> AD connect 02 >> user@xyzfoods.com
    • user@xyzedu.com >> AD connect 03 >> user@xyzedu.com

    Hope the above helps. However if you are trying to sync same user object to there different tenant with same user principal name then that is not possible by design. If the above explanations do not help you , I would suggest to provide more details on your use case so that we can help you better. If it was one of the two scenarios hope the explanations helped you.

    Hope this clarifies your query as to what you can actually achieve in terms of hybrid topology with Azure AD. Please do accept the posts as answer whichever would have helped you with relevant information so that it is helpful to other members of the community searching for similar queries. Should you have any further queries on this feel free to let us know in comments and we will be happy to help.

    Thank you.


  3. Stephanie de Hoog 1 Reputation point
    2020-05-11T02:50:34.173+00:00

    You might consider using Azure B2C, set up multi tenant Azure AD SSO and sync the on-prem domain to it's own AAD?
    Have a look at this doc: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=applications