One on-premis AD, multiple AAD tenants

Tobi 21 Reputation points
2021-02-16T17:32:18.247+00:00

Hi all

We sync a single on-premise AD to multiple Azure AD Tenants. According to https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies this scenario is supported. But I have some questions:

  1. When we configure PTA for this scenario we need a PTA agent (or two for redundancy) installed for each AAD tenant is that correct?
  2. What does "Windows 10 devices can be associated with only one Azure AD tenant." mean? It's not possible to have a device in multiple tenants or you can only register devices to one of the tenants and device registartion in the other tenants is not possible?
  3. "The single sign-on (SSO) option for password hash synchronization and pass-through authentication can be used with only one Azure AD tenant.". I understand this means SSO can only be configured for one Tenant. Is that right?

Thank for feedback.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,427 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 36,931 Reputation points Microsoft Employee
    2021-02-16T23:27:31.88+00:00

    Hi @Tobi ,

    1 - Yes, you need at least one for each tenant.

    "Pass-through Authentication is a tenant-level feature."

    It's associated with Azure AD Connect as well, and Azure AD Connect has a 1:1 relationship with the Azure AD tenant. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start

    2 - It means that the same device object cannot exist in more than one tenant and cannot be registered in multiple Azure AD tenants. When you register a device it creates a device object in Azure and maps this to the user account. If you want to join a machine to a different tenant, you need to disconnect from the first tenant and register again with the new tenant.

    3 - "The single sign-on (SSO) option for password hash synchronization and pass-through authentication can be used with only one Azure AD tenant." This means that you can't have multi-tenant/cross-tenant single sign-on for password hash synchronization and pass-through authentication.


1 additional answer

Sort by: Most helpful
  1. testuser7 271 Reputation points
    2022-07-13T19:24:33.023+00:00

    Hi @Shashi Shailaj @Marilee Turscak-MSFT

    I was reading this thread. I wanted to summarize and validate one point. Appreciate your help.

    So we know that any Windows 10/11 device can be joined to only one AAD-tenant.
    The device could be AAD-joined OR Hybrid-joined or AAD-registered.

    But once the device is joined to tenant T1, when user want to sign into the device , he must be in tenant T1
    however, once user of T1 signs in, he can always add his 2 different accounts of Tenant T2 and T3 from
    Settings --> Accounts ---> Email & Accounts --> Add Work or School Account

    In other words, this device now has PRT of 3 accounts from 3 Tenants T1, T2 and T3
    We will find the same device as "AAD-registered" in T2 and T3

    Now if this user want to access any app registered in tenant T2, he will choose the account of T2 from account-picker popup.

    Am I correct ?

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.