
1 Vote
MikeWork-0913 asked, MikeWork-0913 answered

Two Azure accounts, One AD to rule them all

Think I already know the answer to this. But looking at all possibilities.

We have a Production MS AD environment where we have AD Connect set up and configured to work with Azure AD in what we consider our Production Azure environment.

Along comes our application department, signs up for an Azure account, we'll call this the Development Azure environment, user uses their own credit card info to get it started. Builds out a few things in this Azure account, aaaaand now a few of those things are considered a production resource. That's great (sarcastically). Ghost IT to the max!

Now the Applications department realizes that users in our Production AD domain cannot log into or access resources in this Development Azure environment and you guessed it, now wants to allow users in our production AD to access these resources in the Development Azure environment.

From what I have found so far connecting 2 Azure accounts running their own individual Azure ADs back to a single MS AD is NOT supported.

The only 2 supported options I have found are:

Option One: Setup a new MS AD environment, create a trust between this new Development MS AD environment and our Production MS AD environment, then setup AD Connect for this new Development MS AD to this Development Azure account.

Option Two: Create a new Azure AD user in the Development Azure environment, but during creation you can specify it as an external user from our Production Azure AD environment that is syncing to our MS AD environment.

Am I on the right track? Any better suggestions or options I am missing other than migrating or merging the two Azure accounts?

Thanks!
Mike

azure-active-directory

1 Vote
MarileeTurscak-MSFT answered

I'm so sorry for the late reply on this. But yes, you are on the right track! Based on your scenario, external users sound like a good way to handle this. If you want users from one tenant to be able to access resources in the other tenant, you can just make those users guest users in the other tenant.

I would check out the guides on multi-tenant applications.

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-directory-independence

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

The trust option that you mentioned would also work.

(image: 10406-multiforestscenario.png)

See "multiple forests, one Azure AD tenant" in the supported topologies.

Another option is to migrate tenants but that's a lot more involved and seems unnecessary in your case.
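One way to carry out the guest-user option from this answer, as an added example that is not part of the thread: a Microsoft Graph PowerShell script that invites Production-tenant users as B2B guests into the Development tenant and puts them in one group that carries the RBAC assignment. The tenant ID, group ID and user list are placeholders you replace with your own values; the script assumes the Microsoft Graph PowerShell SDK is installed.

```powershell
# Added example (not from the thread): bulk-invite Production-tenant users as B2B guests
# into the Development tenant and add them to a single group used for RBAC assignments.
# Assumptions: Microsoft Graph PowerShell SDK installed; $DevTenantId, $GuestGroupId and
# $ProductionUpns are placeholders / constructed sample input.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups

param(
    [string]$DevTenantId  = '00000000-0000-0000-0000-000000000000',   # Development tenant (placeholder)
    [string]$GuestGroupId = '11111111-1111-1111-1111-111111111111',   # group holding the RBAC role assignment (placeholder)
    [string[]]$ProductionUpns = @('alice@prod.example.com', 'bob@prod.example.com')  # constructed sample input
)

# Least-privilege scopes: invite guests, read users, manage one group's membership.
Connect-MgGraph -TenantId $DevTenantId -Scopes 'User.Invite.All', 'User.Read.All', 'GroupMember.ReadWrite.All' | Out-Null

# Current members of the access group, so re-running the script is idempotent.
$existingMembers = (Get-MgGroupMember -GroupId $GuestGroupId -All).Id

foreach ($upn in $ProductionUpns) {
    # Guest objects keep the home-tenant address in 'mail'; reuse an existing guest instead of re-inviting.
    $guest = Get-MgUser -Filter "mail eq '$upn' and userType eq 'Guest'" -Property Id, Mail, UserType

    if (-not $guest) {
        # B2B invitation: the user keeps authenticating against the Production tenant
        # (and so against on-prem AD via AD Connect); no separate password is created here.
        $invite = New-MgInvitation -InvitedUserEmailAddress $upn `
                                   -InviteRedirectUrl 'https://portal.azure.com' `
                                   -SendInvitationMessage:$true
        $guestId = $invite.InvitedUser.Id
        Write-Host "Invited $upn as guest $guestId"
    } else {
        $guestId = $guest.Id
        Write-Host "$upn already exists as guest $guestId"
    }

    # Grant access through group membership rather than per-user role assignments,
    # so removing someone from the group revokes everything at once.
    if ($existingMembers -notcontains $guestId) {
        New-MgGroupMember -GroupId $GuestGroupId -DirectoryObjectId $guestId
        Write-Host "Added $guestId to group $GuestGroupId"
    }
}

Disconnect-MgGraph | Out-Null
```

Offboarding a user in the Production tenant (or on-prem AD) disables their sign-in, but the guest object in the Development tenant remains until it is removed or cleaned up by an access review.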



0 Votes
MikeWork-0913 answered

Awesome thanks Marilee!
