Think I already know the answer to this. But looking at all possibilities.
We have a Production MS AD environment where we have AD Connect set up and configured to work with Azure AD in what we consider our Production Azure environment.
Along comes our application department, signs up for an Azure account, we'll call this the Development Azure environment, user uses their own credit card info to get it started. Builds out a few things in this Azure account, aaaaand now a few of those things are considered a production resource. That's great (sarcastically). Ghost IT to the max!
Now the Applications department realizes that users in our Production AD domain cannot log into or access resources in this Development Azure environment and you guessed it, now wants to allow users in our production AD to access these resources in the Development Azure environment.
From what I have found so far connecting 2 Azure accounts running their own individual Azure ADs back to a single MS AD is NOT supported.
The only 2 supported options I have found are:
Option One: Set up a new MS AD environment, create a trust between this new Development MS AD environment and our Production MS AD environment, then set up AD Connect for this new Development MS AD to this Development Azure account.
Option Two: Create a new Azure AD user in the Development Azure environment, but during creation you can specify it as an external user from our Production Azure AD environment that is syncing to our MS AD environment.
Am I on the right track? Any better suggestions or options I am missing other than migrating or merging the two Azure accounts?
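For reference, here is what Option Two looks like when scripted: an Azure AD B2B guest invitation from the Development tenant, followed by a role assignment scoped to a single resource group and a check of what the guest actually holds. This is an added example, not code from the original post; the tenant ID, user e-mail address, subscription and resource group name are placeholders, and it assumes the Microsoft.Graph and Az PowerShell modules are installed.

```powershell
# Added example (not from the original post): invite a user from the Production
# Azure AD tenant as a B2B guest into the Development tenant and grant them a
# least-privilege role on one resource group only. Tenant ID, user e-mail,
# and resource group name below are placeholders.

# --- sign in to the Development tenant (Graph for the invitation, Az for RBAC) ---
$devTenantId = "<DEVELOPMENT-TENANT-ID>"   # placeholder
Connect-MgGraph -TenantId $devTenantId -Scopes "User.Invite.All","User.Read.All"
Connect-AzAccount -TenantId $devTenantId

# --- 1. Invite the production user as a guest ---
# Placeholder: the UPN the user already has in the Production tenant (synced from MS AD)
$prodUserEmail = "jane.doe@prod.example.com"
$invite = New-MgInvitation `
    -InvitedUserEmailAddress $prodUserEmail `
    -InviteRedirectUrl "https://portal.azure.com" `
    -SendInvitationMessage:$true

# The invitation creates a guest object in the Development tenant immediately;
# its UPN contains #EXT# and its UserType is "Guest".
$guest = Get-MgUser -UserId $invite.InvitedUser.Id
Write-Host "Guest object: $($guest.UserPrincipalName) (userType=$($guest.UserType))"

# --- 2. Scope access: Reader on one resource group, not Owner on the subscription ---
$rgName = "rg-dev-app01"   # placeholder
New-AzRoleAssignment `
    -ObjectId $guest.Id `
    -RoleDefinitionName "Reader" `
    -ResourceGroupName $rgName

# --- 3. Verify: list every assignment the guest holds so nothing broader slipped in ---
Get-AzRoleAssignment -ObjectId $guest.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Two practical points follow from this. The role assignment can fail with a "principal not found" error if it runs within a few seconds of the invitation, because the new guest object has not yet replicated; retrying after a short delay resolves it. More importantly, the guest object lives in the Development tenant and is not managed by AD Connect, so disabling the account in the on-premises MS AD does not remove the guest or its role assignments in the Development tenant; a periodic review of guests (for example `Get-MgUser -Filter "userType eq 'Guest'"`) or an Azure AD access review is needed to catch leavers.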