Two Azure accounts, One AD to rule them all

MikeKeller 26 Reputation points
2020-06-03T13:39:03.633+00:00

Think I already know the answer to this. But looking at all possibilities.

We have a Production MS AD environment where we have AD Connect set up and configured to work with Azure AD in what we consider our Production Azure environment.

Along comes our application department, signs up for an Azure account, we'll call this the Development Azure environment, user uses their own credit card info to get it started. Builds out a few things in this Azure account, aaaaand now a few of those things are considered a production resource. That's great (sarcastically). Ghost IT to the max!

Now the Applications department realizes that users in our Production AD domain cannot log into or access resources in this Development Azure environment and you guessed it, now wants to allow users in our production AD to access these resources in the Development Azure environment.

From what I have found so far connecting 2 Azure accounts running their own individual Azure ADs back to a single MS AD is NOT supported.

The only 2 supported options I have found are:

Option One: Setup a new MS AD environment, create a trust between this new Development MS AD environment and our Production MS AD environment, then setup AD Connect for this new Development MS AD to this Development Azure account.

Option Two: Create a new Azure AD user in the Development Azure environment, but during creation you can specify it as an external user from our Production Azure AD environment that is syncing to our MS AD environment.

Am I on the right track? Any better suggestions or options I am missing other than migrating or merging the two Azure accounts?

Thanks!
Mike


Accepted answer
  1. Marilee Turscak-MSFT 34,061 Reputation points Microsoft Employee
    2020-06-19T18:01:45.267+00:00

    I'm so sorry for the late reply on this. But yes, you are on the right track! Based on your scenario, external users sound like a good way to handle this. If you want users from one tenant to be able to access resources in the other tenant, you can just make those users guest users in the other tenant.

    I would check out the guides on multi-tenant applications.

    https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-directory-independence

    https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

    The trust option that you mentioned would also work.

    [Image: multi-forest scenario diagram] See multiple forests, one Azure AD Tenant in supported topologies.

    Another option is to migrate tenants but that's a lot more involved and seems unnecessary in your case.

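The guest-user route that the question's Option Two describes and the accepted answer recommends is, in practice, a Microsoft Graph invitation: `POST https://graph.microsoft.com/v1.0/invitations` creates the external (guest) user object in the Development tenant. The script below is an added example, not code from the question, the answer, or Microsoft; it builds the invitation bodies and refuses any address outside an allow-list of the Production tenant's domains, so the Development tenant only ever accumulates guests from the directory that was meant to have access. The domain `prod.example.com`, the redirect URL and the token are placeholders; `User.Invite.All` is the Graph permission the invitation endpoint requires.

```python
"""Invite Production-tenant users into the Development tenant as B2B guests.

Added example (not from the original question or answer). Uses the Microsoft
Graph invitation manager, POST /v1.0/invitations, which is how "external" or
guest users are created in a tenant. Domains, URLs and the token are placeholders.
"""
import json
import urllib.request
from typing import Iterable

GRAPH_INVITATIONS = "https://graph.microsoft.com/v1.0/invitations"

# Placeholder: verified domains of the Production tenant (not from the page).
# Restricting invitations to these keeps the Development tenant from filling
# up with guests from arbitrary outside directories.
ALLOWED_GUEST_DOMAINS = {"prod.example.com"}


def build_invitation(email: str, redirect_url: str,
                     allowed_domains: Iterable[str] = ALLOWED_GUEST_DOMAINS) -> dict:
    """Return a Graph invitation body for one guest, or raise ValueError if the
    address is not in an allow-listed domain."""
    local, _, domain = email.rpartition("@")
    allowed = {d.lower() for d in allowed_domains}
    if not local or domain.lower() not in allowed:
        raise ValueError(f"refusing to invite {email!r}: domain not allow-listed")
    return {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        # Guest is the default; stating it explicitly documents the intent
        # (the alternative value, Member, grants far broader directory access).
        "invitedUserType": "Guest",
        # Let the inviting team own the communication instead of Graph e-mail.
        "sendInvitationMessage": False,
    }


def plan_invitations(emails: Iterable[str], redirect_url: str) -> tuple[list[dict], list[str]]:
    """Split candidate addresses into invitation bodies and rejected addresses,
    so the rejects can be reviewed before anything is sent."""
    bodies, rejected = [], []
    for email in emails:
        try:
            bodies.append(build_invitation(email, redirect_url))
        except ValueError:
            rejected.append(email)
    return bodies, rejected


def send_invitation(body: dict, access_token: str) -> dict:
    """POST one invitation to Graph. Needs a token for the Development tenant
    carrying User.Invite.All. Not called by the offline demo below."""
    req = urllib.request.Request(
        GRAPH_INVITATIONS,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample input: two Production users and one stray outside address.
    candidates = ["alice@prod.example.com", "bob@prod.example.com", "someone@outside.example"]
    bodies, rejected = plan_invitations(candidates, "https://myapps.microsoft.com")
    print(json.dumps(bodies, indent=2))
    print("rejected:", rejected)
```

Run offline it only prints the planned bodies and the rejected list; wiring `send_invitation` to a real token is the one step that touches the tenant, and keeping it separate from the planning step is what lets the reject list be reviewed first.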

1 additional answer

  1. MikeKeller 26 Reputation points
    2020-06-19T19:27:06.763+00:00

    Awesome thanks Marilee!
