Looking for the best solution to integrate Azure AD with on-prem and other subsidiaries to share Teams, calendar, SharePoint Online.

BN04

We have our AD domain in Azure, for example as abc.com, with on-prem as abc.local, and we want to connect for single sign-on. We are also looking for a solution to connect other subsidiaries, for example def.com, xyz.com etc., to share Teams, calendar and SharePoint with single sign-on.


Accepted answer
Shashi Shailaj, Microsoft Employee

    Hello @BN04 ,

    You can surely integrate Azure AD with on-prem for single sign-on. You would need to use a federated identity provider like ADFS for the same. You can use the following steps to decide initial onboarding.

    • As you mention that you have already added abc.com to your Azure AD tenant when you say that you have your domain already in Azure, I will go with the assumption that you have already created an Office 365/Azure AD tenant.
    • There are two important parts to get onboarded to Office 365 and use single sign-on:
      • Setting up online identities by syncing to the Azure AD/Office 365 tenant.
      • Setting up a federated identity provider.
    • In order to use Office 365 services like SharePoint and enable collaboration, we will first need to set up Azure AD Connect to sync the on-premises identities (users/devices) to the cloud. You should start with the Azure AD Connect installation prerequisites.
    • You can also set up cloud provisioning for synchronizing the users to Azure AD if your environment does not have any complex sync rule (custom filtering) requirements.
    • Once we have identities synced using Azure AD Connect, you can decide on the type of authentication you would want to use. You can decide on using either Password Hash Sync authentication (requires a federation service like ADFS etc.) or Pass-through Authentication (which requires setting up PTA agents in your on-premises environment).
    • This can be configured through the Azure AD Connect server itself by running the Azure AD Connect configuration wizard.
    • After you have federation / Pass-through Authentication set up, any application single sign-on will work without an issue.

    Coming back to your second query about a solution for connecting other subsidiaries, you can use the B2B feature within Azure AD to enable access. I would encourage you to go through the Office 365 inter-tenant collaboration article to understand more about the capabilities that you will get using the Office 365/Azure AD service. You can always manage external access in Microsoft Teams and SharePoint. This is a broad topic, and collaboration is certainly possible and depends on your requirements, hence I will not elaborate on this. The linked articles will help you understand how to do the same.

    Collaboration also depends on how things are set up on your end, and in your case how you would like to set it up. Do all the subsidiaries want to keep their respective Azure AD tenants separate, or are the users in them part of the same on-prem Active Directory (just with different UPN suffixes for different email addresses) and would they want to continue the same and be in the same tenant, or does every subsidiary have its own IT team and would like to keep everything separate? Most companies keep one single tenant and segregate their users by specific UPN suffixes (like user1@jaswant.com, user2@xyz.com). This simplifies collaboration amongst users and requires fewer customizations in the IT infrastructure. However, startups keep separate Azure AD tenants for separate entities, mainly because they sometimes think that if a business unit is not working they could sell that off, and at the time of selling it is easy to siphon off an individual tenant and sell it off with the least IT customizations. So it actually depends on the businesses and how they would like to set up their subsidiaries on Azure AD.

    I have attached a Cloud Identity Infographic which has a lot of information in pictorial format that will help you understand more. Some of the features may require an Azure AD Premium license for your users. I believe this might be a lot of information if you are starting out to sync your identities to the cloud; however, if you are totally new to Azure AD single sign-on, I would suggest engaging an O365 / Azure AD consultant to help you with the same. The easiest way will be to set up a small test domain on-prem and a test tenant in Azure AD and try these things before implementing in production.

    I have included a lot of links in my answer and I would suggest you go through them. In case the information provided here helps, please do accept it as the answer.

    Thank you.

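A pre-sync readiness check for the abc.local / abc.com scenario discussed above, added here as an example and not code from the thread or from Microsoft: before installing Azure AD Connect it verifies that the tenant's verified domains are registered as UPN suffixes in the forest, lists enabled users whose UPN suffix is not a verified domain (those would sync with a rewritten onmicrosoft.com UPN and not sign in as expected), and proposes a fix derived from the mail attribute. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation; the domain names are the question's examples and the one-tenant, several-UPN-suffix layout is the assumption.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original Q&A. Readiness check before the first
# Azure AD Connect sync for an abc.local forest whose tenant has abc.com, def.com
# and xyz.com verified (example names from the thread).

# Domains verified in the Azure AD / Entra tenant (assumption: one tenant, several UPN suffixes).
$VerifiedSuffixes = @('abc.com', 'def.com', 'xyz.com')

function Get-MissingForestUpnSuffixes {
    # A user can only carry a verified-domain UPN if that suffix is registered
    # as an alternative UPN suffix in the forest (AD Domains and Trusts).
    param([string[]]$Suffixes)
    $registered = (Get-ADForest).UPNSuffixes
    return @($Suffixes | Where-Object { $registered -notcontains $_ })
}

function Get-NonRoutableUpnUsers {
    # Enabled users whose UPN suffix is not a verified domain (e.g. still @abc.local):
    # after sync their cloud UPN is rewritten to <tenant>.onmicrosoft.com, so SSO with
    # the expected sign-in name fails.
    param([string[]]$Suffixes)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, mail |
        Where-Object {
            $suffix = ($_.UserPrincipalName -split '@')[-1]
            $Suffixes -notcontains $suffix
        } |
        Select-Object SamAccountName, UserPrincipalName, mail
}

function Repair-UpnFromMail {
    # Proposes a UPN equal to the user's primary mail address, but only when that
    # mail domain is a verified suffix. Supports -WhatIf / -Confirm; changes nothing otherwise.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Suffixes)
    foreach ($u in Get-NonRoutableUpnUsers -Suffixes $Suffixes) {
        if (-not $u.mail) { Write-Warning "$($u.SamAccountName): no mail attribute, skipping"; continue }
        $mailDomain = ($u.mail -split '@')[-1]
        if ($Suffixes -notcontains $mailDomain) { Write-Warning "$($u.SamAccountName): mail domain $mailDomain is not verified, skipping"; continue }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN to $($u.mail)")) {
            Set-ADUser -Identity $u.SamAccountName -UserPrincipalName $u.mail
        }
    }
}

# Report first; nothing is changed unless Repair-UpnFromMail is run without -WhatIf.
$missing = Get-MissingForestUpnSuffixes -Suffixes $VerifiedSuffixes
if ($missing) { Write-Warning "Add these UPN suffixes in AD Domains and Trusts first: $($missing -join ', ')" }
Get-NonRoutableUpnUsers -Suffixes $VerifiedSuffixes | Format-Table -AutoSize
Repair-UpnFromMail -Suffixes $VerifiedSuffixes -WhatIf
```

Run the report against the test domain the answer recommends before touching production; the -WhatIf call shows each proposed UPN change without applying it.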
