0 Votes
Dev11 asked ahelland commented

Syncing multiple AD domains to a single Azure AD?

Hello,

If I integrate with the Azure AD using the Password Hash Sync model, is it possible to run a separate instance of the Sync tool on each customer’s domain? Basically, I would like to allow company A and company B to use my app, provided that they install the Sync tool on their domains.

Thank you!

azure-active-directory

4 Votes
amanpreetsingh-msft answered

@Dev1-4239 Having more than one Azure AD Connect sync server connected to a single Azure AD tenant is not supported. Refer to multiple-forests-multiple-sync-servers-to-one-azure-ad-tenant for more details.


Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.



0 Votes
OlegK-5458 answered amanpreetsingh-msft commented

Yes, this would help in your case.

0 Votes 0 ·
0 Votes
ahelland answered ahelland commented

As stated above it is possible to sync multiple domains to a single AAD tenant, but when your use case is providing an app to multiple customers I'm struggling to see the architecture you're planning.

Is this single AAD tenant one owned/controlled by you, and the customers are non-related separate entities? If so it's a terrible idea to sync them into a common AAD. If "customers" are different companies in the same corporate structure it's something else.

The generic "offer a SaaS app to multiple customers" setup would usually be:
- SaaS provider has an AAD tenant
- Each customer has an AAD tenant
- SaaS provider creates a multi-tenant app and lets users sign in based on other AAD tenants.



@ahelland It’s not you, it’s my lack of understanding about how AAD works.

Can you expand a bit more about the “SaaS app to multiple customers” option?

“- SaaS provider has an AAD tenant”  so I create an AAD in my subscription. Check

“- Each customer has an AAD tenant”  on their own Azure subscription, separately from my own subscription? Would they be using the AD Sync Tool and setup AD sync to Azure in their environment? I’m not clear on this.

“- SaaS provider creates a multi-tenant app and lets users sign in based on other AAD tenants.” -> I can search documentation on how to create a multi-tenant app. When users sign in based on their AAD, is it possible to retrieve AD groups for them as part of the authentication?

0 Votes 0 ·

Well, AAD does take more than five minutes to learn that's true :)

Each customer would sign up for an AAD tenant if they don't already have one. If you have an Azure subscription you will have Azure AD, but it's also possible to create an AAD tenant without a sub. (Basic SSO features are free.)

It is up to the customer if they want to sync an on-prem AD with AAD Connect or just have "pure cloud". For the sake of developing a SaaS app with AAD integration it doesn't matter; whether or not the users are synced, the details of logging in are taken care of. You just point to the right AAD endpoint.

When registering a multi-tenant app you specify which permissions it needs in the customer tenants, and the admin of the customer will need to consent to directory-level permissions (things like groups), whereas the user consents to things you might do on their behalf (sending mail and the like).

It's recommended to check specific groups rather than pull down all groups to avoid "token bloat".

0 Votes 0 ·

Very helpful. Thank you!

How/when does the admin of the customer know to consent to permissions?

0 Votes 0 ·
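To make the "multi-tenant app" advice above concrete, here is an added example that is not part of the thread and not code from Microsoft's libraries. It shows the three things a SaaS app has to do once customers bring their own AAD tenants: build the link that sends a customer's admin to the v2.0 admin-consent endpoint, verify that a signed-in user comes from a tenant the app has actually onboarded (a multi-tenant registration accepts sign-ins from any tenant, so the app must enforce its own allow-list), and check only the specific groups it cares about rather than the user's whole group list. The client ID, tenant IDs, group IDs and the sample claims are placeholder values constructed for the example; the claims are assumed to come from a token whose signature your JWT library has already verified.

```python
import time
from urllib.parse import urlencode

AUTHORITY_HOST = "https://login.microsoftonline.com"

# Placeholder app registration ID (constructed for this example).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"

# Customer tenants that have onboarded to the SaaS app. A multi-tenant app
# registration lets *any* Azure AD tenant sign in; the app must decide which
# tenants it actually serves, or a stranger's tenant gets a session.
ONBOARDED_TENANTS = {
    "aaaaaaaa-0000-0000-0000-000000000001": "Company A",
    "aaaaaaaa-0000-0000-0000-000000000002": "Company B",
}

# Per-tenant group object IDs the app checks (the "specific groups" from the
# thread), so the app never depends on the user's full group list.
REQUIRED_GROUPS = {
    "aaaaaaaa-0000-0000-0000-000000000001": {
        "bbbbbbbb-0000-0000-0000-00000000000a",  # Company A: app admins
        "bbbbbbbb-0000-0000-0000-00000000000b",  # Company A: app users
    },
    "aaaaaaaa-0000-0000-0000-000000000002": {
        "cccccccc-0000-0000-0000-00000000000a",  # Company B: app users
    },
}


def admin_consent_url(client_id, redirect_uri, state, scope, tenant="organizations"):
    """Link that sends a customer's admin to the v2.0 admin-consent endpoint.

    `tenant` may be the customer's tenant ID, or "organizations" when it is
    not known yet. `state` should be an unguessable per-request value that
    the redirect handler checks, so a forged callback cannot mark a tenant
    as consented.
    """
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": scope,
    })
    return f"{AUTHORITY_HOST}/{tenant}/v2.0/adminconsent?{query}"


def validate_multitenant_claims(claims, client_id=CLIENT_ID,
                                onboarded=ONBOARDED_TENANTS, now=None):
    """Checks a multi-tenant app must make after signature validation.

    Returns (True, tenant_id) on success, otherwise (False, reason). Only
    v2.0 tokens are handled; their issuer is
    https://login.microsoftonline.com/{tid}/v2.0, so the issuer is derived
    from the tenant in the token and compared, not matched with a wildcard.
    """
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if tid not in onboarded:
        return False, f"tenant {tid!r} is not onboarded"
    if claims.get("iss") != f"{AUTHORITY_HOST}/{tid}/v2.0":
        return False, "issuer does not match the tenant in the token"
    if claims.get("aud") != client_id:
        return False, "token was not issued for this app"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, tid


def matching_groups(claims, required=REQUIRED_GROUPS):
    """Intersect the token's groups with the ones this app cares about.

    Returns None when Azure AD omitted the groups claim because the user is
    in too many groups (the overage case behind the token-bloat remark):
    v2.0 tokens signal it with `hasgroups: true`, v1.0 tokens with a
    `_claim_names` entry for `groups`. The caller must then ask Microsoft
    Graph about the specific groups instead of trusting the token.
    """
    tid = claims.get("tid")
    wanted = required.get(tid, set())
    if claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
        return None
    return set(claims.get("groups", [])) & wanted


if __name__ == "__main__":
    # Constructed claims for a Company A user (not a real token).
    sample = {
        "iss": f"{AUTHORITY_HOST}/aaaaaaaa-0000-0000-0000-000000000001/v2.0",
        "tid": "aaaaaaaa-0000-0000-0000-000000000001",
        "aud": CLIENT_ID,
        "exp": 4102444800,
        "groups": ["bbbbbbbb-0000-0000-0000-00000000000b",
                   "dddddddd-0000-0000-0000-0000000000ff"],
    }
    print(validate_multitenant_claims(sample))
    print(matching_groups(sample))
    print(admin_consent_url(CLIENT_ID, "https://app.example/consent",
                            "per-request-state", "https://graph.microsoft.com/.default"))
```

Operationally this answers the "how/when does the admin know to consent" question in the thread: the SaaS provider hands the admin-consent link to the customer's admin during onboarding, records the tenant ID returned on the redirect only after the `state` check passes, and only then adds that tenant to the allow-list the sign-in validation consults.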