Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Azure Active Directory
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 42%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3END%3C/text%3E%3C/svg%3E)
Nick Diaz
286
Reputation points
The scenario is that we need to have 2 different Azure accounts (assume account A and B) but the Azure Active Directory is to be hosted on account A. Now, can I provide RBAC roles on my services in account B based on AD from account A? Or do I need to have the users synced into my AD in account B as well before my services can be used by users from account A?
When Account B is migrated to A, both accounts have different domains – will that work the same way as separate accounts?
So managing the user logins from account B will be the same?
And what if we establish peering between the AD accounts and wanted to manage the users login profiles via AD of account A – although tenant is same but AD accounts are different, will this is be possible without syncing the users from B to A.
Impact on network configuration – per my understanding VNET peering gets dropped in migration and do we need to recreate it?
Thanks for the help.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shashi Shailaj 7,651 Reputation points Microsoft Employee Moderator2021-08-30T18:05:52.453+00:00 When you say account , do you mean azure subscriptions ? If you mean azure subscriptions then you have two subscriptions and one azure AD tenant . A subscription is a unit where you can create azure resources like Virtual machine , SQL Db etc. An azure AD tenant can be associated with multiple azure subscriptions. So in your case . You can have both your account A and account B associated with same Azure AD which is holding all your users.
In the second section , I am assuming you mean email domains. Even if the users have different email domains both the domains can be added to the azure Active directory instance and users can be assigned licenses accordingly . The email migration may require a little downtime. They will work as separate account and will be managed from within same directory .
For VNet peering , I would suggest you to go through https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions. Also both users from A and Users from need to be synced to same active directory first and subscriptions need to be associated with this active directory .
What you have described, probably seems to be a complex migration project. I would highly recommend to get a Azure Identity+Infra consultant who can help you through this one.
I hope I understood your issue correctly . If I did not understand it correctly , please do let me know and I will be happy to help you further.
Thank you.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 68%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
Vineet Kumar Gupta 161 Reputation points2022-04-13T09:43:36.417+00:00 When Account B is migrated to A, both accounts have different domains – will that work the same way as separate accounts . if you have same azure tenant it will be one account only means what ever will be domain user you are migrating it will be only one azure account name .
So managing the user logins from account B will be the same? Yes
And what if we establish peering between the AD accounts and wanted to manage the users login profiles via AD of account A – although tenant is same but AD accounts are different, will this is be possible without syncing the users from B to A.--- No impacts on this
Impact on network configuration – per my understanding VNET peering gets dropped in migration and do we need to recreate it? .No Not required
Sign in to comment
Sign in to answer