Azure Active Directory Connect - different on-prem to Azure AD domain names

Luke C 6 Reputation points
2021-09-27T01:00:48.323+00:00

Hi,
We have an on prem AD forest/domain called contoso.com.
Inside contoso.com domain we have an OU called fabrikam. Fabrikam OU contains a bunch of users who work for a company called Fabrikam and have their own domain on the Internet fabrikam.com.

Basically it is a shared domain for two separate companies (not a great idea - I know).

We have registered a M365 tenant as fabrikam.com and have verified the domain using the TXT record - so far so good.

Now I am trying to get the Azure Active Directory Connect software to synchronize the contoso.com \ Fabrikam OU into the Azure AD domain called fabrikam.com.

Is it even possible to have an on prem domain synchronize to an AzureAD domain with a totally different name? I am at the AzureAD sign-in configuration page of the Wizard. In the Active Directory UPN Suffix, I can see contoso.com (on prem domain) and beside that in the Azure AD Domain column I see Not Added as though it is expecting to find a matching AzureAD domain.

If this is achievable, does anyone have any advice or guidance for how to get this to work? I haven't been able to find a lot about this particular situation (probably for good reason: it's a bad idea).

Thank you in advance for any assistance you can provide.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator
    2021-09-28T13:46:11.063+00:00

    @Luke C, from what you have mentioned, I understand that you have used fabrikam.com to set up the M365 tenant. This means that you already have fabrikam.com verified as a domain within the tenant that you have.

    > Is it even possible to have an on-prem domain synchronize to an AzureAD domain with a totally different name?

    Yes, this is very much possible. When you create an Azure AD instance, it always gets created as [tenantName].onmicrosoft.com, which is visible to you during creation, or this step can be skipped depending on how you signed up. You can see this later in the Azure AD portal, where it is listed as the primary domain, or from the Microsoft 365 admin portal, where you can go to Settings > Domains to see the primary domain name for your Azure AD tenant.

    This means you can run multiple different email domains on the same M365 tenant; however, you will face some issues, for example:

    john@contoso.com and john@fabrikam.com both cannot be present within your Azure AD tenant. John here is a username which, if created once, will have a domain identity john@[tenantName].onmicrosoft.com. Now let's say it was synced from on-premises from the Fabrikam OU, so I believe the UPN for this user will be john@fabrikam.com automatically. If you try to create a john@contoso.com it will not allow you to do so.

    > In the Active Directory UPN Suffix, I can see contoso.com (on-prem domain) and beside that in the Azure AD Domain column I see Not Added as though it is expecting to find a matching AzureAD domain.

    You are exactly correct; you see that because you need to have the domain contoso.com verified in Azure AD. You can do that by following the article on how to add and verify a custom domain in Azure AD. If contoso.com is a non-routable domain on the internet and only used internally, then you can ignore that message and go ahead. In this case you will have to provide the email suffix @fabrikam.com for all your users, or [username]@[tenantName].onmicrosoft.com.

    You might already have both contoso.com and fabrikam.com as domain suffixes in your local Active Directory, and the users in the Fabrikam OU may be using an outside email provider with the @fabrikam.com email suffix while users in other OUs may be using @contoso.com as their email suffix. Before you could use the @contoso.com email suffix for other users with this Azure AD, you would need to verify contoso.com in this directory as well. If it is already verified in some other Azure AD tenant, then you will need to remove the domain from there and add it here. Removing a custom domain from an Azure AD tenant is a project in itself and you need to be careful about it. I would suggest you go through the MS Learn module on managing domains.

    So, as you said, it's doable but not a great idea. :) You may find small issues like this here and there in scenarios where you are effectively trying to share an Azure Active Directory between multiple organizations, though it can be done if you are ready to handle a few limitations.

    I hope this answers your queries. If the post is helpful, please accept this as the answer so that it helps other members in the community with similar queries. Please check the linked articles and learning modules; they will help you understand more about adding and removing domains. Should you have any further queries on this, do let me know and I will help you further.

    Thank you.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

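A way to check this before running the wizard, as an added example that is not code from the thread or from Microsoft: a PowerShell audit that lists the UPN suffixes used in the OU you intend to sync, compares them with the domains verified in the target tenant (the same list the wizard shows in its Azure AD Domain column), and reports which users would be provisioned with the tenant's initial .onmicrosoft.com suffix because their on-prem suffix is not verified there. The OU path, the initial domain name, and the use of the ActiveDirectory and Microsoft.Graph modules with the Domain.Read.All scope are assumptions for this example.

```powershell
# Added example (not from the thread): audit on-prem UPN suffixes in an OU against the
# domains verified in the target Azure AD tenant before enabling sync for that OU.
# Assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are installed.
param(
    [string]$SearchBase    = 'OU=Fabrikam,DC=contoso,DC=com',  # placeholder OU path
    [string]$InitialDomain = 'fabrikam.onmicrosoft.com'        # placeholder initial domain
)

Import-Module ActiveDirectory
# Read-only Graph scope is enough to enumerate the tenant's domains.
Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null

# Domains that are verified in the tenant; only these can keep their suffix after sync.
$verifiedDomains = Get-MgDomain |
    Where-Object { $_.IsVerified } |
    ForEach-Object { $_.Id.ToLower() }

# Every user in the OU you plan to sync, with their current on-prem UPN.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName

$report = foreach ($u in $users) {
    if (-not $u.UserPrincipalName) { continue }   # skip objects without a UPN
    $localPart, $suffix = $u.UserPrincipalName -split '@', 2
    $suffix = $suffix.ToLower()
    $isVerified = $verifiedDomains -contains $suffix

    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        OnPremUPN        = $u.UserPrincipalName
        Suffix           = $suffix
        SuffixVerified   = $isVerified
        # An unverified suffix is replaced with the tenant's initial domain at sync time.
        ExpectedCloudUPN = if ($isVerified) { $u.UserPrincipalName } else { "$localPart@$InitialDomain" }
    }
}

# Per-user view, then a summary of how many users each suffix affects.
$report | Format-Table -AutoSize
$report | Group-Object Suffix, SuffixVerified |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it against the tenant you plan to sync the OU into; every row with SuffixVerified set to False is a user who will sign in with an .onmicrosoft.com UPN unless the suffix is verified in that tenant first, or the on-prem UPN is changed to a suffix that is. Because a custom domain can only be verified in one tenant at a time, the summary also tells you which suffixes would need to move between tenants to get the result you want.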

  2. Luke C 6 Reputation points
    2021-09-29T00:41:53.51+00:00

    Thank you so much for taking the time to reply and really providing a lot of detail. I will have a look through this and the links too.

    I will try to explain the situation again because as I re-read what I wrote, I was not clear about all details.

    • There are two companies - Contoso and Fabrikam
    • We have a single on premises domain contoso.com
    • ALL users are username@contoso.com (even users in the Fabrikam OU are username@contoso.com)
    • FYI - Email is On Prem Exchange and accepts email for contoso.com and fabrikam.com addresses
    • Fabrikam.com only exists in public DNS for MX records and Website. There is NO internal Fabrikam.com DNS zone, domain, etc.
    • We have created a tenant in M365 for contoso.com - this will be for Contoso employees AzureAD (mainly Teams)
    • We have added public DNS records to contoso.com to verify ownership of the domain
    • We have created a tenant in M365 for fabrikam.com - this will be for Fabrikam employees AzureAD (mainly Teams)
    • We have added public DNS records to fabrikam.com to verify ownership of the domain
    • We plan to have Azure AD Connect replicate specific OUs of the AD contoso.com domain to the contoso.com tenant Azure AD
    • We plan to have Azure AD Connect replicate specific OUs of the AD contoso.com domain to the fabrikam.com tenant Azure AD

    So publicly, contoso.com and fabrikam.com are separate DNS domains, but internally (AD/DNS) they are a single domain, contoso.com.
    If I add contoso.com as a secondary domain to the fabrikam.com Azure AD tenant, I assume there will be a conflict of some sort (a single domain owned by multiple tenants).

    I will re-read your reply and follow the links, but if the above information explains what I am trying to do a little more clearly - I would appreciate any other thoughts you might have on it.

    Once again, thank you for your time and reply.
