Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,451 questions
Single forest two Azure tenants. Commercial GCC high
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 82%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Skip Hofmann
341
Reputation points
We are about to setup an Azure GCC high tenant. We are in the initial stages of discussion around what is the best identity method to use? Currently we have one Active Directory forest. We sync objects from onprem to Azure Commercial, and we use ADFS for federation with the Azure commercial tenant. Devices in commercial tenant are either hybrid azure joined or azure ad joined. I know devices can only be a member of one Azure tenant, so my question is what is the best course of action regarding syncing users to the GCC high tenant? Should i stand up a new AD forest, migrate users from commercial forest to GCC high forest and then sync to Azure GCC high? or for the users that need to sync to GCC high should i disjoin there device from commercial, change the upn for these users , so they sync to GCC high azure? I want to try and avoid setting up an additional forest for this, but i'm trying to understand how this can work using one AD forest? I know i can do create transformation rules in Azure AD connect, that will rewrite the users upn so it can sync to GCC high tenant, but the users device is still joined to Azure commercial. So i'm trying to wrap my head around the best course of action here
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shashi Shailaj 7,581 Reputation points Microsoft Employee2022-01-21T17:00:19.15+00:00 @Skip Hofmann ,
Just wanted to confirm if you are trying to completely move out from azure commercial AAD tenant to Azure GCC high tenant or you are going to have both GCC high as well as azure commercial tenants in which case there will be two different identities for every worker in your company ? Let us know and i can answer accordingly . -
Skip Hofmann 341 Reputation points
2022-01-21T17:14:02.04+00:00 Hello
We are going to have both. Commercial and GCC high. My question is around the best course of action for moving users and groups from Commercial tenant to the GCC high tenant. Is it recommended to standup a new onprem AD forest, and then perform a cross forest migration from the commercial forest to the GCC high forest, or can i stand up another azure ad connect server and sync only the objects that need to be in the GCC high azure tenant ? However if i standup a new azure ad connect server just for GCC high, then for things like SSO and azure hybrid device join to work correctly, I'm assuming i would need to disjoin these devices from the commercial azure tenant, and join the device to the GCC high tenant. Another consideration is the changing the upn for the users that need to be moved to the commercial tenant. I'm trying to wrap my head around the best course of action. If the best course of action is using the same forest , and standing up an additional azure ad connect server for gcc high, then what are the high level steps to make this work in a federated hybrid environment ?
I know standing up another AD forest is going to require a lot of work and planning, and i want to avoid having to do this if i can.
Sign in to comment