Creating separate Azure AD domain to separate Guest users from the main Azure AD domain?

EnterpriseArchitect 4,761 Reputation points
2022-03-30T00:52:47.047+00:00

Hi All,

I wonder if anyone here can give some clarification about creating a subdomain in Azure AD.

I need to create an Azure AD subdomain (Partner.Domain.com or Partner.domain.onmicrosoft.com) under my parent Azure AD tenant.
Domain.com is synced from the on-premises AD DS, which I do not want to import or invite the guest users into.

The total number of users/guests is 3000+.
The users will be invited via their personal emails: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite#understand-the-csv-template
Granted the login: First.LastName@keyman .com (F1 License is assigned - https://www.microsoft.com/en-us/microsoft-365/enterprise/f1)

Restrictions enforced:
2FA/MFA login
Those users cannot contact anyone directly using Teams or email, apart from the specific address book entries that I will publish.
Those users can receive emails from anyone inbound and can send emails outbound.

Will that be a possible scenario using the separate Azure AD domain like https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant?

Thank you in advance.

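Added example (not part of the original question or answer): the invitation and MFA parts of the scenario above, done against a single tenant with the Microsoft Graph PowerShell SDK. It invites each partner as a B2B guest, collects the guests in a dedicated security group, and creates a Conditional Access policy that requires MFA for every B2B collaboration guest. The CSV content, group name, redirect URL and policy name are constructed for the example; the Teams/email contact restrictions from the question are not covered here.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module
# and an admin session opened with:
#   Connect-MgGraph -Scopes 'User.Invite.All','Group.ReadWrite.All','Policy.ReadWrite.ConditionalAccess'

# Constructed sample input (not the bulk-invite CSV template): one partner per line.
$partners = @'
email,displayName
alice@example.com,Alice Example
bob@example.net,Bob Example
'@ | ConvertFrom-Csv

# Security group that scopes what partners are allowed to see; created once.
$group = New-MgGroup -DisplayName 'Partner Guests' -MailNickname 'partnerguests' `
    -MailEnabled:$false -SecurityEnabled

foreach ($p in $partners) {
    # Creates the guest object (UserType = Guest) and mails the redemption link.
    $inv = New-MgInvitation -InvitedUserEmailAddress $p.email `
        -InvitedUserDisplayName $p.displayName `
        -InviteRedirectUrl 'https://myapps.microsoft.com' `
        -SendInvitationMessage:$true
    # The guest object exists before redemption, so it can be grouped right away.
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $inv.InvitedUser.Id
}

# Conditional Access: all B2B collaboration guests, all cloud apps, grant only with MFA.
# Created in report-only mode first; switch state to 'enabled' after reviewing sign-in logs.
$policy = @{
    displayName = 'Guests: require MFA'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications = @{ includeApplications = @('All') }
        users        = @{
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'b2bCollaborationGuest'
                externalTenants          = @{ membershipKind = 'all' }
            }
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Guests invited this way remain objects in the same tenant as the synced Domain.com users; what separates them is the Guest user type, group membership and Conditional Access scope, not a second directory.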

1 answer

  1. Limitless Technology 39,371 Reputation points
    2022-04-06T01:32:02.63+00:00

    Hi @EnterpriseArchitect

    You can delegate an Azure DNS subdomain instead of creating a separate Azure AD domain to separate guest users.

    You can use the Azure portal to delegate a DNS subdomain. For example, if you own the contoso.com domain, you may delegate a subdomain called engineering to another separate zone that you can administer separately from the contoso.com zone.

    Here is a link for a detailed description of the process that you must follow.
    Delegate an Azure DNS subdomain
    https://learn.microsoft.com/en-us/azure/dns/delegate-subdomain

    Federating multiple, top-level domains with Azure AD requires some additional configuration that is not required when federating with one top-level domain. When a domain is federated with Azure AD, several properties are set on the domain in Azure.

    Properties of an Azure Active Directory B2B collaboration user
    https://learn.microsoft.com/en-us/azure/active-directory/external-identities/user-properties

    Hope this resolves your query!

    --------------

    --If the reply is helpful, please Upvote and Accept it as an answer–

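Added example (not part of the answer above): the subdomain delegation the answer describes, done with the Az.Dns PowerShell module instead of the portal. Zone names, resource group and TTL are assumptions. Note what this does and does not do: it creates a child DNS zone and publishes NS records for it in the parent zone, so DNS for the subdomain can be administered separately. It does not create or partition an Azure AD tenant; guests invited to the tenant still live alongside the synced users.

```powershell
# Added example, not from the original answer. Assumes the Az.Dns module, a
# signed-in session (Connect-AzAccount), and an existing parent zone
# contoso.com in resource group 'rg-dns'.
$rg     = 'rg-dns'
$parent = 'contoso.com'
$child  = 'engineering.contoso.com'

# 1. Create the child zone; Azure assigns it four authoritative name servers.
$childZone = New-AzDnsZone -Name $child -ResourceGroupName $rg

# 2. Turn each assigned name server into an NS record for the parent zone.
$nsRecords = $childZone.NameServers | ForEach-Object {
    New-AzDnsRecordConfig -Nsdname $_
}

# 3. Publish the NS record set under the 'engineering' label of the parent.
#    This is the delegation: resolvers following the parent are sent to the child.
New-AzDnsRecordSet -Name 'engineering' -RecordType NS -ZoneName $parent `
    -ResourceGroupName $rg -Ttl 3600 -DnsRecords $nsRecords

# 4. Verify: the parent's name server must hand out the child's NS set, and the
#    child's name server must answer for its own SOA.
$parentNs = (Get-AzDnsZone -Name $parent -ResourceGroupName $rg).NameServers[0]
Resolve-DnsName -Name $child -Type NS  -Server $parentNs
Resolve-DnsName -Name $child -Type SOA -Server $childZone.NameServers[0]
```

If the parent zone is hosted outside Azure DNS, step 3 is performed at that DNS provider with the same four name server names; the child zone in Azure is unchanged.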