Single Forest to Multiple Azure AD Tenant

James Escober 81 Reputation points
2022-05-31T07:48:18.877+00:00

Can a single AD forest be synced to multiple Azure AD tenants using multiple Azure AD Connect servers? One would use Password Hash Synchronization and the other would use federation with AD FS. The AD FS servers have already been established.

Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
    Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator
    2022-05-31T14:22:34.59+00:00

    anonymous user-4796, as far as I understand from your query, you are trying to sync your users from a single forest to multiple Azure AD tenants using multiple Azure AD Connect servers. Yes, this is possible. We have an article which talks about this in detail and I would suggest you go through it. For your reference I am providing some information below. It is important to understand that certain Azure AD capabilities won't work in a single-forest, multiple-Azure-AD-tenant configuration.

    The most important thing in this case would be the custom domains that you are already using as email suffixes in your environment. During sync setup the user UPN will automatically sync to Azure AD, but one public domain can be uniquely verified in only one tenant. For example, if your users have @contoso.com addresses then contoso.com can be verified only once, in one of your Azure AD tenants. So let's say we have two tenants, T1.onmicrosoft.com and T2.onmicrosoft.com, contoso.com is verified in the T1.onmicrosoft.com Azure AD tenant, and we have two Azure AD Connect sync servers set up in our on-premises environment syncing to the two tenants separately. In this case, when a user named user@contoso.com is synced to both tenants, SSO for this user will work in T1.onmicrosoft.com but it won't work in T2.onmicrosoft.com, because the userPrincipalName for the user will be ******@contoso.com in tenant T1 vs ******@T2.onmicrosoft.com in tenant T2, as contoso.com is not a verified domain for the T2.onmicrosoft.com tenant.

    However, if your forest has multiple domains and you use different public domains as email suffixes (internet-routable domains) in each domain, then you may not see this issue. You can sync different domains in the forest to each tenant and achieve SSO as long as you have specific domains associated specifically with a particular tenant. You can define a different sync scope and different sync rules for each tenant.

    Yes, AD FS in one tenant and PHS in another will work without any issue; however, device auth will not work in both scenarios, as explained below. As explained, you can associate a custom domain (say contoso.com) with only one tenant, so if you federate one particular domain within your environment with AD FS, then any user in your on-premises domain using that domain suffix (say contoso.com) will always be redirected to the AD FS site. In this case you need to create sync rules which specifically sync users with the contoso.com domain suffix to the tenant where you enabled AD FS federation.

    So depending upon what your users use for their userPrincipalName, they will accordingly work with either AD FS or PHS. As the on-premises domain is the same, the user needs to be . Technically, anything which depends on device auth will only work for the tenant which has the SCP registered, as explained earlier. You may be able to run this environment technically, but supportability will depend upon the setup. Not all scenarios will be supported. As long as you are using different custom domains in different tenants, you should be able to implement PHS and AD FS. But device-based Conditional Access policies will only work in the tenant where you have device registration enabled. It won't work for both scenarios.

    Multiple sign-in methods are defined on a per-tenant basis. So in this case also, a single tenant uses only one sign-in method at a time, but you can enable PHS on the tenant where you federate with AD FS for failover scenarios. When considering the on-premises environment, supportability will be restricted to only those scenarios which align with technical feasibility. Device auth and Conditional Access based on device compliance etc. are scenarios which will only work in one tenant, and those are the ones I can think of off the top of my head. There may be more such scenarios, but at this point I can only think of these two. Device-based auth is explained in more detail as follows.

    For devices, you cannot do a hybrid Azure AD join to both tenants. As the service connection point (SCP) is created in Active Directory for one tenant, a device can be joined to only one tenant at a time. Multiple hybrid scenarios do not work in the case of a single forest with multiple tenants. Certain Azure AD features are specific to the tenant. Scenarios like device writeback, group writeback, Seamless SSO etc. do not work. You can deploy hybrid Azure AD join in a targeted way for specific devices by removing the SCP entries within the on-premises AD and adding individual machine-level settings instead. Please go through the linked articles for more information.

    Only one Azure AD tenant sync can be configured to write back to Active Directory for the same object. This includes device and group writeback as well as Hybrid Exchange configurations – these features can only be configured in one tenant. The only exception here is Password Writeback. It is supported to configure Password Hash Sync from Active Directory to multiple Azure AD tenants for the same user object. If Password Hash Sync is enabled for a tenant, then Password Writeback may be enabled as well, and this can be done on multiple tenants: if the password is changed on one tenant, then password writeback will update it in Active Directory, and Password Hash Sync will update the password in the other tenants.

    Hope the information helps you in your deployment. I would strongly suggest going through the articles, as they will provide you more details about this scenario and help improve your understanding of the subject. Should you have any further queries, do let us know and we will be happy to help you further. In case the answer is helpful, please do accept the post as the answer so that its relevancy is improved and it can help other members searching for similar queries.

    Thank you.

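The UPN-suffix logic the accepted answer walks through, as an added example that is not part of the thread: it models two tenants fed by two Azure AD Connect servers, checks that no custom domain is claimed by more than one tenant, shows the UPN a user ends up with in a tenant that has not verified their suffix (falling back to the tenant's initial .onmicrosoft.com domain, which is where SSO breaks), and plans which sync server should scope each user by suffix, with AD FS or PHS following the domain's federation state. Tenant names, domains and users are constructed sample values.

```python
from dataclasses import dataclass, field

DEFAULT_SUFFIX = "onmicrosoft.com"  # every tenant's initial domain suffix


@dataclass
class Tenant:
    name: str                                  # "T1" -> T1.onmicrosoft.com
    verified: set = field(default_factory=set)   # custom domains verified here
    federated: set = field(default_factory=set)  # verified domains federated to AD FS

    @property
    def initial_domain(self) -> str:
        return f"{self.name}.{DEFAULT_SUFFIX}"


def check_verifications(tenants):
    """A public domain can be verified in only one tenant; return any domain
    claimed by two or more tenants, mapped to the tenant names that claim it."""
    owners, conflicts = {}, {}
    for t in tenants:
        for domain in t.verified:
            if domain in owners:
                conflicts.setdefault(domain, [owners[domain]]).append(t.name)
            else:
                owners[domain] = t.name
    return conflicts


def cloud_upn(upn, tenant):
    """UPN the synced user gets in this tenant and whether SSO keeps working.
    An unverified suffix is replaced by the tenant's initial domain."""
    local, suffix = upn.rsplit("@", 1)
    if suffix in tenant.verified:
        return upn, True
    return f"{local}@{tenant.initial_domain}", False


def plan_scopes(users, tenants):
    """Assign each user to the sync server of the tenant that verified their
    suffix, with the sign-in method that domain uses; unroutable users are
    returned separately so they can be excluded from both servers' scopes."""
    plan, unrouted = {t.name: [] for t in tenants}, []
    for upn in users:
        suffix = upn.rsplit("@", 1)[1]
        owner = next((t for t in tenants if suffix in t.verified), None)
        if owner is None:
            unrouted.append(upn)
            continue
        method = "ADFS" if suffix in owner.federated else "PHS"
        plan[owner.name].append((upn, method))
    return plan, unrouted


# Constructed sample: contoso.com verified and federated in T1, fabrikam.com in T2.
TENANTS = [Tenant("T1", {"contoso.com"}, {"contoso.com"}), Tenant("T2", {"fabrikam.com"})]
USERS = ["alice@contoso.com", "bob@fabrikam.com", "carol@corp.local"]
```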
