Keeping both On Premise and Azure AD and make Azure as primary source for IDM and segregating current on premise domain into 3 domains in Azure AD

Manjunatha Gowda 1 Reputation point
2022-07-12T10:43:38.343+00:00

We have a single domain with one forest on premises and are syncing the objects to M365/Azure using AAD Connect.
Now we need to design a new environment where we need to:

  1. Keep on premise AD intact for serving all non M365 AD requests
  2. Current on premise is syncing to Azure with AAD connect
  3. Plan is to have 3 or 4 different domains/forests in the Azure cloud (without making any changes to on premise, is it possible?)
  4. OR even if on premise needs to be modified, what are the steps to be followed
  5. End goal is to have 3 or 4 different domains for ease of management and data segregation in Azure AD

2 answers

  1. Alfredo Revilla (Ex-MSFT) 26,756 Reputation points
    2022-07-14T03:28:38.317+00:00

    Hello @Manjunatha Gowda, you can sync one on-premises Active Directory to multiple Azure AD tenants. By default, all users, groups and contacts will be synced to all tenants, but you can customize rules per tenant since you will need 1 AADConnect Server per tenant. No immediate changes to the on-premises directory are required. For more information about requirements and conditions, please take a look at Sync AD objects to multiple Azure AD tenants.

    Let us know if this answer was helpful to you or if you need additional assistance! If it was helpful, please accept it and complete the quality survey so it helps other community users facing similar issues.

    2 people found this answer helpful.

  2. Zacharie TOUAMA 1 Reputation point
    2022-07-13T07:56:35.43+00:00

    Hello @Manjunatha Gowda

    Do you need a trust relationship between all these domains?

    First, you have to know that Azure Active Directory ADDS (managed service) can only be replicated from your Azure AD without writeback, and Azure AD can only be replicated from your on-prem AD, but here you can write back some information like password hash, group and device (registered from Azure AD).

    So, if you want to create multiple domains, you can use VMs in Azure, connect them to each other and create your trust relationships; I think it's the better way in your case. It's also possible to make a B2B relation between your Azure tenants if you need.

    For your on prem AD, no modification is necessary, but you have to create a VPN between on prem and Azure VM network.