Multi Azure tenant question

Posted on 2016-11-08
Last Modified: 2016-11-14
Here's a scenario we are facing- this involves a single forest/domain;

Our developers are using Azure to create and test a range of test servers in preparation of a large upgrade. This is managed solely by the development team themselves with relevant Azure AD accounts created as needed (eg

I am heading up a project to prepare for a move to Office 365. We have gone through a pilot test (Initial accounts and I have now set up AD directory sync through ADconnect for SSO.

My question is, at the point where development is pushed out to users for testing I can see our development team requesting that that SSO be configured, and in general it makes sense to have all Azure resources under one tenant.

Has anyone gone through this? Is it possible to either merge tenant accounts or have ADconnect sync a single domain to multiple tenants?

Just looking for options - thanks in advance.
Question by:agradmin
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 37

Expert Comment

ID: 41879897
Azure Ad connect alone will not provide you SSO

You also need to deploy Adfs server farm to achieve SSO so that authentication requests would be fulfilled by on premise AD servers via Adfs

You may put multiple Azure Ad connect servers in single AD domain and point them to multiple Azure tenants but I don't think MS will support that officially and it not make any sense to keep identities in multiple azure tenants though they may be synced from single domain

What Microsoft officially supported scenario is, you can have single Azure / O365 tenant and you can sync multiple forests to that single tenant via Azure AD Connect
You need only one Azure Ad connect server in any one forest and then either you need forest trust between those forests or AD connect server could have direct network and DNS connectivity with those forest domain controllers so that those domains can be added to AD connect server for syncing

Other alternative could be you can use some 3rd party solution like Bit titan to merge accounts from multiple Azure tenants to one
Then create on premise Ad users matching to those migrated IDs and AD connect sync will sync those on premise identities with new migrated identities


Author Comment

ID: 41880440
Implementing ADFS was my original intent but reading Microsoft's description of SSO this only allows domain users to use one set of credentials for both domain and cloud logon.
My understanding of ADFS implementation is solely where the user is authenticated - with ADFS  user credentials authenticate back to the domain and without ADFS the user authenticates via Azure AD (synchronized with Domain AD via ADConnect).

If you have a different experience I'd like to understand, but in either case this does not satisfy our one domain/2 tenant dilemma.

Thanks for the response!
LVL 37

Accepted Solution

Mahesh earned 300 total points
ID: 41880952
Implementing ADFS was my original intent but reading Microsoft's description of SSO this only allows domain users to use one set of credentials for both domain and cloud logon
What is your definition of SSO?
Once user logged on to workstation, it should logged on to cloud apps without any authentication just like same way when you access on premise exchange server mailbox...?

when using O365 apps there is SSO but have two flavors
When you use AAD connect (Ad sync) server, you have option to sync your user passwords also to cloud along with identity
User has to enter same Ad password each time he access any cloud app unless it is cached - this is same sign on
We called it as same sign on because it uses two separate identities though they are identical - one is on premise account which is used to logon to Ad and 2nd is Azure AD account which is used to logon to cloud resources, only password is same.

Alternatively when you use Adfs, user is redirected to on premise Adfs server where he needs to provide AD identity and credentials - this is call Single sign on because it uses only one identity for authentication again and again.

Now fact is that you never get real AD integrated application experience like MS exchange authentication
because cloud identity and on premise AD identity are two separate identities and when you use Adfs to get authentication from on premise Ad, actually you are providing AD ID and password to Adfs either through cache or through windows integrated authentication (if you enter Adfs URL to intranet zone in IE, it will automatically pickup logged on user crdentials

if you are talking about single Ad and multiple O365 / Azure tenants, you can deploy multiple AD sync servers but you need to use two different domains in both tenants which in turn you need to maintain two UPNs on your on premise AD because you cannot register one domain to two azure tenants - belongs to 1 tenant - belong to 2nd tenant
Now you could use Adfs to federate both tenants with on premise AD
users can be either part of UPN or UPN but part of same AD

one last thing, you need to check if your scenario is officially supported byMicrosoft

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 200 total points
ID: 41881252
I am panning out what i think you want to achieve

you have a azure test tenant
you have a office 365 tenant

you want office 365 tenant and azure tenant use the same credential/token
you can do a Office 365 merge with azure tenant

the caveat is there is a 1to1 relationship directory map between azure tenant and office 365 tenant.  your directory will not map multiple azure tenant to 1 office 365 or multiple office 365 tenant to 1 azure tenant

In a nutshell
1. logon to azure tenant
2. go to directory/custom create/use existing, and put office 365 tenant directory in there
3. sign out and sign in back as office 365 global admin
4. sign back in as azure tenant, you will notice that the azure can now add user from office 365 tenant


Hopefully this is what you want to achieve.
LVL 37

Expert Comment

ID: 41881763

You are enabling to manage both tenants from one Azure Portal right (Azure AD interface)

But still he needs to manage identities as both places
LVL 37

Expert Comment

by:Jian An Lim
ID: 41882996
i am not sure what do you means manage identity at both place.
if you merge, account and authentication will be under office 365 tenant . so if you disable the user/block logon from Office 365 portal, they user will lost the ability to log on to Azure portal as well.

Or else, the Azure will be using MIcrosoft account, not Work account.

Author Closing Comment

ID: 41886239
Thanks for the help. You have both certainly given me information to move forward on and I will take all into consideration.

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In previous parts of this Nano Server deployment series, we learned how to create, deploy and configure Nano Server as a Hyper-V host. In this part, we will look for a clustering option. We will create a Hyper-V cluster of 3 Nano Server host nodes w…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question