Multi Azure tenant question

Posted on 2016-11-08
Last Modified: 2016-11-14
Here's a scenario we are facing- this involves a single forest/domain;

Our developers are using Azure to create and test a range of test servers in preparation of a large upgrade. This is managed solely by the development team themselves with relevant Azure AD accounts created as needed (eg

I am heading up a project to prepare for a move to Office 365. We have gone through a pilot test (Initial accounts and I have now set up AD directory sync through ADconnect for SSO.

My question is, at the point where development is pushed out to users for testing I can see our development team requesting that that SSO be configured, and in general it makes sense to have all Azure resources under one tenant.

Has anyone gone through this? Is it possible to either merge tenant accounts or have ADconnect sync a single domain to multiple tenants?

Just looking for options - thanks in advance.
Question by:agradmin
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 37

Expert Comment

ID: 41879897
Azure Ad connect alone will not provide you SSO

You also need to deploy Adfs server farm to achieve SSO so that authentication requests would be fulfilled by on premise AD servers via Adfs

You may put multiple Azure Ad connect servers in single AD domain and point them to multiple Azure tenants but I don't think MS will support that officially and it not make any sense to keep identities in multiple azure tenants though they may be synced from single domain

What Microsoft officially supported scenario is, you can have single Azure / O365 tenant and you can sync multiple forests to that single tenant via Azure AD Connect
You need only one Azure Ad connect server in any one forest and then either you need forest trust between those forests or AD connect server could have direct network and DNS connectivity with those forest domain controllers so that those domains can be added to AD connect server for syncing

Other alternative could be you can use some 3rd party solution like Bit titan to merge accounts from multiple Azure tenants to one
Then create on premise Ad users matching to those migrated IDs and AD connect sync will sync those on premise identities with new migrated identities


Author Comment

ID: 41880440
Implementing ADFS was my original intent but reading Microsoft's description of SSO this only allows domain users to use one set of credentials for both domain and cloud logon.
My understanding of ADFS implementation is solely where the user is authenticated - with ADFS  user credentials authenticate back to the domain and without ADFS the user authenticates via Azure AD (synchronized with Domain AD via ADConnect).

If you have a different experience I'd like to understand, but in either case this does not satisfy our one domain/2 tenant dilemma.

Thanks for the response!
LVL 37

Accepted Solution

Mahesh earned 300 total points
ID: 41880952
Implementing ADFS was my original intent but reading Microsoft's description of SSO this only allows domain users to use one set of credentials for both domain and cloud logon
What is your definition of SSO?
Once user logged on to workstation, it should logged on to cloud apps without any authentication just like same way when you access on premise exchange server mailbox...?

when using O365 apps there is SSO but have two flavors
When you use AAD connect (Ad sync) server, you have option to sync your user passwords also to cloud along with identity
User has to enter same Ad password each time he access any cloud app unless it is cached - this is same sign on
We called it as same sign on because it uses two separate identities though they are identical - one is on premise account which is used to logon to Ad and 2nd is Azure AD account which is used to logon to cloud resources, only password is same.

Alternatively when you use Adfs, user is redirected to on premise Adfs server where he needs to provide AD identity and credentials - this is call Single sign on because it uses only one identity for authentication again and again.

Now fact is that you never get real AD integrated application experience like MS exchange authentication
because cloud identity and on premise AD identity are two separate identities and when you use Adfs to get authentication from on premise Ad, actually you are providing AD ID and password to Adfs either through cache or through windows integrated authentication (if you enter Adfs URL to intranet zone in IE, it will automatically pickup logged on user crdentials

if you are talking about single Ad and multiple O365 / Azure tenants, you can deploy multiple AD sync servers but you need to use two different domains in both tenants which in turn you need to maintain two UPNs on your on premise AD because you cannot register one domain to two azure tenants - belongs to 1 tenant - belong to 2nd tenant
Now you could use Adfs to federate both tenants with on premise AD
users can be either part of UPN or UPN but part of same AD

one last thing, you need to check if your scenario is officially supported byMicrosoft

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 200 total points
ID: 41881252
I am panning out what i think you want to achieve

you have a azure test tenant
you have a office 365 tenant

you want office 365 tenant and azure tenant use the same credential/token
you can do a Office 365 merge with azure tenant

the caveat is there is a 1to1 relationship directory map between azure tenant and office 365 tenant.  your directory will not map multiple azure tenant to 1 office 365 or multiple office 365 tenant to 1 azure tenant

In a nutshell
1. logon to azure tenant
2. go to directory/custom create/use existing, and put office 365 tenant directory in there
3. sign out and sign in back as office 365 global admin
4. sign back in as azure tenant, you will notice that the azure can now add user from office 365 tenant


Hopefully this is what you want to achieve.
LVL 37

Expert Comment

ID: 41881763

You are enabling to manage both tenants from one Azure Portal right (Azure AD interface)

But still he needs to manage identities as both places
LVL 37

Expert Comment

by:Jian An Lim
ID: 41882996
i am not sure what do you means manage identity at both place.
if you merge, account and authentication will be under office 365 tenant . so if you disable the user/block logon from Office 365 portal, they user will lost the ability to log on to Azure portal as well.

Or else, the Azure will be using MIcrosoft account, not Work account.

Author Closing Comment

ID: 41886239
Thanks for the help. You have both certainly given me information to move forward on and I will take all into consideration.

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question