Solved

Multi Azure tenant question

Posted on 2016-11-08
7
44 Views
Last Modified: 2016-11-14
Here's a scenario we are facing- this involves a single forest/domain;

Our developers are using Azure to create and test a range of test servers in preparation of a large upgrade. This is managed solely by the development team themselves with relevant Azure AD accounts created as needed (eg user@tenant.onmicrosoft.com

I am heading up a project to prepare for a move to Office 365. We have gone through a pilot test (Initial accounts user@TENANT2@onmicrosoft.com) and I have now set up AD directory sync through ADconnect for SSO.

My question is, at the point where development is pushed out to users for testing I can see our development team requesting that that SSO be configured, and in general it makes sense to have all Azure resources under one tenant.

Has anyone gone through this? Is it possible to either merge tenant accounts or have ADconnect sync a single domain to multiple tenants?

Just looking for options - thanks in advance.
0
Comment
Question by:agradmin
  • 3
  • 2
  • 2
7 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 41879897
Azure Ad connect alone will not provide you SSO

You also need to deploy Adfs server farm to achieve SSO so that authentication requests would be fulfilled by on premise AD servers via Adfs

You may put multiple Azure Ad connect servers in single AD domain and point them to multiple Azure tenants but I don't think MS will support that officially and it not make any sense to keep identities in multiple azure tenants though they may be synced from single domain

What Microsoft officially supported scenario is, you can have single Azure / O365 tenant and you can sync multiple forests to that single tenant via Azure AD Connect
You need only one Azure Ad connect server in any one forest and then either you need forest trust between those forests or AD connect server could have direct network and DNS connectivity with those forest domain controllers so that those domains can be added to AD connect server for syncing

Other alternative could be you can use some 3rd party solution like Bit titan to merge accounts from multiple Azure tenants to one
Then create on premise Ad users matching to those migrated IDs and AD connect sync will sync those on premise identities with new migrated identities

Mahesh.
0
 

Author Comment

by:agradmin
ID: 41880440
Mahesh,
Implementing ADFS was my original intent but reading Microsoft's description of SSO this only allows domain users to use one set of credentials for both domain and cloud logon.
My understanding of ADFS implementation is solely where the user is authenticated - with ADFS  user credentials authenticate back to the domain and without ADFS the user authenticates via Azure AD (synchronized with Domain AD via ADConnect).

If you have a different experience I'd like to understand, but in either case this does not satisfy our one domain/2 tenant dilemma.

Thanks for the response!
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 300 total points
ID: 41880952
Implementing ADFS was my original intent but reading Microsoft's description of SSO this only allows domain users to use one set of credentials for both domain and cloud logon
What is your definition of SSO?
Once user logged on to workstation, it should logged on to cloud apps without any authentication just like same way when you access on premise exchange server mailbox...?

when using O365 apps there is SSO but have two flavors
When you use AAD connect (Ad sync) server, you have option to sync your user passwords also to cloud along with identity
User has to enter same Ad password each time he access any cloud app unless it is cached - this is same sign on
We called it as same sign on because it uses two separate identities though they are identical - one is on premise account which is used to logon to Ad and 2nd is Azure AD account which is used to logon to cloud resources, only password is same.

Alternatively when you use Adfs, user is redirected to on premise Adfs server where he needs to provide AD identity and credentials - this is call Single sign on because it uses only one identity for authentication again and again.

Now fact is that you never get real AD integrated application experience like MS exchange authentication
because cloud identity and on premise AD identity are two separate identities and when you use Adfs to get authentication from on premise Ad, actually you are providing AD ID and password to Adfs either through cache or through windows integrated authentication (if you enter Adfs URL to intranet zone in IE, it will automatically pickup logged on user crdentials

if you are talking about single Ad and multiple O365 / Azure tenants, you can deploy multiple AD sync servers but you need to use two different domains in both tenants which in turn you need to maintain two UPNs on your on premise AD because you cannot register one domain to two azure tenants
user1@contoso.com - belongs to 1 tenant
user2@fabricam.com - belong to 2nd tenant
Now you could use Adfs to federate both tenants with on premise AD
users can be either part of fabrikam.com UPN or contoso.com UPN but part of same AD

one last thing, you need to check if your scenario is officially supported byMicrosoft

Mahesh.
0
 
LVL 36

Assisted Solution

by:Jian An Lim
Jian An Lim earned 200 total points
ID: 41881252
I am panning out what i think you want to achieve

you have a azure test tenant @TENANT.onmicrosoft.com
you have a office 365 tenant @tenant2.onmicrosoft.com

you want office 365 tenant and azure tenant use the same credential/token
you can do a Office 365 merge with azure tenant

the caveat is there is a 1to1 relationship directory map between azure tenant and office 365 tenant.  your directory will not map multiple azure tenant to 1 office 365 or multiple office 365 tenant to 1 azure tenant

In a nutshell
1. logon to azure tenant
2. go to directory/custom create/use existing, and put office 365 tenant directory in there
3. sign out and sign in back as office 365 global admin
4. sign back in as azure tenant, you will notice that the azure can now add user from office 365 tenant


Read
https://azure.microsoft.com/en-us/documentation/articles/active-directory-manage-o365-subscription/
https://azure.microsoft.com/en-us/documentation/articles/billing-use-existing-office-365-account-azure-subscription/
https://azure.microsoft.com/en-us/documentation/articles/billing-add-office-365-tenant-to-azure-subscription/



Hopefully this is what you want to achieve.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 41881763
@Jian:

You are enabling to manage both tenants from one Azure Portal right (Azure AD interface)

But still he needs to manage identities as both places
0
 
LVL 36

Expert Comment

by:Jian An Lim
ID: 41882996
i am not sure what do you means manage identity at both place.
if you merge, account and authentication will be under office 365 tenant . so if you disable the user/block logon from Office 365 portal, they user will lost the ability to log on to Azure portal as well.

Or else, the Azure will be using MIcrosoft account, not Work account.
0
 

Author Closing Comment

by:agradmin
ID: 41886239
Thanks for the help. You have both certainly given me information to move forward on and I will take all into consideration.
0

Join & Write a Comment

Monitoring systems evolution, cloud technology benefits and cloud cost calculators business utility.
Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now