Multi Azure tenant question

Posted on 2016-11-08
Medium Priority
Last Modified: 2016-11-14
Here's a scenario we are facing- this involves a single forest/domain;

Our developers are using Azure to create and test a range of test servers in preparation of a large upgrade. This is managed solely by the development team themselves with relevant Azure AD accounts created as needed (eg user@tenant.onmicrosoft.com

I am heading up a project to prepare for a move to Office 365. We have gone through a pilot test (Initial accounts user@TENANT2@onmicrosoft.com) and I have now set up AD directory sync through ADconnect for SSO.

My question is, at the point where development is pushed out to users for testing I can see our development team requesting that that SSO be configured, and in general it makes sense to have all Azure resources under one tenant.

Has anyone gone through this? Is it possible to either merge tenant accounts or have ADconnect sync a single domain to multiple tenants?

Just looking for options - thanks in advance.
Question by:agradmin
  • 3
  • 2
  • 2
LVL 40

Expert Comment

ID: 41879897
Azure Ad connect alone will not provide you SSO

You also need to deploy Adfs server farm to achieve SSO so that authentication requests would be fulfilled by on premise AD servers via Adfs

You may put multiple Azure Ad connect servers in single AD domain and point them to multiple Azure tenants but I don't think MS will support that officially and it not make any sense to keep identities in multiple azure tenants though they may be synced from single domain

What Microsoft officially supported scenario is, you can have single Azure / O365 tenant and you can sync multiple forests to that single tenant via Azure AD Connect
You need only one Azure Ad connect server in any one forest and then either you need forest trust between those forests or AD connect server could have direct network and DNS connectivity with those forest domain controllers so that those domains can be added to AD connect server for syncing

Other alternative could be you can use some 3rd party solution like Bit titan to merge accounts from multiple Azure tenants to one
Then create on premise Ad users matching to those migrated IDs and AD connect sync will sync those on premise identities with new migrated identities


Author Comment

ID: 41880440
Implementing ADFS was my original intent but reading Microsoft's description of SSO this only allows domain users to use one set of credentials for both domain and cloud logon.
My understanding of ADFS implementation is solely where the user is authenticated - with ADFS  user credentials authenticate back to the domain and without ADFS the user authenticates via Azure AD (synchronized with Domain AD via ADConnect).

If you have a different experience I'd like to understand, but in either case this does not satisfy our one domain/2 tenant dilemma.

Thanks for the response!
LVL 40

Accepted Solution

Mahesh earned 1200 total points
ID: 41880952
Implementing ADFS was my original intent but reading Microsoft's description of SSO this only allows domain users to use one set of credentials for both domain and cloud logon
What is your definition of SSO?
Once user logged on to workstation, it should logged on to cloud apps without any authentication just like same way when you access on premise exchange server mailbox...?

when using O365 apps there is SSO but have two flavors
When you use AAD connect (Ad sync) server, you have option to sync your user passwords also to cloud along with identity
User has to enter same Ad password each time he access any cloud app unless it is cached - this is same sign on
We called it as same sign on because it uses two separate identities though they are identical - one is on premise account which is used to logon to Ad and 2nd is Azure AD account which is used to logon to cloud resources, only password is same.

Alternatively when you use Adfs, user is redirected to on premise Adfs server where he needs to provide AD identity and credentials - this is call Single sign on because it uses only one identity for authentication again and again.

Now fact is that you never get real AD integrated application experience like MS exchange authentication
because cloud identity and on premise AD identity are two separate identities and when you use Adfs to get authentication from on premise Ad, actually you are providing AD ID and password to Adfs either through cache or through windows integrated authentication (if you enter Adfs URL to intranet zone in IE, it will automatically pickup logged on user crdentials

if you are talking about single Ad and multiple O365 / Azure tenants, you can deploy multiple AD sync servers but you need to use two different domains in both tenants which in turn you need to maintain two UPNs on your on premise AD because you cannot register one domain to two azure tenants
user1@contoso.com - belongs to 1 tenant
user2@fabricam.com - belong to 2nd tenant
Now you could use Adfs to federate both tenants with on premise AD
users can be either part of fabrikam.com UPN or contoso.com UPN but part of same AD

one last thing, you need to check if your scenario is officially supported byMicrosoft

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

LVL 38

Assisted Solution

by:Jian An Lim
Jian An Lim earned 800 total points
ID: 41881252
I am panning out what i think you want to achieve

you have a azure test tenant @TENANT.onmicrosoft.com
you have a office 365 tenant @tenant2.onmicrosoft.com

you want office 365 tenant and azure tenant use the same credential/token
you can do a Office 365 merge with azure tenant

the caveat is there is a 1to1 relationship directory map between azure tenant and office 365 tenant.  your directory will not map multiple azure tenant to 1 office 365 or multiple office 365 tenant to 1 azure tenant

In a nutshell
1. logon to azure tenant
2. go to directory/custom create/use existing, and put office 365 tenant directory in there
3. sign out and sign in back as office 365 global admin
4. sign back in as azure tenant, you will notice that the azure can now add user from office 365 tenant


Hopefully this is what you want to achieve.
LVL 40

Expert Comment

ID: 41881763

You are enabling to manage both tenants from one Azure Portal right (Azure AD interface)

But still he needs to manage identities as both places
LVL 38

Expert Comment

by:Jian An Lim
ID: 41882996
i am not sure what do you means manage identity at both place.
if you merge, account and authentication will be under office 365 tenant . so if you disable the user/block logon from Office 365 portal, they user will lost the ability to log on to Azure portal as well.

Or else, the Azure will be using MIcrosoft account, not Work account.

Author Closing Comment

ID: 41886239
Thanks for the help. You have both certainly given me information to move forward on and I will take all into consideration.

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Considering cloud tradeoffs and determining the right mix for your organization.
In this article, we will discuss how you can secure Active Directory using free tools, and how you can choose a safe and secure Active Directory security auditing tool.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question