Solved

Multi Azure tenant question

Posted on 2016-11-08
7
68 Views
Last Modified: 2016-11-14
Here's a scenario we are facing- this involves a single forest/domain;

Our developers are using Azure to create and test a range of test servers in preparation of a large upgrade. This is managed solely by the development team themselves with relevant Azure AD accounts created as needed (eg user@tenant.onmicrosoft.com

I am heading up a project to prepare for a move to Office 365. We have gone through a pilot test (Initial accounts user@TENANT2@onmicrosoft.com) and I have now set up AD directory sync through ADconnect for SSO.

My question is, at the point where development is pushed out to users for testing I can see our development team requesting that that SSO be configured, and in general it makes sense to have all Azure resources under one tenant.

Has anyone gone through this? Is it possible to either merge tenant accounts or have ADconnect sync a single domain to multiple tenants?

Just looking for options - thanks in advance.
0
Comment
Question by:agradmin
  • 3
  • 2
  • 2
7 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 41879897
Azure Ad connect alone will not provide you SSO

You also need to deploy Adfs server farm to achieve SSO so that authentication requests would be fulfilled by on premise AD servers via Adfs

You may put multiple Azure Ad connect servers in single AD domain and point them to multiple Azure tenants but I don't think MS will support that officially and it not make any sense to keep identities in multiple azure tenants though they may be synced from single domain

What Microsoft officially supported scenario is, you can have single Azure / O365 tenant and you can sync multiple forests to that single tenant via Azure AD Connect
You need only one Azure Ad connect server in any one forest and then either you need forest trust between those forests or AD connect server could have direct network and DNS connectivity with those forest domain controllers so that those domains can be added to AD connect server for syncing

Other alternative could be you can use some 3rd party solution like Bit titan to merge accounts from multiple Azure tenants to one
Then create on premise Ad users matching to those migrated IDs and AD connect sync will sync those on premise identities with new migrated identities

Mahesh.
0
 

Author Comment

by:agradmin
ID: 41880440
Mahesh,
Implementing ADFS was my original intent but reading Microsoft's description of SSO this only allows domain users to use one set of credentials for both domain and cloud logon.
My understanding of ADFS implementation is solely where the user is authenticated - with ADFS  user credentials authenticate back to the domain and without ADFS the user authenticates via Azure AD (synchronized with Domain AD via ADConnect).

If you have a different experience I'd like to understand, but in either case this does not satisfy our one domain/2 tenant dilemma.

Thanks for the response!
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 300 total points
ID: 41880952
Implementing ADFS was my original intent but reading Microsoft's description of SSO this only allows domain users to use one set of credentials for both domain and cloud logon
What is your definition of SSO?
Once user logged on to workstation, it should logged on to cloud apps without any authentication just like same way when you access on premise exchange server mailbox...?

when using O365 apps there is SSO but have two flavors
When you use AAD connect (Ad sync) server, you have option to sync your user passwords also to cloud along with identity
User has to enter same Ad password each time he access any cloud app unless it is cached - this is same sign on
We called it as same sign on because it uses two separate identities though they are identical - one is on premise account which is used to logon to Ad and 2nd is Azure AD account which is used to logon to cloud resources, only password is same.

Alternatively when you use Adfs, user is redirected to on premise Adfs server where he needs to provide AD identity and credentials - this is call Single sign on because it uses only one identity for authentication again and again.

Now fact is that you never get real AD integrated application experience like MS exchange authentication
because cloud identity and on premise AD identity are two separate identities and when you use Adfs to get authentication from on premise Ad, actually you are providing AD ID and password to Adfs either through cache or through windows integrated authentication (if you enter Adfs URL to intranet zone in IE, it will automatically pickup logged on user crdentials

if you are talking about single Ad and multiple O365 / Azure tenants, you can deploy multiple AD sync servers but you need to use two different domains in both tenants which in turn you need to maintain two UPNs on your on premise AD because you cannot register one domain to two azure tenants
user1@contoso.com - belongs to 1 tenant
user2@fabricam.com - belong to 2nd tenant
Now you could use Adfs to federate both tenants with on premise AD
users can be either part of fabrikam.com UPN or contoso.com UPN but part of same AD

one last thing, you need to check if your scenario is officially supported byMicrosoft

Mahesh.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 36

Assisted Solution

by:Jian An Lim
Jian An Lim earned 200 total points
ID: 41881252
I am panning out what i think you want to achieve

you have a azure test tenant @TENANT.onmicrosoft.com
you have a office 365 tenant @tenant2.onmicrosoft.com

you want office 365 tenant and azure tenant use the same credential/token
you can do a Office 365 merge with azure tenant

the caveat is there is a 1to1 relationship directory map between azure tenant and office 365 tenant.  your directory will not map multiple azure tenant to 1 office 365 or multiple office 365 tenant to 1 azure tenant

In a nutshell
1. logon to azure tenant
2. go to directory/custom create/use existing, and put office 365 tenant directory in there
3. sign out and sign in back as office 365 global admin
4. sign back in as azure tenant, you will notice that the azure can now add user from office 365 tenant


Read
https://azure.microsoft.com/en-us/documentation/articles/active-directory-manage-o365-subscription/
https://azure.microsoft.com/en-us/documentation/articles/billing-use-existing-office-365-account-azure-subscription/
https://azure.microsoft.com/en-us/documentation/articles/billing-add-office-365-tenant-to-azure-subscription/



Hopefully this is what you want to achieve.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 41881763
@Jian:

You are enabling to manage both tenants from one Azure Portal right (Azure AD interface)

But still he needs to manage identities as both places
0
 
LVL 36

Expert Comment

by:Jian An Lim
ID: 41882996
i am not sure what do you means manage identity at both place.
if you merge, account and authentication will be under office 365 tenant . so if you disable the user/block logon from Office 365 portal, they user will lost the ability to log on to Azure portal as well.

Or else, the Azure will be using MIcrosoft account, not Work account.
0
 

Author Closing Comment

by:agradmin
ID: 41886239
Thanks for the help. You have both certainly given me information to move forward on and I will take all into consideration.
0

Featured Post

Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Companies keep a much closer eye on costs today, so changing to new Technology – Microsoft Office 365 is the smartest move to take.
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now