We are using email services hosted in Office 365 and an application that is hosted in our HQ. Our HQ application is authenticated (SSO) from abc.com.
We do not have administrative access to either service, and now my company wants to implement a domain controller for our site only. After we finished the proposal, the direction suddenly changed: the local AD must sync with Azure. I have no idea about this.
Now we notice that HQ is using Azure AD Connect in Office 365 to achieve SSO for email and the application. I am confused about what they said, hopefully
Below is the message sent from them:
They request that we sync the local domain controller to our global domain controller.
[Premise of SSO between Local AD and Azure AD]
- Migrate the Office 365 authentication infrastructure from Secioss to Azure AD
- Configure seamless SSO with Azure AD Connect and link Local AD and Azure AD
A user can only be synchronized between Local AD and Azure AD on a 1:1 basis.
Users in Global AD (Tomato AD) and Azure AD (Office 365 users) already have a 1:1 relationship.
So, for example, to synchronize Tomato users between Tomato AD and Azure AD, we have to terminate the synchronization of Tomato users between Global AD and Azure AD. Then you need to synchronize Tomato users between Tomato AD and Azure AD.
Local AD and Azure AD do not have to be in the same forest.
There are three points:
1. Reliability of IDs managed in Local AD
There is a possibility that Local AD includes administrator IDs, test IDs, and retired users in addition to real users.
It is necessary to synchronize only real users with Azure AD.
# The license fee becomes higher as the number of users increases.
2. Control so that IDs do not overlap globally.
3. Continue Azure AD (Office 365) users in case of personnel changes across companies with AD.
[Subsidiary to introduce AD from now on]
It might be good to duplicate the global AD domain controller and delegate to TomatoAsia so that you can only manage users and groups that belong to the TomatoAsia OU.
We will consider what is best from now on.
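HQ's three points (sync only real users, keep IDs from overlapping globally, and the 1:1 user-to-Azure-AD rule) are exactly what a pre-sync audit of the local OU should check before Azure AD Connect is scoped to it. The script below is an added example, not code from the original post or from HQ. It assumes the ActiveDirectory RSAT module is available on a domain-joined machine; the OU distinguished name `OU=TomatoAsia,DC=local,DC=example`, the CSV path `C:\audit\global-ad-upns.csv` (an export of Global AD UPNs with a `UserPrincipalName` column), and the 90-day staleness threshold are placeholders you would replace.

```powershell
# Added example: audit a local AD OU before Azure AD Connect OU filtering is enabled.
# Not from the original post or from HQ. The OU DN, CSV path and threshold below
# are assumptions to be replaced with your own values.
Import-Module ActiveDirectory

$SyncOU     = 'OU=TomatoAsia,DC=local,DC=example'   # assumed OU that will be synced
$GlobalUpns = 'C:\audit\global-ad-upns.csv'         # assumed Global AD export (column: UserPrincipalName)
$StaleDays  = 90                                    # assumed "no logon" threshold

$staleBefore = (Get-Date).AddDays(-$StaleDays)

# Every user in the OU, with the attributes the checks below need.
$users = Get-ADUser -Filter * -SearchBase $SyncOU -Properties `
    mail, userPrincipalName, lastLogonTimestamp, adminCount, whenCreated

# UPNs already present in Global AD. A local user with the same UPN would
# collide with the existing Global AD -> Azure AD 1:1 mapping.
$globalSet = @{}
if (Test-Path $GlobalUpns) {
    Import-Csv $GlobalUpns | ForEach-Object {
        if ($_.UserPrincipalName) { $globalSet[$_.UserPrincipalName.ToLower()] = $true }
    }
}

$findings = foreach ($u in $users) {
    $reasons = @()
    if (-not $u.Enabled)     { $reasons += 'disabled' }
    if ($u.adminCount -eq 1) { $reasons += 'privileged (adminCount=1)' }
    if ($u.SamAccountName -match '^(test|tmp|svc|adm)[-_.]?') {
        $reasons += 'name looks like a test/service/admin account'
    }
    if (-not $u.userPrincipalName -or -not $u.mail) { $reasons += 'missing UPN or mail' }
    if ($u.lastLogonTimestamp) {
        $last = [DateTime]::FromFileTime($u.lastLogonTimestamp)
        if ($last -lt $staleBefore) { $reasons += "no logon since $($last.ToShortDateString())" }
    } elseif ($u.whenCreated -lt $staleBefore) {
        $reasons += 'never logged on'
    }
    if ($u.userPrincipalName -and $globalSet.ContainsKey($u.userPrincipalName.ToLower())) {
        $reasons += 'UPN already exists in Global AD (breaks 1:1 sync)'
    }
    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.userPrincipalName
            Reasons        = ($reasons -join '; ')
        }
    }
}

# Duplicate mail addresses inside the OU itself would also fail to sync cleanly.
$dupeMail = $users | Where-Object mail |
    Group-Object { $_.mail.ToLower() } | Where-Object Count -gt 1

'Accounts to move out of the sync OU or clean up first:'
$findings | Sort-Object SamAccountName | Format-Table -AutoSize

if ($dupeMail) {
    'Duplicate mail addresses within the OU:'
    $dupeMail | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.Group.SamAccountName -join ', ') }
}
```

Run it as a user with read access to the OU; it changes nothing. Anything it lists is a candidate to move to a non-synced OU (or disable and relocate) before enabling OU filtering in Azure AD Connect, since each synced account that stays in scope is one more licence and, for the UPN collisions, one more account that cannot be matched 1:1 with the Office 365 user HQ already maps from Global AD.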