Forum Discussion
Allow multiple Azure tenants to sign into my on-prem RDS environment
The customers would prefer to use their own Azure AD Identity to sign into our on-prem session host. Is this possible?
Let's say we have 10 session hosts in our environment. Each host belongs to a different company using a different Azure tenant.
I can set up AD Connect to one Azure tenant, but how would all the other customers provide their credentials?
Thanks for any pointers.
- Kim
2 Replies
- LainRobertson (Silver Contributor)
It's possible but probably not practical.
This model (below) carries a lot of implications that most external organisations won't agree to, not the least of which is how to negate the implied transitive trusts that would then exist between clients (which can be achieved, it's just complex).
You'd also have to reinvent your RDS deployment entirely.
So, as I say, doable but practical? Unless you've got some folks internally that live and breathe this stuff, I'd say no, it's not practical.
Note: As an aside, you can have a model of a single on-premise AD synchronising to multiple tenants; however, I'd expect these external tenants to be doing their own synchronising via AAD Connect, which is all but guaranteed to rule this approach out.
Even if they weren't using AAD Connect (for example if they're cloud-native), it would still be unlikely that anyone would agree to the required changes to make this work.
Cheers,
Lain
- KurtBMayer (Iron Contributor)
Unfortunately, multi-tenant is not a supported scenario with AVD. Reference: Understanding licensing and per-user access pricing. AVD only works with user accounts provisioned into the associated Azure AD tenant.
To achieve separation, you must provision an Azure subscription which is associated with the customer's existing Azure AD, per: Add an existing Azure subscription to your tenant - Azure AD - Microsoft Entra | Microsoft Learn. Then deploy AVD into that subscription.
Please like or mark this thread as answered if it's helpful, thanks!