Forum Discussion

Off2w0rk
Brass Contributor
Aug 22, 2017

Two different domains in one Office 365 tenant

Hi all,

 

Our scenario is the following:

 

CompanyA has on-premise AD and Exchange. They have deployed Azure AD Connect and ADFS with their own Azure tenant and everything is working fine.

 

CompanyB has their own on-premise AD and Exchange. They want to use the same tenant as CompanyA, but want the on-premise AD to be separated. What is the supported scenario, if any?

According to this article, the closest they get is "Multiple forests, single Azure AD tenant": https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies

 

What are the pros and cons?

They will probably need to set up a trust between them?

Are there other ways this can be achieved?

 

thanks!

  • Hi,

     

    There can be only one Azure AD Connect instance for a single Azure tenant. This means, you have to use one AAD Connect instance for both companies, if you want to go single tenant.

     

    Azure AD Connect supports connecting multiple forests to a single Azure AD tenant. A server that runs Azure AD Connect does not have to be joined to any domain locally, however, it must be able to access domain controllers in both forests.

     

    In some cases, you can choose to place the Azure AD Connect server in a perimeter network (DMZ), especially if you do not have a direct network connection to all forests that you would like to include in the synchronization.

     

    If you need more information, you probably should tell us what your goal is and how both companies must work together.

     


    • Off2w0rk
      Brass Contributor

      Hi Dominik and thanks for prompt reply.

       

      As of now, the main goal is that both companies can collaborate with each other in Office 365, but keep internal systems separate.

      Not sure if it's better that they merge the on-premise environment or go for the trust and use a single AD Connect.

       

      thanks!

      • You are welcome.

        From my perspective, if they want to manage their own on-premise Active Directory, use one AAD Connect instance and go to a single Azure tenant.

         

        You can merge it later if you want, this is no problem. Depending on the AAD Connect server placement (domain joined, locally or DMZ) you need no trust relationship.

         

        Make sure the admins from both companies agree on a good design decision about what to sync, what to merge and which attributes are needed. Then this will be no problem.
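        The design check the reply above asks for (what to sync, what to merge, which attributes) is worth scripting before the single AAD Connect server is pointed at both forests. Azure AD Connect matches objects across forests on mail and proxyAddresses (or ObjectSID for account/resource forest layouts), and projects the on-premises UPN into the tenant, so duplicate UPNs or SMTP addresses between CompanyA and CompanyB either produce sync errors or silently join two people into one cloud object. The following script is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed on the machine that will host AAD Connect, that the domain controller names and the per-forest credentials are placeholders you replace, and that the list of verified tenant domains is maintained by hand.

```powershell
# Added example (not from the thread): pre-sync collision check across two
# forests that will feed a single Azure AD tenant through one AAD Connect server.
# Assumptions: RSAT ActiveDirectory module present; dc01.companya.local and
# dc01.companyb.local are placeholder DC names; the credentials are per-forest,
# so no trust between the forests is required for this check.
Import-Module ActiveDirectory

$forests = @(
    @{ Name = 'companya.local'; Server = 'dc01.companya.local'; Credential = (Get-Credential -Message 'CompanyA read account') },
    @{ Name = 'companyb.local'; Server = 'dc01.companyb.local'; Credential = (Get-Credential -Message 'CompanyB read account') }
)

# Assumed list of domains already verified in the tenant. A synced user whose UPN
# suffix is not in this list gets a <tenant>.onmicrosoft.com UPN instead.
$verifiedTenantDomains = @('companya.com', 'companyb.com')

# Pull only the attributes AAD Connect uses for matching and for the cloud UPN.
$users = foreach ($f in $forests) {
    Get-ADUser -Server $f.Server -Credential $f.Credential `
               -Filter 'Enabled -eq $true' `
               -Properties mail, proxyAddresses, userPrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            Forest = $f.Name
            Sam    = $_.SamAccountName
            UPN    = if ($_.UserPrincipalName) { $_.UserPrincipalName.ToLower() } else { $null }
            Mail   = if ($_.mail) { $_.mail.ToLower() } else { $null }
            # proxyAddresses look like 'SMTP:primary@x.com' / 'smtp:alias@x.com'
            Smtp   = @($_.proxyAddresses |
                       Where-Object { $_ -like 'smtp:*' } |
                       ForEach-Object { ($_ -split ':', 2)[1].ToLower() })
        }
    }
}

Write-Host ("Collected {0} enabled users from {1} forests." -f $users.Count, $forests.Count)

# 1. Same UPN present in more than one forest: AAD Connect cannot create both.
$upnClashes = $users | Where-Object UPN | Group-Object UPN | Where-Object Count -gt 1
foreach ($g in $upnClashes) {
    Write-Warning ("UPN clash: {0} -> {1}" -f $g.Name, (($g.Group | ForEach-Object { "$($_.Forest)\$($_.Sam)" }) -join ', '))
}

# 2. Same SMTP address on two objects: the soft-match joins them into ONE cloud
#    object, which is the dangerous case (mailbox and licences end up merged).
$smtpIndex = @{}
foreach ($u in $users) {
    foreach ($a in ($u.Smtp + $u.Mail | Where-Object { $_ })) {
        if (-not $smtpIndex.ContainsKey($a)) { $smtpIndex[$a] = @() }
        if ($smtpIndex[$a] -notcontains "$($u.Forest)\$($u.Sam)") { $smtpIndex[$a] += "$($u.Forest)\$($u.Sam)" }
    }
}
foreach ($kv in $smtpIndex.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }) {
    Write-Warning ("SMTP clash: {0} -> {1}" -f $kv.Key, ($kv.Value -join ', '))
}

# 3. UPN suffixes that are not verified in the tenant (or users with no UPN at all).
$badSuffix = $users | Where-Object { -not $_.UPN -or ($_.UPN.Split('@')[1] -notin $verifiedTenantDomains) }
foreach ($u in $badSuffix) {
    Write-Warning ("Unverified/missing UPN suffix: {0}\{1} ({2})" -f $u.Forest, $u.Sam, $u.UPN)
}

# Summary the two admin teams can sign off on before the first sync run.
[pscustomobject]@{
    Users              = $users.Count
    UpnClashes         = @($upnClashes).Count
    SmtpClashes        = @($smtpIndex.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }).Count
    UnverifiedSuffixes = @($badSuffix).Count
}
```

        Run it from the machine that will host Azure AD Connect, because it doubles as a connectivity test: if Get-ADUser cannot reach a DC in a forest with the supplied credential, AAD Connect will not be able to either. The SMTP-clash case is the one to treat as blocking; a UPN clash is loud and fails the sync, whereas an SMTP soft-match quietly produces one cloud user for two on-premises people.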

    • Antonio Guerra
      Copper Contributor

      If you have two companies as follows:

       

      Company A

      Domain: CompanyA.com

      Manage and Control their own AD/Exchange forest

       

      Company B

      Domain: CompanyB.com

      Manage and Control their own AD/Exchange forest

       

      1. Could you migrate these two companies to a single domain (companyC.com)

      2. If so, could you run Exchange hybrid until the migration is complete, for example, Joe from Company B is migrated to O365 he now has (joe@companyC.com), but Beth also from Company B has not been migrated, so she's still (beth@companyB.com). Mary from Company A is migrated to O365 so she now has (mary@companyC.com), but Tom also from Company A has not been migrated, so he's still (tom@companyB.com).

      3. Could you migrate these two companies to multiple domains under a single tenancy, for example, company A stays companyA.com and company B stays companyB.com in O365, but under a single tenancy structure where administration, billing, and usage are tracked under a single account.

       

      Appreciate your feedback.

      • JosLieben
        Iron Contributor

        1: yes you can

        2: this also works fine (i've done this for a customer with 8 different source forests)

        3: Microsoft will consider the tenant as a single customer, so you'd have to figure out some way to allocate license costs to the different companies. In addition, administrators will be able to administer ALL users (depending a little on setup), so you'll need some governance on that. 

  • mufttv2017
    Copper Contributor
    Not sure how to post, I couldn't find the link, but I have a question.

    Is it possible to add an additional domain to o365 tenant and have it share o365 services (teams, mail, onedrive) with users from the same tenant but using a different domain?

    e.g. we have Domain1.com in our o365 tenant; imagine I add domain2.com as an additional domain.

    Would user@domain1.com be able to browse the directory of Domain2.com and message anyone@domain1.com or share files natively like user is part of the same tenant?
    • JosLieben
      Iron Contributor
      Yes, that is how it works by design; it'll look like they are in the same tenant. You can add up to 900 domains.
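      For completeness, this is what adding that second domain looks like from PowerShell with the MSOnline module that was current for this thread; it is an added example, not something from the reply above. The domain name is a placeholder. The security-relevant step is the TXT record: the tenant will not let you add users under domain2.com until DNS proves you control it, which is what stops a stranger's tenant from claiming your mail domain.

```powershell
# Added example (not from the thread): add a second verified domain to an
# existing Office 365 / Azure AD tenant with the MSOnline module.
# Assumption: 'domain2.com' is a placeholder and you control its public DNS.
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator account

$domain = 'domain2.com'

# 1. Register the domain in the tenant (state will be 'Unverified').
New-MsolDomain -Name $domain -Authentication Managed

# 2. Get the TXT record the tenant expects to see in public DNS for $domain.
#    Create this record at the registrar/DNS host, then continue.
Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord |
    Select-Object Label, Text, Ttl

# 3. Wait for DNS to propagate, then prove ownership.
#    Resolve-DnsName is from the DnsClient module (Windows 8 / Server 2012+).
$expected = (Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord).Text
do {
    Start-Sleep -Seconds 60
    $published = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Strings } | Where-Object { $_ -eq $expected }
} until ($published)
Confirm-MsolDomain -DomainName $domain

# 4. Check the result: Status should now be 'Verified'.
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication

# Users from either domain now live in the same directory; a user can be moved
# between suffixes without changing anything else about the account.
# Set-MsolUserPrincipalName -UserPrincipalName 'user@domain1.com' -NewUserPrincipalName 'user@domain2.com'
```

      Once Status reads Verified, users carrying either suffix see each other in the Global Address List and share Teams and OneDrive exactly as described in the reply, because the domain is only an attribute on the user object, not a boundary.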
      • David Fowler
        Copper Contributor

        In the case of having multiple Azure AD tenants, AAD sync, separate AD Forests with trusts:

         

        Can a user in Company A manage an Exchange resource in Company B?  
