Forum Discussion
Azure AD Connect - One forest - Two tenants - Same OUs
Hi, Brad.
As you've noted, the topology is supported - albeit it with a growing list of caveats as noted here:
You do not need to separate the Active Directory objects (user or otherwise) into separate organisational units, but to reinforce one of the caveats from the article above: only a single instance of AAD Connect can be configured to write back to Active Directory, meaning you must pay particular attention to ensure writeback is disabled when running AAD Connect's setup for the new per-tenant instances of AAD Connect.
If I was going to call out just one additional caveat from the list in the article, it'd be the fourth last one:
It is not supported to add and verify the same custom domain name in more than one Microsoft Entra tenant, even if these tenants are in different Azure environments.
If the synchronised objects are going to use tenant-specific domain suffixes on their userPrincipalName, proxyAddresses, mail, sipAddress, etc., then this is not an issue (and my assumption is that this is the scenario you're facing). But if you're expecting them to retain the same value across tenants, that's not going to be possible.
Cheers,
Lain
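As an added example (not part of Lain's reply or of any Microsoft documentation), the two checks above can be scripted on each AAD Connect server: confirm that no writeback feature is enabled on this instance, and confirm that the users in the OU being synchronised to this tenant carry that tenant's domain suffix on userPrincipalName, mail and the primary SMTP proxyAddress. It assumes the ADSync and ActiveDirectory PowerShell modules are installed, that Get-ADSyncAADCompanyFeature exposes the writeback properties named in the script (verify against your own output), and the OU path and suffix in the usage lines are hypothetical.

```powershell
# Added example for this thread; run on an AAD Connect server.
# Assumptions not stated in the post: ADSync and ActiveDirectory modules are
# installed, and Get-ADSyncAADCompanyFeature exposes the properties listed below.

Import-Module ADSync
Import-Module ActiveDirectory

function Test-WritebackDisabled {
    # Returns $true only if every writeback feature on this instance is off.
    $f = Get-ADSyncAADCompanyFeature
    # Property names are assumed; compare against Get-ADSyncAADCompanyFeature
    # on your own server before relying on this list. Password writeback is
    # configured separately and is not covered here.
    $writebackProps = 'UserWriteback', 'DeviceWriteback', 'UnifiedGroupWriteback', 'GroupWritebackV2'
    $enabled = foreach ($p in $writebackProps) {
        if ($f.PSObject.Properties[$p] -and $f.$p) { $p }
    }
    if ($enabled) {
        Write-Warning ("Writeback enabled on this instance: " + ($enabled -join ', '))
        return $false
    }
    return $true
}

function Test-TenantSuffix {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # OU synchronised to this tenant
        [Parameter(Mandatory)][string]$Suffix        # verified domain of this tenant only
    )
    # Emits one object per user whose UPN, mail or primary SMTP address does
    # not carry this tenant's suffix; an empty result means the OU is clean.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail, proxyAddresses
    foreach ($u in $users) {
        $problems = @()
        if ($u.UserPrincipalName -notlike "*@$Suffix") {
            $problems += "UPN=$($u.UserPrincipalName)"
        }
        if ($u.mail -and $u.mail -notlike "*@$Suffix") {
            $problems += "mail=$($u.mail)"
        }
        # The primary SMTP address is the proxyAddresses entry with upper-case 'SMTP:'.
        $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        foreach ($addr in $primary) {
            if ($addr -notlike "SMTP:*@$Suffix") { $problems += "primarySMTP=$addr" }
        }
        if ($problems) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Issues         = ($problems -join '; ')
            }
        }
    }
}

# Usage (hypothetical OU and suffix; substitute your own):
Test-WritebackDisabled
Test-TenantSuffix -SearchBase 'OU=TenantA,DC=corp,DC=example' -Suffix 'tenant-a.example.com' |
    Format-Table -AutoSize
```

Run Test-WritebackDisabled on every AAD Connect server except the single one that is meant to write back; any server returning $false besides that one is the misconfiguration the reply warns about. Test-TenantSuffix only checks the attributes the reply names; extend it with sipAddress or other attributes your sync rules flow.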