Forum Discussion
Azure AD Connect - One forest - Two tenants - Same OUs
Thank you for the response, we definitely know there will be a lot of challenges with this. Here's the interesting part: the tenant has the users provisioned already through PowerShell directly into the tenant. We are being asked to bolt on a new Azure AD Connect, and the immutable IDs match what is in the on-premises AD. Would we need custom attribute mappings for UPN, proxy address, mail, and SIP if the same user object is going to be synchronized from on-premises AD with the different domains to two tenants? We have been pushing to create two IDs since the two tenants are really separate entities. B2B can be used down the road for cross-tenant collaboration.
You'd certainly need to apply attribute transformations to those name-based attributes to ensure they are tenant-specific, i.e. you cannot have a user with the same userPrincipalName in two separate tenants.
If the immutableId is the same across all tenants and the joining criteria are the same, then all the Azure AD accounts across all tenants will join the underpinning Active Directory account, at which point any Azure attributes populated by the script will be updated with the on-premises values where applicable (be that with the direct value or transformed value).
Depending on how the attribute transformations are implemented within AAD Connect, and how closely that aligns to how the script behaved, it's definitely possible that some/all of these attributes could change value in each tenant.
Cheers,
Lain
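A small model of the two behaviours Lain describes, added here as an illustration and not code from the thread or from AAD Connect itself: each tenant gets its own transformation of the name-based attributes (UPN, mail, proxyAddresses, SIP address) so UPNs cannot collide, and the sync joins on immutableId and overwrites whatever the provisioning script put in the cloud object. The verified domains `contoso.com` and `fabrikam.com`, the on-prem suffix `corp.local`, the user data and the "script drift" in the cloud state are all constructed; the immutableId derivation (base64 of the objectGUID bytes) is the classic AAD Connect default sourceAnchor. In the real product the transformation is expressed as a sync rule expression rather than Python, but the effect on the cloud objects is the same.

```python
"""Simulation of per-tenant attribute transformation plus immutableId join.

Constructed example: one on-premises forest synced to two tenants that each own a
different verified domain. Not AAD Connect code; it models the outcome of the sync.
"""
import base64
import uuid
from copy import deepcopy

# Constructed on-premises user (sample data, not from any real directory).
ALICE_GUID = uuid.UUID("11111111-1111-1111-1111-111111111111")
ONPREM_USERS = [
    {"objectGUID": ALICE_GUID,
     "userPrincipalName": "alice@corp.local",
     "mail": "alice@corp.local",
     "proxyAddresses": ["SMTP:alice@corp.local", "smtp:alice.smith@corp.local"],
     "msRTCSIP-PrimaryUserAddress": "sip:alice@corp.local"},
]

# Per-tenant rule: which verified domain replaces the on-prem suffix (assumed values).
TENANT_RULES = {"tenantA": {"domain": "contoso.com"},
                "tenantB": {"domain": "fabrikam.com"}}


def immutable_id(object_guid):
    """Classic AAD Connect sourceAnchor: base64 of the objectGUID in .NET byte order."""
    return base64.b64encode(object_guid.bytes_le).decode()


def replace_suffix(value, new_domain):
    """Swap the domain part, keeping the local part and any 'SMTP:'/'smtp:'/'sip:' prefix."""
    prefix, sep, addr = value.partition(":")
    if not sep:                      # plain address without a protocol prefix
        prefix, addr = "", value
    local = addr.rpartition("@")[0]
    return f"{prefix}{sep}{local}@{new_domain}"


def transform(onprem_user, tenant):
    """The tenant-specific flow of the name-based attributes."""
    domain = TENANT_RULES[tenant]["domain"]
    return {
        "immutableId": immutable_id(onprem_user["objectGUID"]),
        "userPrincipalName": replace_suffix(onprem_user["userPrincipalName"], domain),
        "mail": replace_suffix(onprem_user["mail"], domain),
        "proxyAddresses": [replace_suffix(p, domain) for p in onprem_user["proxyAddresses"]],
        "sipAddress": replace_suffix(onprem_user["msRTCSIP-PrimaryUserAddress"], domain),
    }


def sync_tenant(tenant, cloud_users, onprem_users):
    """Join each on-prem object to the cloud object with the same immutableId and
    overwrite the mastered attributes. Returns the list of (immutableId, attr, old, new)."""
    by_id = {u["immutableId"]: u for u in cloud_users}
    changes = []
    for user in onprem_users:
        desired = transform(user, tenant)
        target = by_id.get(desired["immutableId"])
        if target is None:
            continue                 # no join: would be provisioned as a new object
        for attr, value in desired.items():
            if target.get(attr) != value:
                changes.append((desired["immutableId"], attr, target.get(attr), value))
                target[attr] = value
    return changes


def upn_collisions(tenant_users):
    """UPNs that exist in more than one tenant; must be empty after transformation."""
    seen = {}
    for tenant, users in tenant_users.items():
        for u in users:
            seen.setdefault(u["userPrincipalName"], set()).add(tenant)
    return {upn for upn, tenants in seen.items() if len(tenants) > 1}


# Constructed cloud state as left by the provisioning script, with two small
# deviations from what the sync will flow (an alias missing, a different mail convention).
CLOUD_STATE = {
    "tenantA": [{"immutableId": immutable_id(ALICE_GUID),
                 "userPrincipalName": "alice@contoso.com",
                 "mail": "alice@contoso.com",
                 "proxyAddresses": ["SMTP:alice@contoso.com"],
                 "sipAddress": "sip:alice@contoso.com"}],
    "tenantB": [{"immutableId": immutable_id(ALICE_GUID),
                 "userPrincipalName": "alice@fabrikam.com",
                 "mail": "alice.smith@fabrikam.com",
                 "proxyAddresses": ["SMTP:alice.smith@fabrikam.com", "smtp:alice@fabrikam.com"],
                 "sipAddress": "sip:alice@fabrikam.com"}],
}


def run_demo():
    """Sync both tenants from the same forest; report per-tenant state and changes."""
    state = deepcopy(CLOUD_STATE)
    return {tenant: {"users": users, "changes": sync_tenant(tenant, users, ONPREM_USERS)}
            for tenant, users in state.items()}


if __name__ == "__main__":
    result = run_demo()
    for tenant, r in result.items():
        for _, attr, old, new in r["changes"]:
            print(f"{tenant}: {attr} changed {old!r} -> {new!r}")
    print("UPN collisions:", upn_collisions({t: r["users"] for t, r in result.items()}))
```

Running it shows that the UPNs stay unique across the two tenants, while the attributes the script populated differently from the on-prem data (proxyAddresses in tenant A, mail and proxyAddresses in tenant B) are rewritten on the first sync; comparing the script's conventions against the planned sync rules before enabling export is the way to see that drift in advance.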