Atul Moghe
Mar 23, 2017Brass Contributor
Azure AD Connect and On-Prem ADFS federated with multiple partner organization
Scenario: We have an on-prem ADFS which is configured to federate with couple of partner organizations. The federated authentication with both our partners works well in On-Prem. Now we want to use ...
WH-808
Nov 24, 2017Copper Contributor
I'd assume they wouldn't want them using a Microsoft account for account management purposes. You can sign up for a Microsoft account with any email address. If they do it with their work email address, two things would happen that would be issues with a lot of organizations. 1. It would be a separate account with a separate password. 2. If they left the partner company, they would still be able to log in with the Microsoft account after the company partner account is deactivated or password changed.
The partner would need their own Azure AD with on-prem accounts synced or their own ADFS and you would federate your Azure AD with that.
Nov 30, 2017
Good point, it would be better from the management point of view to have all users in Azure AD in the partner's own tenant.
However, there is no need to federate anything, Office 365 takes care of authentication. Besides, if the partner is already using Office 365, their domain is registered to their tenant and it cannot be federated to other tenants.
- WH-808 (Nov 30, 2017, Copper Contributor): I think you might be mixing up federation with sync. You can't sync a domain to more than one tenant, but you can absolutely federate with other directories. If they are in another Azure tenant, you have two options: invite them as external users to your tenant, or set up federation between two tenants using custom policies. If you don't mind external users in your directory, then inviting them as external users is by far the easiest of the two options.
- Nov 30, 2017
The term federation means many things in Office 365/Azure AD, so I think we are simply talking about different things here.
What I meant by federation is that you either create a new federated domain to Office 365 or convert an existing one to federated:
```powershell
# Create a new federated domain
New-MsolFederatedDomain -DomainName mydomain.com

# Convert a domain to federated
Convert-MsolDomainToFederated -DomainName mydomain.com
```
This naturally requires that the domain is registered to that Office 365 tenant. Moreover, what the federation does is that it only authenticates the user. To log in and use Office 365 services, there must be a matching user object in the Office 365 tenant.
I suppose by federation you meant something like Azure B2B Collaboration?
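The reply above makes two checkable claims: the domain has to be registered to (verified in) the tenant before it can be federated, and federation only authenticates, so a matching user object must still exist. The following MSOnline script is an added example and is not code from the thread or from Microsoft's documentation; it runs those pre-flight checks before anyone touches `Convert-MsolDomainToFederated`. The domain name and UPN are placeholders, and `Connect-MsolService` prompts for an account with directory read rights.

```powershell
# Added example (not from the thread): pre-flight checks with the MSOnline module
# before converting a domain to federated, plus a check that a matching user
# object exists. Domain and UPN values are placeholders.
# Requires: Install-Module MSOnline; Connect-MsolService (interactive sign-in).

$DomainName = 'mydomain.com'         # placeholder, replace with your domain
$Upn        = 'alice@mydomain.com'   # placeholder user to check

Connect-MsolService

# 1. The domain must be verified in THIS tenant; a domain registered to another
#    tenant cannot be federated here.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Status -ne 'Verified') {
    throw "Domain $DomainName is not verified in this tenant (status: $($domain.Status))."
}

# 2. Report whether the domain is currently Managed or Federated.
Write-Host "Domain $DomainName authentication type: $($domain.Authentication)"

if ($domain.Authentication -eq 'Federated') {
    # Show the issuer and endpoints the tenant already trusts, so an existing
    # trust is not silently overwritten.
    Get-MsolDomainFederationSettings -DomainName $DomainName |
        Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
}

# 3. Federation only authenticates; a matching user object must exist in the
#    tenant or the federated sign-in will fail after the ADFS round trip.
$user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if ($null -eq $user) {
    Write-Warning "No user object for $Upn in this tenant; federated sign-in would fail."
} else {
    Write-Host "User $Upn exists (ImmutableId: $($user.ImmutableId))"
}

# Only after the checks above pass would you run the conversion (not executed here):
# Convert-MsolDomainToFederated -DomainName $DomainName
```

The `ImmutableId` printed in step 3 is what ties the cloud object to the on-prem identity that ADFS asserts, so an empty value on a synced domain is worth investigating before converting.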
- WH-808 (Nov 30, 2017, Copper Contributor): I mean federation as defined, which is joining two distinct or disconnected directories. The purpose is so you do not have to create and manage users in the other directory. The user account exists and is maintained in one directory, but can access resources trusted by another directory. You can set up a B2B tenant if you'd like, but that is just one way to accomplish it. You are correct that a user object has to exist in the Azure AD tenant to log in to O365; that is what the invite as external user from another Azure AD tenant option does. This only makes the user available to be granted access to applications under the tenant, but their user account still exists and is maintained in the other tenant.
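The "invite as external user" option described in the reply above, shown end to end as an added example (not code from the thread or from Microsoft): the invitation creates a guest object in this tenant while the partner's credentials stay in their home tenant, and a final query lists all guests so the lifecycle concern raised earlier in the thread (partner leavers keeping access) can be reviewed periodically. The partner address and redirect URL are placeholders, and `Connect-AzureAD` needs an account allowed to invite guests.

```powershell
# Added example (not from the thread): invite a partner user as a B2B guest with
# the AzureAD module, confirm the resulting guest object, and list guests for
# review. Address and URL values are placeholders.
# Requires: Install-Module AzureAD; Connect-AzureAD (interactive sign-in).

$PartnerEmail = 'bob@partner.example'          # placeholder partner address
$RedirectUrl  = 'https://myapps.microsoft.com'  # where the guest lands after redemption

Connect-AzureAD

# Send the invitation. No password is created here; the guest authenticates
# against their own directory and only a guest object is created in this tenant.
$invite = New-AzureADMSInvitation -InvitedUserEmailAddress $PartnerEmail `
                                  -InviteRedirectUrl $RedirectUrl `
                                  -SendInvitationMessage $true

Write-Host "Invitation status: $($invite.Status)"   # PendingAcceptance until redeemed

# Verify the guest object that now exists in this tenant. Guest UPNs take the
# form bob_partner.example#EXT#@<yourtenant>.onmicrosoft.com.
$guest = Get-AzureADUser -ObjectId $invite.InvitedUser.Id
$guest | Select-Object DisplayName, UserPrincipalName, UserType, CreationType

if ($guest.UserType -ne 'Guest') {
    Write-Warning "Expected a Guest object for $PartnerEmail, got $($guest.UserType)"
}

# Periodic review: list every guest so stale partner accounts can be removed.
# Deactivation in the partner's tenant blocks their sign-in, but the guest
# object and its group memberships here remain until you remove them.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Select-Object DisplayName, UserPrincipalName, CreationType, AccountEnabled
```

Removing a guest is `Remove-AzureADUser -ObjectId <id>`; grouping guests by the partner domain in the `#EXT#` UPN makes the review easy to scope to one partner at a time.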