Forum Discussion
Join and manage Windows 10 device in different tenant than home tenant
andrew1810
Thanks for your answer.
The problem is that the regions' IT management wish to enroll and administer their own devices in Intune, a role which is currently limited by the global admins, as the tenant is mostly managed by one region. It is correct that tagging and granular RBAC could allow them to do this in the same tenant.
However, if global admins mistakenly enforce a policy on all devices in Intune, the regions experience impact on their machines, and that is what they want to avoid. They have no control whatsoever, and now they want to be in control.
- StanMorisse, Apr 25, 2022, Copper Contributor
andrew1810
To clarify the (requested) situation a bit more, I would like to show the current environment and the requested design. The current situation is as indicated underneath.
[Diagram: current situation]
The customer would like to keep Microsoft 365, which is shared between the domains, in the first tenant.
To prevent the Global Admins or Intune administrators from damaging endpoints managed for users which are synced from domain C, they would like to have a separate tenant that holds their users and devices. So, in other words, they would like to join their devices to the 2nd tenant and manage them on that tenant, while not removing any functionality built in tenant 1.
[Diagram: requested situation]
I hope the design clarifies this a bit more.
- andrew1810, Apr 26, 2022, Copper Contributor
StanMorisse You can't have a custom domain on two different tenants, it won't let you add to a second without removing from the first. You're also restricted to AAD sync to one tenant only.
You could potentially add a new UPN for the extra tenant and then another AAD Connect server pointing to that one, but I have never tried it myself. It would effectively be a completely separate instance at that point though.
You also have to consider O365 apps, which would then presumably need to be logged in with their other UPN, so any SSO is no longer an option.
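Two checks that go with the points raised in the reply above, as an added example that is not part of the thread or of any Microsoft documentation: the first parses `dsregcmd /status` to confirm which Azure AD tenant a Windows 10 device actually ended up joined to (the tenant ID it is compared against is a placeholder, and the sample output is constructed so the parser can be exercised offline); the second uses the Microsoft Graph PowerShell module (`Get-MgDomain`, `Get-MgContext`) to check whether a custom domain is present and verified in the tenant you are currently signed in to, which is the property that blocks adding the same domain to a second tenant. The Graph part assumes the Microsoft.Graph module is installed and `Connect-MgGraph -Scopes 'Domain.Read.All'` has already been run.

```powershell
# Added example, not from the original post. Assumptions: the expected tenant
# GUID is a placeholder; Microsoft.Graph is installed and Connect-MgGraph was
# run with Domain.Read.All before calling Test-DomainVerifiedInTenant.

function Get-DeviceTenantJoin {
    [CmdletBinding()]
    param(
        # Tenant the device should be joined to (placeholder GUID, not a real tenant).
        [Parameter(Mandatory)] [string] $ExpectedTenantId,
        # Optional raw 'dsregcmd /status' text so the parser can run offline.
        [string] $StatusText
    )
    if (-not $StatusText) {
        # dsregcmd ships with Windows 10/11; /status does not require elevation.
        $StatusText = (dsregcmd /status | Out-String)
    }
    # dsregcmd prints 'Key : Value' lines; keep the first occurrence of each key
    # and ignore the box-drawing section headers, which contain no colon.
    $fields = @{}
    foreach ($line in ($StatusText -split "`r?`n")) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $key = $Matches[1]
            if (-not $fields.ContainsKey($key)) { $fields[$key] = $Matches[2] }
        }
    }
    $joined   = $fields['AzureAdJoined'] -eq 'YES'
    $tenantId = $fields['TenantId']
    [pscustomobject]@{
        AzureAdJoined    = $joined
        DomainJoined     = $fields['DomainJoined'] -eq 'YES'   # both YES = hybrid join
        TenantName       = $fields['TenantName']
        TenantId         = $tenantId
        ExpectedTenantId = $ExpectedTenantId
        JoinedToExpected = $joined -and ($tenantId -ieq $ExpectedTenantId)
    }
}

function Test-DomainVerifiedInTenant {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $DomainName)
    # Requires an existing Connect-MgGraph session with Domain.Read.All.
    $ctx    = Get-MgContext
    $domain = Get-MgDomain -DomainId $DomainName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ConnectedTenantId = $ctx.TenantId
        Domain            = $DomainName
        PresentInTenant   = [bool]$domain
        IsVerified        = [bool]($domain -and $domain.IsVerified)
        IsDefault         = [bool]($domain -and $domain.IsDefault)
    }
}

# Constructed sample of dsregcmd /status output (not captured from a real machine).
$sample = @"
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 11111111-2222-3333-4444-555555555555
"@

# Offline run against the constructed sample: JoinedToExpected should be True,
# and DomainJoined True alongside AzureAdJoined True indicates a hybrid join.
Get-DeviceTenantJoin -ExpectedTenantId '11111111-2222-3333-4444-555555555555' -StatusText $sample

# On a real device, omit -StatusText to parse the live dsregcmd output, e.g.
# Get-DeviceTenantJoin -ExpectedTenantId '<second-tenant-guid>'
# After Connect-MgGraph, check whether the custom domain is already taken here:
# Test-DomainVerifiedInTenant -DomainName 'contoso.com'
```

If `JoinedToExpected` comes back False while `AzureAdJoined` is True, the device registered against the other tenant (typically because hybrid join was still pointing at the first tenant's AAD Connect configuration), which is exactly the failure mode the second AAD Connect server idea has to guard against.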