Forum Discussion
Unnie
Dec 12, 2016Iron Contributor
Office 365, SharePoint Online profile sync
I am trying to synchronize all users from two different Azure AD into one single User profile application. I know that this is not possible by writing any custom sync job as CSOM does not have any us...
Brent Ellis
Dec 12, 2016Silver Contributor
The very nature of having two different Azure ADs means that you 'technically' have two different tenants. You have a primary one, and a secondary one (that was created against the primary one as the parent Azure account - like for billing purposes), but it isn't like a parent AAD and child AAD relationship. They are two very discrete, very separate entities.
You can't sync the two Azure ADs into a single SharePoint Online user profile service. Only accounts in the primary AAD are available to SharePoint Online. Accounts in the secondary AAD can be made available to SharePoint Online only as "external contacts" - but you more than likely don't want to do this. There are no APIs currently to create these contacts based on another AAD either, so it is a manual process to go that route.
Unless someone knows something I don't here, I am pretty certain this is a physical impossibility.
Why have two separate AADs?
Unnie
Dec 12, 2016Iron Contributor
Thanks @Brent. I have updated my question with why we are exploring the 2 AAD approach. Looks like this approach is going towards a dead end.
Brent Ellis
Dec 12, 2016Silver Contributor
Gotcha.
We did something similar, it's not a sharepoint based extranet, but a custom developed customer facing web application where we used the secondary AAD as our identity for that, and added our primary corporate users from our primary AAD into the secondary AAD to access the custom application.
Like I mentioned, it is a manual process to add our internal users to the secondary AAD, but we have just incorporated it into our new hire process, so it's not terrible.
What you may consider is the use of the guest/external contacts in your primary AAD, and then just make sure to be diligent in setting permissions in your primary SharePoint environment (using the "Everyone, except external users" group). Lots more to think about and plan for there, but we have kind of done this as well, with a dedicated site collection where "external" users are allowed, but all other site collections are "for internal purposes only".
Unnie
Dec 12, 2016Iron Contributor
There are around 100+ intranet SharePoint sites and 100+ extranet SharePoint sites. And we cannot rely on Site Owners' diligence while giving permission to users. I have posted another discussion on the whole thing I am trying to do here: https://techcommunity.microsoft.com/t5/SharePoint/SharePoint-Extranet-amp-intranet-migration-to-SPO/m-p/35223#M3173
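As an added example (not code from either poster), the concern above about not being able to rely on site owners' diligence can be addressed by enforcing the external-sharing posture from the tenant admin side with the SharePoint Online Management Shell, so that a site owner cannot loosen it. The cmdlets (Connect-SPOService, Set-SPOTenant, Get-SPOSite, Set-SPOSite) are the real ones; the tenant name "contoso" and the convention that extranet site collections live under /sites/ext-* are assumptions for illustration and must be adapted to your own naming.

```powershell
# Added example, not from the original thread.
# Goal: make "intranet = no external sharing, extranet = authenticated guests only"
# an admin-enforced property of each site collection instead of a per-owner decision.
# Assumptions (hypothetical): tenant is "contoso"; extranet sites are /sites/ext-*.

Connect-SPOService -Url https://contoso-admin.sharepoint.com

# 1. Tenant-wide guardrails. Hide the "Everyone" claim from the people picker so an
#    owner cannot grant a whole site to guests by accident, keep the
#    "Everyone except external users" claim available for intranet permissions,
#    and forbid anonymous links tenant-wide (guests must sign in).
#    The tenant setting is a ceiling: a site can be stricter, never looser.
Set-SPOTenant -ShowEveryoneClaim $false `
              -ShowEveryoneExceptExternalUsersClaim $true `
              -SharingCapability ExternalUserSharingOnly

# 2. Per-site enforcement driven by the naming convention, not by owner choice.
$sites = Get-SPOSite -Limit All
foreach ($site in $sites) {
    if ($site.Url -like 'https://contoso.sharepoint.com/sites/ext-*') {
        $wanted = 'ExternalUserSharingOnly'   # extranet: signed-in guests allowed
    } else {
        $wanted = 'Disabled'                   # intranet: no external sharing at all
    }
    if ($site.SharingCapability -ne $wanted) {
        Write-Host "Fixing $($site.Url): $($site.SharingCapability) -> $wanted"
        Set-SPOSite -Identity $site.Url -SharingCapability $wanted
    }
}

# 3. Audit pass: any intranet site that still allows external sharing is a finding.
#    Run this on a schedule; an empty result is the expected state.
Get-SPOSite -Limit All |
    Where-Object { $_.Url -notlike 'https://contoso.sharepoint.com/sites/ext-*' -and
                   $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability
```

Two caveats a practitioner should keep in mind: Get-SPOSite -Limit All does not return OneDrive sites, so personal sites need a separate pass if they are in scope, and the site-level SharingCapability governs sharing with guests, not membership of guests that already exist in the primary AAD; permissions granted directly to a guest account inside an intranet site still have to be reviewed (for example by checking site users for the #EXT# UPN suffix).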