Set AD User with External Email Address
My apologies for the delayed response, been hectic at work with our consolidation. Let me help give more insight as to the current setup.
Company A:
- Existing on-prem AD
- Existing AAD
- O365, no Exchange on-prem

Company B:
- O365, no Exchange on-prem
- Existing AAD
- No on-prem AD, all in Azure
I have a two-way trust between both companies. We have Company B's users imported into Company A's AD so they can log in, to reduce IT overhead given they are both small companies. I have moved Company B's workstations into Company A's AD, but not their servers in the cloud.
I have set up a site-to-site VPN between both domains so users in Company B can still access their cloud resources. I do not want to add a UPN suffix to the current AD environment, as this will cause more headaches than I care to have, given this is a one-man IT show. Besides, if that were the case I would have to migrate SPO, O365, etc., which is a hard stop for me.
The main purpose of wanting to add Company B's email address to the user accounts in Company A's domain is to route emails for self-service passwords and the like.
Let me know if you need anything further clarified. I know it's a cluster, but I'm doing the best with what I've got.
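Added example (not part of the original post): one way to stamp the external address onto the imported accounts on Company A's side is to set the on-prem `mail` attribute, which Azure AD Connect includes in its default synced attribute set. The account names and the companyb.example domain are hypothetical, the mapping is constructed inline, and the script assumes the RSAT ActiveDirectory module. It refuses to overwrite an address that is already set to something different, because silently redirecting password-reset mail is exactly the kind of change you want to notice. Whether the tenant's self-service password reset actually uses this value depends on how the authentication methods are configured in that tenant, so check the synced result and the SSPR settings rather than assuming.

```powershell
# Added example, not code from the original thread.
# Assumes: RSAT ActiveDirectory module; Company B's accounts already exist in Company A's AD;
# the SamAccountName -> external address mapping below is constructed and hypothetical.
Import-Module ActiveDirectory

function Set-ExternalMailAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [pscustomobject[]] $Mapping
    )

    foreach ($m in $Mapping) {
        $user = Get-ADUser -Identity $m.SamAccountName -Properties mail -ErrorAction Stop

        # Do not clobber an address that is already set to something else; that would
        # quietly move password-reset mail to a different mailbox.
        if ($user.mail -and $user.mail -ne $m.ExternalMail) {
            Write-Warning "$($user.SamAccountName): mail already set to '$($user.mail)', skipping"
            continue
        }

        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "set mail to $($m.ExternalMail)")) {
            # -EmailAddress writes the 'mail' attribute, the value Azure AD Connect syncs by default.
            Set-ADUser -Identity $user -EmailAddress $m.ExternalMail
        }
    }
}

# Constructed sample mapping (hypothetical accounts and domain).
$mapping = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   ExternalMail = 'jdoe@companyb.example' }
    [pscustomobject]@{ SamAccountName = 'asmith'; ExternalMail = 'asmith@companyb.example' }
)

# Dry run first, then apply.
Set-ExternalMailAddress -Mapping $mapping -WhatIf
Set-ExternalMailAddress -Mapping $mapping

# Verify what will be picked up on the next sync cycle.
Get-ADUser -Filter { mail -like '*@companyb.example' } -Properties mail |
    Select-Object SamAccountName, UserPrincipalName, mail |
    Format-Table -AutoSize
```

Run with `-WhatIf` first so the skip warnings surface before anything is written; the verification query at the end is what you compare against the user object in Azure AD after Azure AD Connect has run.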
This is a really complex scenario: not so much from the technical side, but more because of the restrictions imposed by legal separation.
At a very high level:
- I would have left Company B alone and completely separate;
- I would have then asked for the funding to establish Azure Active Directory Domain Services (Azure AD DS) within their tenant;
- I would have then created a one-way trust from Company B's Azure AD DS to Company A's on-premises Active Directory. This would allow Company B to log into Company A's workstations (so long as they're on-prem or hybrid joined) and access their resources, but not vice versa.
You could use a forest trust if that is appropriate, but I wouldn't have thought it would be.
I would not have moved Company B's workstations into Company A's forest, unless Company A's employees are going to log onto Company B's workstations.
Again, I'm reducing a complex requirement into some very basic bullet points, but keeping them separate, given they are legally separate entities, is actually pretty important until such time as they merge and are one legal entity.
Here's some Microsoft literature on the options.
- How trusts work for Azure AD Domain Services | Microsoft Docs
- Tutorial - Create a forest trust in Azure AD Domain Services | Microsoft Docs
- Tutorial - Create a customized Azure Active Directory Domain Services managed domain | Microsoft Docs
- Azure AD Connect: Supported topologies | Microsoft Docs (the Multiple Azure AD Tenants part in particular - not that I'm recommending this, but you are touching on it already)
- Plan your hybrid Azure Active Directory join deployment | Microsoft Docs (note the limitations, which is another reason to keep them separate)
Cheers,
Lain
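Added example, not part of Lain's reply: the reply's key point is trust direction (Company B's users getting into Company A's resources, but not the reverse), and the direction a trust actually has is easy to get backwards. This snippet, run on a Company A domain controller or a host with RSAT, lists every trust with its direction and the two security settings worth checking on any cross-organisation trust, and flags any trust that is two-way. Direction is reported relative to the domain you query: from Company A's side, a trust that lets Company B's accounts be granted access to Company A's resources shows as Outbound; an Inbound entry means Company A's accounts have the reverse path. The Company B domain name is hypothetical.

```powershell
# Added example, not code from the original thread.
# Assumes: run on a Company A domain controller (or RSAT host) as a user allowed to read trusts.
# Trust names in the output are whatever exists in your forest; 'companyb.example' below is hypothetical.
Import-Module ActiveDirectory

function Get-TrustReport {
    [CmdletBinding()]
    param()

    Get-ADTrust -Filter * -Properties Direction, ForestTransitive, SelectiveAuthentication,
                                       SIDFilteringForestAware, TrustType |
        Select-Object Name, Direction, ForestTransitive, TrustType,
                      # Selective authentication: only explicitly permitted foreign accounts can
                      # authenticate to resources here, instead of all of them by default.
                      SelectiveAuthentication,
                      # SID filtering: SIDs in the foreign user's token that do not belong to the
                      # trusted forest are discarded, blocking SID-history based privilege claims.
                      SIDFilteringForestAware
}

function Test-OneWayTrust {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $TrustName)

    $t = Get-ADTrust -Identity $TrustName -Properties Direction
    # The design in the reply wants exactly one direction; BiDirectional is the
    # "two-way" arrangement the original poster currently has.
    return ($t.Direction -ne 'BiDirectional')
}

Get-TrustReport | Format-Table -AutoSize

# Example check against a hypothetical trust partner name.
if (-not (Test-OneWayTrust -TrustName 'companyb.example')) {
    Write-Warning "Trust with companyb.example is two-way; accounts can be granted access in both directions."
}
```

The two boolean columns are the ones to look at before granting any foreign group access: with SelectiveAuthentication off, every account in the trusted forest can authenticate to every resource here that grants "Authenticated Users", and with SID filtering disabled a compromised trusted forest can present arbitrary SIDs.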