We have a customer who has been challenged to migrate to Exchange Online. At first they were interested in moving to their own dedicated tenant, but their parent company advised them to join its global tenant.
So we have Company A and SubCompany B. We already told SubCompany B that only one AAD Connect server is allowed. Company A certainly already uses this service. Therefore the AAD Connect server only needs to fetch the Active Directory from SubCompany B.
So there are scenarios with an AD trust and some without. Does it matter whether the AAD Connect server is located in the internal network or the DMZ?
I already learned that if you are not using the trust, the only choice for authentication is ADFS. But what possibilities do we have if we create a trust?
We don't know yet whether Company A uses pass-through authentication, for example. If that were the case, would SubCompany B be forced to use this authentication as well?
Are there limitations for a new company joining an established multi-forest single-tenant scenario?
Company A's recommendation is to migrate all accounts to their infrastructure. For them it sounds easy, because they have migrated some smaller companies. It looks like they are not considering that there will be a huge amount of data to move.
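As an added example (not part of the original post, and not anything Company A or SubCompany B provided), the following PowerShell inventory answers the three open questions above before any forest is added to the existing sync server: whether a trust already exists, which forests the single AAD Connect server already imports from, and which sign-in method the tenant is configured for. It assumes the RSAT ActiveDirectory module on a domain-joined host, the ADSync module on the AAD Connect server, and the MSOnline module with tenant admin rights; the forest name is a placeholder.

```powershell
# Added example, not from the original post. Pre-migration inventory for a
# multi-forest, single-tenant Azure AD Connect setup.
# Assumptions: RSAT ActiveDirectory module, ADSync module (on the AAD Connect
# server), MSOnline module with tenant admin rights. Forest name is a placeholder.

$subForest = 'subcompanyb.example'   # placeholder for SubCompany B's forest FQDN

# 1. Trust check: is SubCompany B's forest already trusted by Company A's forest?
Import-Module ActiveDirectory
$trusts = Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, TrustType
$trusts | Format-Table -AutoSize
if ($trusts.Name -contains $subForest) {
    Write-Host "Trust to $subForest exists"
} else {
    Write-Host "No trust to $subForest; AAD Connect will need separate forest credentials"
}

# 2. Connector check (run on the AAD Connect server): which forests does the
#    one permitted sync server already import from? Each AD connector = one forest.
Import-Module ADSync
Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'AD' } |
    Select-Object Name, ConnectorTypeName |
    Format-Table -AutoSize

# 3. Tenant sign-in method: 'Federated' domains use AD FS, 'Managed' domains use
#    cloud authentication (password hash sync or pass-through authentication).
#    These settings are tenant/domain wide, so a joining forest inherits them.
Connect-MsolService
Get-MsolDomain | Select-Object Name, Authentication, Status | Format-Table -AutoSize

# Password hash sync flag as seen by the sync server (ADSync module).
Get-ADSyncAADCompanyFeature | Select-Object PasswordHashSync
```

Run section 1 from a host in Company A's forest, section 2 on the AAD Connect server itself, and section 3 from any workstation with the MSOnline module. The output of section 3 is what settles the pass-through authentication question in the post: the method shown there applies to every synchronised forest, not just the one that first configured it.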
What are the disadvantages for SubCompany B for migrating to Company A?
- No dedicated GPOs
- No control over their own user accounts
- Complicated if some services stay in the SubCompany B forest