Automatic device join in single AD - multiple Azure topology


Hi all,

Our customer is considering implementing a topology with a single on-prem AD synchronized to multiple Azure AD tenants, using a single ADFS farm. The customer needs availability of Autopilot with Hybrid AD join for devices in all Azure AD tenants.

The document in the link below suggests that this is not supported, but maybe somebody has experience with this kind of setup and can comment?

MS documentation also says that device writeback is not supported in such a topology. But as I understand it, that should not be an issue when using Autopilot, because it is the Intune connector (and not the AD sync agent) that creates the on-prem AD account for the machine. Is that correct?

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multit...

BR, Ruslan

Hi Ruslan,
I use Seamless SSO and am able to use hybrid join, writeback and Autopilot. My environment is two on-prem domains syncing to one tenant.

Used to have ADFS but moved to SSSO because of the limitations with ADFS.

Hope this helps!
Moe