Hi Team,

I have a below scenario to discuss and looking for a single IAM solution.

- Business units ( 3 :(
- A, B & C

- 200 employees in each business unit i.e around 600 users

- Users email accounts are Microsoft O365 accounts

- No local AD currently and no ADFC in place

- 3 different tenants on 0365. 1 for each business unit i.e A, B & C

- users machines are in a workgroup

- Business Applications are hosted in AWS (SaaS services mostly)

**Solution required:**

- Single IAM solution for the company as its difficult to manage and control the distributed IDs all over the place
- Machines/laptops need to be domain joined and local workgroup profiles need to me migrated to target domain

**My thought process:**
- Setup local AD from A domain/business unit (Have separate OU to manage other business units). Local AD will become single source of Identities and can be managed centrally
- Make it hybrid using Azure AD Connect. Sync IDs to O365 Azure AD tenenats with UPN
- Setup SSO using federation between AWS SaaS applications with local AD.
- Bring workgroup machines into the domain and migrate local profiles to domain profiles on the machines using 3rd party tools

**Challenges:**
- Is it possible to sync single AD source through Azure AD connect to multiple O365 Azure AD tenants (as we have 3 in the scenario)? And with UPN
- If I create new IDs in local AD and sync them, what will actually happen to the existing O365 IDs for users in Azure AD? and how these IDs will be merged as users already have an email account with emails, calendar, etc.?
- Is it possible to set up a Federation between AWS SaaS Services and local AD using ADFS or is there any way to probably create a Federation between Azure AD and AWS Saas application?

Any pointers will be helpful to achieve IAM for the above scenario

Thanks in advance

Regards,