Forum Discussion

  • LeonPavesic
    Silver Contributor

    Hello MarkusKnuhr,

    Using cross-tenant synchronization, you can grant users in one AAD tenant access to resources, such as Azure Virtual Desktop (AVD), located in a different AAD tenant.

    It's important to note that cross-tenant synchronization requires establishing trust relationships between the participating AAD tenants. This involves configuring federation trust, identity synchronization, and appropriate access permissions.

    Here are some general steps to set up cross-tenant synchronization for accessing Azure Virtual Desktop (AVD) in another Azure Active Directory (AAD) tenant:

    1. Establish trust between the two AAD tenants:
    - In the source tenant:
      - Register an application in Azure Active Directory that represents the source tenant.
      - Configure the application to expose the necessary API permissions and generate the client secret.
    - In the target tenant:
      - Add the source tenant's AAD as a trusted organization.
      - Configure the trust relationship by providing the client ID and client secret generated in the source tenant.

    2. Enable identity synchronization between the two tenants:
    - Set up Azure AD Connect to synchronize user identities between the source and target tenants. This involves installing and configuring Azure AD Connect on a server in the source tenant.
    - During the configuration, select the appropriate synchronization options, including password synchronization or federation, based on your requirements.
    - Ensure that the user accounts in the source tenant are synchronized to the target tenant, either by matching the user principal names (UPNs) or by using alternate attribute mappings.

    3. Configure permissions and access controls in the target tenant:
    - Grant users from the source tenant access to the AVD resources in the target tenant.
    - In the target tenant:
      - Create a security group or identify an existing one to which the users from the source tenant will be added.
      - Assign the necessary roles and permissions to the security group at the resource group, subscription, or AVD resource levels.
      - For AVD, consider assigning roles such as "Desktop Application Group Administrator" or "Desktop User" to the security group.

    4. Test the cross-tenant synchronization setup:
    - Ensure that the user accounts from the source tenant are successfully synchronized to the target tenant.
    - Verify that the users from the source tenant can authenticate and access AVD resources in the target tenant using their respective credentials.
    - Test different scenarios, such as creating, accessing, and managing AVD sessions, to validate the cross-tenant synchronization.

    Keep in mind that the specific steps and configurations may vary depending on the version of Azure AD Connect you are using and any additional requirements specific to your environment. It is recommended to consult the official Microsoft documentation on cross-tenant synchronization and AVD configuration for detailed instructions and best practices.

    Kindest regards
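As an added example (not part of the post above), the following Az PowerShell script carries out the target-tenant part of steps 3 and 4: it assigns a role to a security group at the scope of an AVD application group without creating duplicate assignments, then reports which group members are external identities. It assumes the Az.Accounts and Az.Resources modules, a group name and application group resource ID that you supply, the built-in "Desktop Virtualization User" role, and the heuristic that external users in the target tenant carry `#EXT#` in their UPN.

```powershell
# Added example, not the poster's code. Requires Az.Accounts and Az.Resources.
# Sign in to the TARGET tenant first:  Connect-AzAccount -TenantId <target-tenant-id>
param(
    [Parameter(Mandatory)] [string] $GroupDisplayName,
    # Assumed input, e.g. /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.DesktopVirtualization/applicationGroups/<name>
    [Parameter(Mandatory)] [string] $AppGroupResourceId,
    # Built-in AVD role that lets members launch published desktops and apps (assumption for this example).
    [string] $RoleName = 'Desktop Virtualization User'
)

$group = Get-AzADGroup -DisplayName $GroupDisplayName
if (-not $group) { throw "Group '$GroupDisplayName' not found in the target tenant." }

# Step 3: assign the role at the application-group scope, only if it is not already present,
# so re-running the script does not pile up duplicate assignments.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $AppGroupResourceId `
                                 -RoleDefinitionName $RoleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Role '$RoleName' is already assigned to '$($group.DisplayName)' at this scope."
} else {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $AppGroupResourceId | Out-Null
    Write-Host "Assigned '$RoleName' to '$($group.DisplayName)' at $AppGroupResourceId."
}

# Step 4: list the group members and flag which ones are external (source-tenant) identities.
# Heuristic assumption: an external user's UPN in the target tenant contains '#EXT#'.
$members = Get-AzADGroupMember -GroupObjectId $group.Id
$report = foreach ($m in $members) {
    $u = Get-AzADUser -ObjectId $m.Id -ErrorAction SilentlyContinue
    if ($u) {
        [pscustomobject]@{
            DisplayName       = $u.DisplayName
            UserPrincipalName = $u.UserPrincipalName
            External          = $u.UserPrincipalName -like '*#EXT#*'
        }
    }
}
$report | Format-Table -AutoSize

# A group with no external members means nothing from the source tenant has reached this
# tenant yet, so the access test in step 4 cannot succeed; say so explicitly.
$externalCount = @($report | Where-Object { $_.External }).Count
if ($externalCount -eq 0) {
    Write-Warning "No external identities found in '$($group.DisplayName)'; check the synchronization before testing AVD access."
} else {
    Write-Host "$externalCount external member(s) present; proceed with the sign-in test."
}
```

Only members that are user objects are reported; nested groups are skipped by the `Get-AzADUser` lookup.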
