Theoretical question - AD / Azure deployment


Let's say we have an organization on-prem with AD ( and all the usual services.
This company has a lot of clients who need access to some applications, such as SaaS, that can be implemented in Azure. Let's say the company's clients include several hundred companies and their corresponding users. So each client would have 5-10 users who need access to the applications provided by

Such external, outside users can, and probably should, be maintained in a separate directory ( Let's say this is going to be an Active Directory which exists on-prem and maintains a one-way trust with the AD environment. Or completely separated; not really that significantly important, I think. maintains their own Azure tenant. Also, for the clients, they can set up a separate tenant or create a separate directory in their own Azure tenant and sync users from Each external company would be represented by their own OU, with users for that company synced from the on-prem AD directory to: either the same tenant under a different directory, or synced from AD to the tenant. Multiple "sync profiles" can be created within the AADConnect tool to sync a specific OU to a specific directory in the tenant, which basically would result in something like this -,, etc.
I hope this makes sense.

Is that something practical and realistic?
Are there any better or more functional approaches for such design?

Thank you for your time and feedback.

2 Replies

@VickVega, your idea might work, but not as you expect. Look, there are some supported topologies that you can deploy using Azure AD Connect that will enable your customers to have their credentials (and passwords) synchronized.


Have you read this doc already?


Since your customer's clients must connect using their own credentials, I think it is worth taking a look at that documentation.


Also, creating a structure like * is currently not supported, since you will only have access to domain. What you can do instead is use a custom domain like and then assign the users this domain as their UPN, like The problem with that is that you must have a separate domain exclusively to do this, and you must be sure that you won't have any conflicts with users' credentials (this might be a real headache).

Last thing is: is the application ready to be integrated with social accounts? Would the application be compatible with Facebook, Google, etc.? If so, you could try using Azure B2C for your customer to solve this.


Hope you find this useful.



@Carlos Oliveira Thank you. I have seen that article, and the closest that can be done is this approach ("Each object only once in an Azure AD tenant").