User Authentication

Copper Contributor

Hi there


I was hoping that I could get a bit of guidance on the challenge I have.


We are an established Office365 customer with SSO with ADFS; for the purpose of this we are using the email address


Our organisation recently acquired another organisation, who are an existing Office365 customer on a separate tenant and Active Directory domain. For the purpose of this, the email address is  They also have a sizeable SharePoint Online and Yammer content environment. Again, they are set up with SSO with ADFS.



The management team have set us the following challenge.

  • Migrate email services only from, leaving SharePoint and Yammer on the existing environment.
  • Retain the existing Active Directory domain and user accounts; these are to be used to access the email accounts set up in tenancy
  • Also used to access the retained content in the tenancy


I cannot see how this is possible and would appreciate any pointers or guidance that I could be given. I have carried out previous migrations from on-premise and Office365 tenancy migrations, but as yet I have not come across the above requirements, and through the investigations I have carried out I cannot see a possible solution for this.


Any help would be greatly appreciated.



2 Replies

Hi David,


You will need to do a Tenant to Tenant migration. But the problem with that is that it is only possible to have your in one tenant.


You can read here the process to migrate email.

Hi David,


I think that the biggest problem is the authentication part. There are many ways to migrate emails after that is sorted out so I'll skip that part for now.


The scenario you mentioned is possible, here are the steps. For clarity, I use TenantA and TenantB.

  1. You need to move the domain from TenantB to TenantA
    1. Register a new domain name to TenantB, such as
    2. Modify the Azure AD Connect (aka directory sync) synchronization rules so that users' UPN is synced as instead of
    3. You may need to manually change existing users' UPNs to the new one (a PowerShell script will do) in the cloud; don't forget the groups (although they do not matter).
    4. Remove the domain from TenantB and add & verify it in TenantA
  2. Configure Azure AD Connect of TenantA
    1. Add all email aliases to proxyAddresses attribute for users in their AD.
    2. Add a new forest to Azure AD Connect  ( of TenantA
    3. Modify the Azure AD Connect rules so that users' UPN is synced as (OR leave it as is)

That should do it. Now the users can log in to TenantA using email address (OR and to TenantB using 


Please note that in this scenario there are two Azure AD Connect instances syncing the same on-premise AD (original to the cloud, which is not an officially supported scenario. However, as long as nothing is written back from TenantB, everything should be okay.
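As an added illustration of step 1.3 above (this is example code, not the replier's script), the following Microsoft Graph PowerShell script bulk-renames the cloud UPNs of TenantB users from the suffix that is about to move to TenantA to the newly registered suffix, refusing to run until that new suffix is verified and logging every planned or completed change. The two domain names are placeholders, since the post's actual domains are not on the page.

```powershell
# Added example (not from the post above): rename cloud UPNs in TenantB from the
# domain being moved to TenantA to the domain registered in step 1.1 (step 1.3).
# Assumptions: Microsoft.Graph PowerShell SDK installed; domain names are placeholders.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
param(
    [string]$OldSuffix = 'old-tenantb.example',   # placeholder: domain moving to TenantA
    [string]$NewSuffix = 'new-tenantb.example',   # placeholder: new TenantB domain
    [switch]$Commit                               # without -Commit the script only reports
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Domain.Read.All' -NoWelcome

# Safety check: the new suffix must be verified in TenantB before any UPN can use it.
$domain = Get-MgDomain -DomainId $NewSuffix -ErrorAction SilentlyContinue
if (-not $domain -or -not $domain.IsVerified) {
    throw "Domain '$NewSuffix' is not verified in this tenant; add and verify it first."
}

# Collect every user still carrying the old suffix. Filtering client-side avoids the
# advanced-query requirements of a server-side endsWith() filter.
$users = Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesSyncEnabled |
    Where-Object { $_.UserPrincipalName -like "*@$OldSuffix" }

$log = foreach ($u in $users) {
    $newUpn = ($u.UserPrincipalName -split '@')[0] + "@$NewSuffix"
    $status = 'planned'
    try {
        if ($Commit) {
            Update-MgUser -UserId $u.Id -UserPrincipalName $newUpn -ErrorAction Stop
            $status = 'renamed'
        }
    } catch {
        # Typical causes: the new UPN is already taken, or the object is still
        # mastered on-premises and the sync rule change from step 1.2 has not run yet.
        $status = "failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        OldUpn = $u.UserPrincipalName
        NewUpn = $newUpn
        Synced = $u.OnPremisesSyncEnabled
        Status = $status
    }
}

# Keep an audit trail of what was (or would be) changed before the old domain
# is removed from TenantB in step 1.4.
$log | Export-Csv -Path ".\upn-rename-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
$log | Format-Table -AutoSize
```

Run it once without -Commit to review the planned renames in the CSV, then again with -Commit; any 'failed' rows point at users whose UPN must be fixed on-premises or by hand before the domain can be released.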