User Authentication

David Frankland
Occasional Visitor

Hi there


I was hoping that I could get a bit of guidance to the challenge I have.


We are an established Office365 customer with SSO with ADFS, for the purpose of this we are using the email address @companya.com


Our organisation recently acquired another organisation, who are an existing Office365 customer on a seperate tenant and active directory domain.  For the purpose of this, the email address is @anothercompany.com.  They also have a sizeable sharepoint online and yammer content environment.  Again they are setup with SSO with ADFS



The management team have set us the following challenge.

  • Migrate email services only from @anothercompany.com to@companya.com, leaving sharepoint and yammer on the existing environment.
  • Retain the existing Active Directory domain and user accounts, these are to be used to access the email accounts setup in @companya.com tenancy
  • Also used to access the retained content in the @anothercompany.com tenancy


I cannot see how this is possible and would appreciate if there are any pointers or guidance that I could be given.  I have carried out previous migrations from onpremise and office365 tenancy migrations, but as of yet I have not come across the above requirements and through the investigations I have carried out I cannot see a possible solution for this. 


Any help would be greatly appreciated.



2 Replies

Hi David,


You will need to do a Tenant to Tenant migration. But for that problem is only possible to have your domainname.com in only one Tenant.


You can read here the process to migrate email.


Hi David,


I think that the biggest problem is the authentication part. There are many ways to migrate emails after that is sorted out so I'll skip that part for now.


The scenario you mentioned is possible, here are the steps. For clarity, I use TenantA and TenantB.

  1. You need move the @anothercompany.com domain from TenantB to TenantA
    1. Register a new domainname to TenantB, such as @cloud.anothercompany.com
    2. Modify the Azure AD Connect (aka directory sync) synchronization rules so that users' UPN is synced as @cloud.anothercompany.com instead of @anothercompany.com
    3. You may need to manually change existing users' UPNs to the new one (a PowerShell script will do) in cloud, don't forget the groups (although they do not matter).
    4. Remove the domain from TenantB and add & verify it in the TenantA
  2. Configure Azure AD Connect of TenantA
    1. Add all email aliases to proxyAddresses attribute for @anothercompany.com users in their AD.
    2. Add a new forest to Azure AD Connect  (@anothercompany.com) of TenantA
    3. Modify the Azure AD Connect rules so that @anothercompany.com users' UPN is synced as @companya.com (OR leave it as is)

That should do it. Now the @anothercompany.com users can login to TenantA using @companya.com email address (OR @anothercompany.com) and to TenantB using @cloud.anothercompany.com. 


Please note that in this scenario there are two Azure AD Connect instances syncing the same on-premise AD (original @anothercompany.com) to the cloud, which is not officially supported scenario. However, as long as nothing is written back from TenantB everything should be okay.