Aug 22 2017 06:13 AM - last edited on Feb 01 2023 12:52 PM by TechCommunityAP
Hi all,
Our scenario is the following:
CompanyA has on-premises AD and Exchange. They have deployed Azure AD Connect and ADFS with their own Azure tenant and everything is working fine.
CompanyB has their own on-premises AD and Exchange. They want to use the same tenant as CompanyA, but want the on-premises AD to be separated. What is the supported scenario, if any?
According to this article, the closest they get is Multiple forests, single Azure AD tenant: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologi...
What are the pros and cons?
They will probably need to set up a trust between them?
Other ways this can be achieved?
thanks!
Aug 22 2017 06:32 AM
Solution
Hi,
There can be only one Azure AD Connect instance for a single Azure tenant. This means you have to use one AAD Connect instance for both companies if you want to go single tenant.
Azure AD Connect supports connecting multiple forests to a single Azure AD tenant. A server that runs Azure AD Connect does not have to be joined to any domain locally; however, it must be able to access domain controllers in both forests.
In some cases, you can choose to place the Azure AD Connect server in a DMZ, especially if you do not have a direct network connection to all forests that you would like to include in the synchronization.
If you need more information, you probably should tell us what your goal is and how both companies must work together.
Aug 22 2017 06:41 AM
Hi Dominik, and thanks for the prompt reply.
As of now, the main goal is that both companies can collaborate with each other in Office 365, but keep internal systems separate.
Not sure if it's better they merge the on-premises environments or go for the trust and use a single AD Connect.
thanks!
Aug 22 2017 06:53 AM - edited Aug 22 2017 06:54 AM
You are welcome.
From my perspective, if they want to manage their own on-premises Active Directory, use one AAD Connect instance and go to a single Azure tenant.
You can merge it later if you want; this is no problem. Depending on the AAD Connect server placement (domain joined, locally or DMZ), you need no trust relationship.
Make sure the admins from both companies agree on a good design decision about what to sync, what to merge and which attributes are needed. Then this will be no problem.
Aug 22 2017 11:15 PM
Thanks Dominik,
Currently we do not have a full overview of their environment and are not sure which workloads they want to migrate to Office 365.
My guess is that they have AADC joined to the domain at CompanyA.
Will they need to create a trust between them for this setup to work?
Thanks!
Aug 22 2017 11:56 PM
Thanks Dominik,
What about ADFS with single sign-on, does it not need a trust between them either?
You mean they can freely collaborate in O365 without having any trust between their on-premises environments?
Trying to read up on some documentation, but this scenario seems to be a bit vague.
Feb 14 2018 08:14 AM - edited Feb 14 2018 08:16 AM
If you have two companies as follows:
Company A
Domain: CompanyA.com
Manage and Control their own AD/Exchange forest
Company B
Domain: CompanyB.com
Manage and Control their own AD/Exchange forest
1. Could you migrate these two companies to a single domain (companyC.com)
2. If so, could you run Exchange hybrid until the migration is complete, for example, Joe from Company B is migrated to O365 he now has (joe@companyC.com), but Beth also from Company B has not been migrated, so she's still (beth@companyB.com). Mary from Company A is migrated to O365 so she now has (mary@companyC.com), but Tom also from Company A has not been migrated, so he's still (tom@companyB.com).
3. Could you migrate these two companies to multiple domains under a single tenancy, for example, company A stays companyA.com and company B stays companyB.com in O365, but under a single tenancy structure where administration, billing, and usage are tracked under a single account.
Appreciate your feedback.
Feb 14 2018 09:06 AM
1 and 2 are a no-go, since companyC has to be owned by one of the companies and you cannot share a UPN domain with multiple forests in a trust... not 100% sure.
3 is yes. CompanyA and CompanyB have a trust and communications to each other. Azure AD Connect is set up in the domain that is set up for O365. The same Azure AD Connect can sync users from the other domain. They will then share the same tenancy; this is called multiple forests: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologi...
Both domains should have their own Exchange on-premises in a hybrid setup, since linked mailboxes are not supported in O365.
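As an added example (not from the thread or from Microsoft), the following PowerShell pre-sync check covers the two design points raised above: the attributes that must be unique before two forests feed one AAD Connect instance, and the UPN suffixes that must be verified in the shared tenant. The DC names, the CompanyB read account and the verified-domain list are assumptions; it uses only the RSAT ActiveDirectory module and does not require a forest trust.

```powershell
# Added example: find cross-forest attribute collisions and unverified UPN suffixes
# before pointing a single Azure AD Connect instance at both forests.
# Assumptions: DC hostnames, a read-only account for CompanyB, and the tenant's
# verified domains (check them with Get-AzureADDomain before relying on the list).
Import-Module ActiveDirectory

$Forests = @(
    @{ Name = 'companya.com'; Server = 'dc01.companya.com'; Credential = $null },
    @{ Name = 'companyb.com'; Server = 'dc01.companyb.com'
       Credential = (Get-Credential -Message 'CompanyB read-only account') }
)
$VerifiedDomains = @('companya.com', 'companyb.com')   # assumption: verified in the tenant

# Collect the sync-relevant attributes from every enabled user in each forest.
$Users = foreach ($f in $Forests) {
    $params = @{
        Filter     = 'Enabled -eq $true'
        Server     = $f.Server
        Properties = 'UserPrincipalName', 'mail', 'proxyAddresses'
    }
    if ($f.Credential) { $params.Credential = $f.Credential }
    Get-ADUser @params | ForEach-Object {
        [pscustomobject]@{
            Forest = $f.Name
            Sam    = $_.SamAccountName
            UPN    = $_.UserPrincipalName
            # keep only SMTP addresses; strip the smtp:/SMTP: prefix (case-insensitive)
            Smtp   = @($_.proxyAddresses | Where-Object { $_ -match '^smtp:' }) -replace '^smtp:', ''
        }
    }
}

# 1. Same UPN in both forests: AAD Connect cannot tell which object owns the cloud identity.
$Users | Where-Object UPN | Group-Object { $_.UPN.ToLower() } | Where-Object Count -gt 1 |
    ForEach-Object { "DUPLICATE UPN  $($_.Name): $($_.Group.Forest -join ', ')" }

# 2. Same SMTP address in both forests: produces duplicate-attribute sync errors in the tenant.
$Users | ForEach-Object { $u = $_; $u.Smtp | ForEach-Object {
        [pscustomobject]@{ Addr = $_.ToLower(); Forest = $u.Forest } } } |
    Group-Object Addr | Where-Object { @($_.Group.Forest | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { "DUPLICATE SMTP $($_.Name): $($_.Group.Forest -join ', ')" }

# 3. UPN suffixes not verified in the tenant are rewritten to the default onmicrosoft.com suffix.
$Users | Where-Object { $_.UPN -and (($_.UPN -split '@')[1] -notin $VerifiedDomains) } |
    Select-Object Forest, Sam, UPN | Sort-Object Forest, UPN
```

Run it from the planned AAD Connect host so the test also proves that host can reach domain controllers in both forests.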
May 22 2018 02:46 PM
Hi @Off2w0rk, were you able to successfully federate two different domains/companies to one O365 Tenant?
We have a long-term partnership with a company that has their own O365 tenant and AD on-premises environment.
But we want to add their domain to our O365 only (not our on-prem). From reading this forum, you are able to use Azure AD Connect and add the other company from there?
And they would still be able to access their tenant and our tenant?
May 22 2018 11:00 PM
Hi Mark,
Yes, we ended up with a full trust between the on-premises ADs and used Azure AD Connect to sync both ADs to O365.
Please look at supported topologies for Azure AD Connect here:
Can you describe the part where you want to add their domain only to your O365?
What kind of collaboration are you looking for?
For you, I think B2B is the best option, then you don't need to have any On-premises AD trust.
More info here: https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b
May 23 2018 01:01 AM
1: yes you can
2: this also works fine (I've done this for a customer with 8 different source forests)
3: Microsoft will consider the tenant as a single customer, so you'd have to figure out some way to allocate license costs to the different companies. In addition, administrators will be able to administer ALL users (depending a little on setup), so you'll need some governance on that.
In the case of having multiple Azure AD tenants, AAD sync, separate AD Forests with trusts:
Can a user in Company A manage an Exchange resource in Company B?
Jul 26 2018 12:02 AM
You can grant delegated access to another company so they can manage your O365 tenant using their own credentials.
Is there a solution for Company A with on-premises Exchange to manage Company B's resource calendar on O365?
Jul 29 2018 06:36 AM
Can you please explain how you did this migration?