Multi-forest and AAD Sync


I am trying to understand the AAD requirements for AATP in my setup. My primary domain (ContosoA.com) holds the majority of our user accounts. All accounts in ContosoA.com are replicated to our AAD tenant using AD Connect. We have an additional domain which is located in a separate forest named ContosoB.com. There is a 2-way transitive trust set up between ContosoA and ContosoB. The only accounts set up in ContosoB are admin and service accounts. Staff use their ContosoA accounts to access resources in ContosoB when needed. We also have a 3rd domain named ContosoDemo which does not have a trust with either of the other forests. We have admin/service accounts in ContosoDemo plus a handful of demo user accounts. I plan to install the AAD sensor on the DCs in all 3 domains.


Do I need to set up AD Connect to replicate all accounts in ContosoB and ContosoDemo to my current AAD in order for AATP to protect all 3 domains, or is it only required for ContosoA?


Thanks,

Brian


@Brian_Sutton No, for now, AATP only protects on-prem DCs.

So what you need to do is install sensors on all DCs from all domains/forests.

For domains without trust, you will need to supply additional credentials in the configuration console.

And that's it!
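To turn the answer above into a deployment checklist, here is an added PowerShell example (not from the thread or from Microsoft) that enumerates the domain controllers in each of the three domains and flags the ones the local forest has no trust with, i.e. the domains whose credentials must be entered separately in the AATP configuration console. It assumes the ActiveDirectory RSAT module is installed, that it runs from the ContosoA forest, and that `ContosoDemo.local` is a placeholder FQDN for the demo domain, which the thread does not give.

```powershell
# Added example, not code from the original thread. Builds a sensor-deployment
# plan for the multi-forest layout described above and marks which domains
# need separate directory credentials because no trust exists with this forest.
Import-Module ActiveDirectory

# Domain names from the thread; ContosoDemo's FQDN is an assumed placeholder.
$Domains = @('ContosoA.com', 'ContosoB.com', 'ContosoDemo.local')

# Domains inside the local forest, plus every trust partner the local forest knows about.
$LocalForest     = Get-ADForest
$LocalDomains    = $LocalForest.Domains | ForEach-Object { $_.ToLower() }
$TrustedPartners = Get-ADTrust -Filter * | ForEach-Object { $_.Name.ToLower() }

$Plan = foreach ($Domain in $Domains) {
    $key     = $Domain.ToLower()
    $trusted = ($LocalDomains -contains $key) -or ($TrustedPartners -contains $key)

    # Without a trust the current logon cannot query the domain, so ask for
    # the admin account that will also be entered in the configuration console.
    $queryArgs = @{ Server = $Domain }
    if (-not $trusted) {
        $queryArgs.Credential = Get-Credential -Message "Admin credentials for $Domain"
    }

    try {
        $dcs = Get-ADDomainController -Filter * @queryArgs |
               Select-Object -ExpandProperty HostName
    } catch {
        Write-Warning "Could not enumerate DCs in ${Domain}: $($_.Exception.Message)"
        $dcs = @()
    }

    [pscustomobject]@{
        Domain                = $Domain
        TrustedByLocalForest  = $trusted
        NeedsExtraCredentials = -not $trusted   # supply in the AATP configuration console
        DomainControllers     = $dcs            # every host listed here needs a sensor
    }
}

$Plan | Format-List
```

Run it as an account with read access to the trusted forests; for ContosoDemo it prompts once, which is the same credential the console will need.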


@Eli Ofek - Thanks for the quick reply! I was receiving conflicting info from a Microsoft support case; however, what you stated matches the way I thought it worked. Thanks.