Forum Discussion
Multi-forest and AAD Sync
I am trying to understand the AAD requirements for AATP in my setup. My primary domain (ContosoA.com) holds the majority of our user accounts. All accounts in ContosoA.com are replicated to our AAD tenant using AD Connect. We have an additional domain which is located in a separate forest named ContosoB.com. There is a 2-way transitive trust set up between ContosoA and ContosoB. The only accounts set up in ContosoB are admin and service accounts. Staff use their ContosoA accounts to access resources in ContosoB when needed. We also have a 3rd domain named ContosoDemo which does not have a trust with either of the other forests. We have admin/service accounts in ContosoDemo plus a handful of demo user accounts. I plan to install the AAD sensor on the DCs in all 3 domains.
Do I need to set up AD Connect to replicate all accounts in ContosoB and ContosoDemo to my current AAD in order for AATP to protect all 3 domains, or is it only required for ContosoA?
Thanks,
Brian
- EliOfek (Microsoft)
Brian_Sutton - No, for now AATP only protects on-prem DCs.
So what you need to do is install sensors on all DCs from all domains/forests.
For domains without trust, you will need to supply additional credentials in the configuration console.
And that's it!
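The two checks Eli describes (a sensor on every DC in every forest, and separate credentials for the forest with no trust) can be verified from a management host. The script below is an added example written for this thread, not code from Eli, Brian or Microsoft. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, that the sensor's Windows service is named `AATPSensor`, and a constructed DNS name `ContosoDemo.com` for the untrusted demo forest (the thread only names it ContosoDemo).

```powershell
# Added example (not from the thread): inventory every DC in each forest and report whether the
# AATP sensor service is present and running, so no DC is left without a sensor.
# Assumptions: RSAT ActiveDirectory module, WinRM reachable on the DCs, sensor service name
# 'AATPSensor', and explicit credentials for any forest without a trust to the admin's forest.
Import-Module ActiveDirectory

# Constructed forest list mirroring the thread. ContosoDemo has no trust with the others, so
# it needs its own credentials here and its own Directory Services account in the AATP console.
$forests = @(
    @{ Name = 'ContosoA.com';    Trusted = $true  },
    @{ Name = 'ContosoB.com';    Trusted = $true  },
    @{ Name = 'ContosoDemo.com'; Trusted = $false }   # placeholder DNS name for the untrusted forest
)

$report = foreach ($f in $forests) {
    $adParams = @{ Server = $f.Name }
    $psParams = @{}
    if (-not $f.Trusted) {
        # No trust: the current logon token cannot query this forest, so prompt for an account there.
        $cred = Get-Credential -Message "Credentials for untrusted forest $($f.Name)"
        $adParams.Credential = $cred
        $psParams.Credential = $cred
    }

    # Walk every domain in the forest, not just the forest root; child domains have DCs too.
    $forestObj = Get-ADForest @adParams
    foreach ($domain in $forestObj.Domains) {
        $dcs = Get-ADDomainController -Filter * -Server $domain @($adParams.Credential ? @{ Credential = $adParams.Credential } : @{})
        foreach ($dc in $dcs) {
            # Query the sensor service remotely; a missing service comes back as $null.
            $svc = Invoke-Command -ComputerName $dc.HostName @psParams -ErrorAction SilentlyContinue -ScriptBlock {
                Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                Forest         = $f.Name
                Domain         = $domain
                DC             = $dc.HostName
                SensorService  = if ($svc) { $svc.Status } else { 'NotInstalled' }
                NeedsDSAccount = -not $f.Trusted   # separate credentials required in the console
            }
        }
    }
}

# Anything other than 'Running' in SensorService is a coverage gap to close before relying on AATP.
$report | Sort-Object Forest, Domain, DC | Format-Table -AutoSize
```

The `NeedsDSAccount` column is just the trust flag carried through to the report: it reminds the operator which forests must have a Directory Services account configured in the AATP console in addition to having sensors installed. The ternary splat on the `Get-ADDomainController` call requires PowerShell 7; on Windows PowerShell 5.1 replace it with an explicit `if` that adds `-Credential` when `$cred` is set.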
- Brian_Sutton (Copper Contributor)
EliOfek - Thanks for the quick reply! I was receiving conflicting info from a Microsoft support case; however, what you stated matches the way I thought it worked. Thanks.