Cross-tenant synced users and Azure Domain Services

Hi,

We have cross-tenant synced users. Would these users appear in Azure Domain Services if we enable the service?

Thanks

1 Reply

Hi @afernandezs,

Entra ID Domain Services (Entra DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication without the need for you to deploy, manage, and patch domain controllers in the cloud. Entra DS is designed to work with users and groups that are synced from an on-premises Active Directory (AD) environment using Entra ID Connect.

If you have cross-tenant synced users (users synced from another Entra ID tenant), enabling Entra ID Domain Services in your tenant won't automatically bring those users into the Entra DS-managed domain.

Entra DS operates within a single Entra ID tenant and works with the users, groups, and devices within that tenant.

For more information, please refer to the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity/domain-services/overview


Here's what happens:

Entra ID Users: Entra ID Domain Services can work with users that are created directly in your Entra ID tenant or synced from an on-premises AD environment using Entra ID Connect. Users synced from another Entra ID tenant won't be part of the managed domain.

Cross-Tenant Synced Users: If you have users synced from another Entra ID tenant (cross-tenant sync), those users are managed within their respective tenants. Enabling Entra ID Domain Services in your tenant won't change this. Those users will remain in their original tenant and won't be brought into the Entra DS-managed domain.

Access for Cross-Tenant Synced Users: If you need to provide access to resources in your Entra DS-managed domain for users from other tenants, you would typically set up federation or trusts between your Entra ID tenant and the other tenants. This allows users from other tenants to authenticate and access resources in your Entra DS-managed domain using their own credentials.