Apr 22 2022 08:43 AM
Hi,
A customer who owns an international enterprise has multiple regional AD forest domains syncing to one Azure AD tenant / O365. He now has a special request.
The customer would like to join the Windows 10 devices to Azure AD, but to a different tenant than the home tenant to which all users are synced.
Is this a possible scenario, where Autopilot or self-registration (no hybrid join) can join an Azure AD domain other than the current tenant where O365 has been configured for all users?
The customer in this case would like to separate device management from the existing tenant.
Apr 22 2022 09:09 AM
Apr 22 2022 09:19 AM
@andrew1810
Thanks for your answer.
The problem is that regional IT management wishes to enroll and administer their own devices in Intune, a role which is currently limited by the global admins, as the tenant is mostly managed by one region. It is correct that tagging and granular RBAC could allow them to do this in the same tenant.
However, if global admins mistakenly enforce a policy on all devices in Intune, the regions experience an impact on their machines, and that is what they want to avoid. They have no control whatsoever, and now they want to be in control.
Apr 22 2022 09:26 AM
Apr 25 2022 08:37 AM
@andrew1810
To clarify the (requested) situation a bit more, I would like to show the current environment and the requested design.
The current situation is as indicated underneath.
The customer would like to keep Microsoft 365, which is shared between the domains, in the first tenant.
To prevent the Global Admins or Intune administrators from damaging endpoints managed for users who are synced from domain C, they would like to have a separate tenant that holds their users and devices. In other words, they would like to join their devices to the 2nd tenant and manage them in that tenant, while not removing any functionality built in tenant 1.
I hope the design clarifies this a bit more.
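Whatever design is chosen, an admin will want to confirm on each endpoint that it actually landed in the intended tenant and is not hybrid-joined. The following PowerShell is an added example, not part of the thread, that parses the `Key : Value` lines of `dsregcmd /status` and compares the joined tenant against an expected tenant ID. The sample output and the tenant ID are constructed placeholders, and the function and parameter names are this example's own.

```powershell
# Added example (not from the thread): verify which Azure AD tenant a Windows
# device is joined to by parsing the output of `dsregcmd /status`.
# Assumptions: the caller supplies the expected tenant ID; the sample output
# below is constructed for offline testing and uses placeholder IDs.

function Get-DeviceJoinState {
    param(
        [Parameter(Mandatory)] [string[]] $StatusLines   # lines of dsregcmd /status output
    )
    # dsregcmd prints "Key : Value" pairs; collect only the ones we care about.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantId|TenantName|MdmUrl)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')
        TenantId      = $state['TenantId']
        TenantName    = $state['TenantName']
        MdmUrl        = $state['MdmUrl']
    }
}

function Test-ExpectedTenant {
    param(
        [Parameter(Mandatory)] [pscustomobject] $JoinState,
        [Parameter(Mandatory)] [string] $ExpectedTenantId
    )
    # A device that is both domain-joined and Azure AD-joined is hybrid-joined,
    # which the scenario in the question explicitly rules out.
    if (-not $JoinState.AzureAdJoined) { return 'NOT_JOINED' }
    if ($JoinState.DomainJoined)       { return 'HYBRID_JOINED' }
    if ($JoinState.TenantId -ne $ExpectedTenantId) { return 'WRONG_TENANT' }
    return 'OK'
}

# Constructed sample resembling dsregcmd /status output (placeholder IDs).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  TenantId : 00000000-0000-0000-0000-000000000002
                TenantName : contoso-devices
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

$state = Get-DeviceJoinState -StatusLines $sample
Test-ExpectedTenant -JoinState $state -ExpectedTenantId '00000000-0000-0000-0000-000000000002'

# On a real device, replace the constructed sample with live output:
# $state = Get-DeviceJoinState -StatusLines (dsregcmd /status)
```

Running this against the live `dsregcmd /status` output on a batch of machines (for example through a remediation script) gives a quick inventory of devices that ended up in the wrong tenant or in a hybrid-join state, which is the failure mode to watch for when users sync to one tenant and devices are meant to join another.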
Apr 26 2022 01:43 AM
@StanMorisse You can't have a custom domain on two different tenants; it won't let you add it to a second without removing it from the first. You're also restricted to AAD sync to one tenant only.
You could potentially add a new UPN for the extra tenant and then another AAD Connect server pointing to that one, but I have never tried it myself. It would effectively be a completely separate instance at that point, though.
You also have to consider O365 apps, which would then presumably need to be logged in with their other UPN, so any SSO is no longer an option.
Apr 26 2022 02:07 AM
Aug 16 2022 01:01 AM