Office 365 migration with different AD but same domain for email and other considerations


Hi folks,

I have the following scenario and I'd love to hear your feedback. 

- The organization has two entities, let's say A and B
- Two domains. Entity A has @abc.com and entity B has @cde.com
- Both entities have the same domain for email only. So an A user and a B user would have A@abc.com and B@abc.com
- Every entity has its own AD. However, B users have two identities because entity A manages Exchange for the whole organization. So a B user would have an identity in entity A AD (let's say, B@abc.com for email) and another identity in B AD (B@cde.com to sign in to corporate apps)
- Entity B already has an SSO solution (Apereo CAS) that they'd like to keep and manage by themselves only for their users

The customer needs to migrate to Office 365. My questions are:

- AD Connect recommended topology, how should we sync users? Should we use email as UPN? (SSO would not work because it requires different domains to distinguish users from A and B)
- If we add the two domains, abc.com and cde.com, can a B user log in with their AD credentials B@cde.com but have a different email address B@abc.com? There would be only a hybrid Exchange server which is managed by A entity. What configuration could work?
- Other considerations

- I have attached a picture, if it helps. :)

1 Reply

- AD Connect recommended topology, how should we sync users? Should we use email as UPN? (SSO would not work because it requires different domains to distinguish users from A and B)

SSO will not work regardless as UPNs need to be existing and authenticated in a single domain.


- If we add the two domains, abc.com and cde.com, can a B user log in with their AD credentials B@cde.com but have a different email address B@abc.com? There would be only a hybrid Exchange server which is managed by A entity. What configuration could work?

Yes, that is fine as you just add both domains to AADC. If the users' UPNs are different and there is a trust between the domains then SSO will work.