Sync AD Users to multiple O365 Tenants using ADConnect

I'm trying to implement two cases to sync AD users to O365.

Case A: Domain1 and Domain2 are two DCs we have with trust enabled.

Domain1 has ADConnect installed and syncs users from both Domain1 and Domain2 to Tenant1 on O365. ADConnect on Domain1 uses ms-DS-ConsistencyGuid to identify users with Azure AD.

Case B: We also have Tenant2 for which we want to sync users only from Domain2. Is it possible to change ms-DS-ConsistencyGuid for ADConnect on Domain2 to sync users to Tenant2 also? I tried to set it to msDS-cloudExtensionAttribute20 but it does not sync users to Tenant2.


Please see attached. It shows 2 cases (Case A works but Case B does not).


@kpsingh as long as you use OU Filtering so that each object is only synced to a single Azure AD Tenant then you are in a supported design as per the Microsoft documentation here:

[Image: singleforestfiltered.png]

The Azure AD Connect sync servers must be configured for filtering so that each has a mutually exclusive set of objects to operate on. You can, for example, scope each server to a particular domain or organizational unit.

A DNS domain can be registered in only a single Azure AD tenant. The UPNs of the users in the on-premises Active Directory instance must also use separate namespaces. For example, in the preceding picture, three separate UPN suffixes are registered in the on-premises Active Directory instance: contoso.com, fabrikam.com, and wingtiptoys.com. The users in each on-premises Active Directory domain use a different namespace.

This topology has the following restrictions on otherwise supported scenarios:

  • Only one of the Azure AD tenants can enable an Exchange hybrid with the on-premises Active Directory instance.
  • Windows 10 devices can be associated with only one Azure AD tenant.
  • The single sign-on (SSO) option for password hash synchronization and pass-through authentication can be used with only one Azure AD tenant.

The requirement for a mutually exclusive set of objects also applies to writeback. Some writeback features are not supported with this topology because they assume a single on-premises configuration. These features include:

  • Group writeback with default configuration.
  • Device writeback.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#each-object-only-once-in-an-azure-ad-tenant
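The reply's two conditions (each object lands in exactly one sync server's scope, and each tenant's users live under a UPN suffix no other tenant uses) are easy to get wrong when one forest feeds two Azure AD Connect servers. The PowerShell below is an added example, not code from the thread or from Microsoft, that checks both conditions against a list of user objects. The OU names, domain names and user records are constructed for the demo; in a real environment you would feed it the output of `Get-ADUser -Filter * -Properties UserPrincipalName` from each domain and the OU lists you configured in the sync filtering wizard of each server.

```powershell
# Added example (not from the thread): verify that two Azure AD Connect
# scopes are mutually exclusive and that their UPN suffixes do not overlap.
# The OU DNs and users below are constructed sample data; replace $users with
#   Get-ADUser -Filter * -Properties UserPrincipalName -Server <dc> |
#       Select-Object DistinguishedName, UserPrincipalName
# and $scopes with the OU filters configured on each sync server.

function Test-DnInScope {
    param([string]$Dn, [string[]]$ScopeOUs)
    foreach ($ou in $ScopeOUs) {
        # An object is in scope when its DN ends with ",<scoped OU DN>".
        if ($Dn.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-UpnSuffix {
    param([string]$Upn)
    if ($Upn -match '@(.+)$') { return $Matches[1].ToLowerInvariant() }
    return $null
}

function Test-TenantScopes {
    param(
        [object[]]$Users,                        # objects with DistinguishedName and UserPrincipalName
        [System.Collections.IDictionary]$Scopes  # tenant name -> array of OU DNs scoped on that server
    )
    $suffixOwner = @{}   # UPN suffix -> tenant that first claimed it
    $problems = New-Object System.Collections.Generic.List[string]

    # Scoped OUs must not nest across tenants, or the nested OU syncs twice.
    foreach ($t1 in $Scopes.Keys) {
        foreach ($t2 in $Scopes.Keys) {
            if ($t1 -eq $t2) { continue }
            foreach ($ou in $Scopes[$t1]) {
                if (Test-DnInScope -Dn $ou -ScopeOUs $Scopes[$t2]) {
                    $problems.Add("NESTED SCOPE: $ou ($t1) sits inside a $t2 OU")
                }
            }
        }
    }

    foreach ($u in $Users) {
        $hits = @($Scopes.Keys | Where-Object { Test-DnInScope -Dn $u.DistinguishedName -ScopeOUs $Scopes[$_] })
        if ($hits.Count -eq 0) {
            $problems.Add("NOT SYNCED: $($u.UserPrincipalName) is outside every scope")
            continue
        }
        if ($hits.Count -gt 1) {
            $problems.Add("DUPLICATE: $($u.UserPrincipalName) falls in scopes $($hits -join ', ')")
        }
        foreach ($t in $hits) {
            $suffix = Get-UpnSuffix $u.UserPrincipalName
            if (-not $suffix) { continue }
            if (-not $suffixOwner.ContainsKey($suffix)) {
                $suffixOwner[$suffix] = $t
            } elseif ($suffixOwner[$suffix] -ne $t) {
                $problems.Add("UPN CLASH: suffix $suffix is used by both $($suffixOwner[$suffix]) and $t ($($u.UserPrincipalName))")
            }
        }
    }
    return $problems
}

# Constructed sample: two domains, Tenant1 scoped to Domain1 plus one Domain2 OU,
# Tenant2 scoped to a separate Domain2 OU (mirrors the thread's Case A / Case B).
$scopes = [ordered]@{
    Tenant1 = @('OU=Corp,DC=domain1,DC=local', 'OU=Tenant1Users,DC=domain2,DC=local')
    Tenant2 = @('OU=Tenant2Users,DC=domain2,DC=local')
}
$users = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Alice,OU=Corp,DC=domain1,DC=local';         UserPrincipalName = 'alice@contoso.com' }
    [pscustomobject]@{ DistinguishedName = 'CN=Bob,OU=Tenant1Users,DC=domain2,DC=local';   UserPrincipalName = 'bob@contoso.com' }
    [pscustomobject]@{ DistinguishedName = 'CN=Carol,OU=Tenant2Users,DC=domain2,DC=local'; UserPrincipalName = 'carol@fabrikam.com' }
    [pscustomobject]@{ DistinguishedName = 'CN=Dave,OU=Tenant2Users,DC=domain2,DC=local';  UserPrincipalName = 'dave@contoso.com' }   # suffix clash
    [pscustomobject]@{ DistinguishedName = 'CN=Eve,OU=Staging,DC=domain2,DC=local';        UserPrincipalName = 'eve@fabrikam.com' }   # outside both scopes
)

Test-TenantScopes -Users $users -Scopes $scopes | ForEach-Object { Write-Output $_ }
```

With the sample data the script reports Dave (a contoso.com UPN inside the Tenant2 scope, which would be rejected because that suffix is verified on Tenant1) and Eve (an account no server picks up, the symptom the question describes for Case B). An empty result means the filtering satisfies the mutual-exclusivity and separate-namespace requirements quoted above; it does not check Exchange hybrid, device registration or writeback, which the documentation restricts to one tenant regardless of filtering.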