Forum Discussion

Unnie
Iron Contributor
Dec 12, 2016

Office 365, SharePoint Online profile sync

I am trying to synchronize all users from two different Azure ADs into one single User Profile application. I know that this is not possible by writing a custom sync job, as CSOM does not have any user profile creation API. Does the OOTB SharePoint user profile sync job support this? If not, what alternatives do I have here?

Why 2 separate AADs?

We are using SharePoint as an extranet as well as an intranet. External users are created in our organisation's LDAP, so these external users will have pretty much the same user identity/functionality as internal users; that is why we are not considering the external sharing feature. But while migrating to Office 365, we are trying to avoid creating paid licenses for these users. So I am exploring the possibility of two AADs: one for internal users (paid), one for external users (free AD).

4 Replies

  • Brent Ellis
    Silver Contributor
    The very nature of having two different Azure AD means that you 'technically' have two different tenants. You have a primary one, and a secondary one (that was created against the primary one as the parent Azure account - like for billing purposes), but it isn't like a parent AAD and child AAD relationship. They are two very discrete, very separate entities.

    You can't sync the two Azure ADs into a single SharePoint Online user profile service. Only accounts in the primary AAD are available to SharePoint Online. Accounts in the secondary AAD can be made available to SharePoint Online only as "external contacts", but you more than likely don't want to do this. There are currently no APIs to create these contacts based on another AAD either, so it is a manual process to go that route.

    Unless someone knows something I don't here, I am pretty certain this is a physical impossibility.

    Why have two separate AADs?
    • Unnie
      Iron Contributor
      Thanks @Brent. I have updated my question with why we are exploring the 2 AAD approach. Looks like this approach is going towards a dead end.
      • Brent Ellis
        Silver Contributor
        Gotcha.

        We did something similar. It's not a SharePoint-based extranet, but a custom-developed customer-facing web application where we used the secondary AAD as our identity for that, and added our primary corporate users from our primary AAD into the secondary AAD to access the custom application.

        Like I mentioned, it is a manual process to add our internal users to the secondary AAD, but we have just incorporated it into our new hire process, so it's not terrible.

        What you may consider is the use of guest/external contacts in your primary AAD, and then just make sure to be diligent in setting permissions in your primary SharePoint environment (using the "Everyone, except external users" group). There is lots more to think about and plan for there, but we have kind of done this as well, with a dedicated site collection where "external" users are allowed, but all other site collections are "for internal purposes only".
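One concrete form of that last suggestion (guests in the primary AAD, external sharing allowed only on a dedicated extranet site collection), written as an added example that is not code from the thread or from Brent: a PowerShell script using the SharePoint Online Management Shell and Microsoft Graph PowerShell. The tenant name, admin URL, extranet site URL and the guest's e-mail address are placeholders (assumptions). It audits every site collection for external sharing outside the allow-list, enforces the internal-only / extranet split, and invites one external user as a B2B guest of the primary tenant instead of creating an account in a second AAD.

```powershell
# Added example, not from the original thread. Requires the
# Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module Microsoft.Graph.Identity.SignIns

# Assumptions: "contoso" tenant, one extranet site collection, one guest address.
$AdminUrl      = "https://contoso-admin.sharepoint.com"
$ExtranetSites = @("https://contoso.sharepoint.com/sites/extranet")   # only site collections where guests are allowed
$GuestAddress  = "partner@example.com"

Connect-SPOService -Url $AdminUrl

# 1. Audit: any site collection that permits external sharing but is not on the
#    extranet allow-list is configuration drift from the "internal only" rule.
$drift = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' -and $_.Url -notin $ExtranetSites }

foreach ($site in $drift) {
    Write-Warning "Internal-only site permits external sharing: $($site.Url) ($($site.SharingCapability))"
    # 2. Enforce: internal-only site collections get external sharing switched off.
    Set-SPOSite -Identity $site.Url -SharingCapability Disabled
}

# 3. The extranet site collection(s): guests must sign in; no anonymous links.
foreach ($url in $ExtranetSites) {
    Set-SPOSite -Identity $url -SharingCapability ExternalUserSharingOnly
}

# 4. Invite the external user as a guest in the primary Azure AD (B2B). Guest
#    accounts are excluded from SharePoint's "Everyone except external users"
#    group, which is what keeps the internal-only site collections closed to them.
Connect-MgGraph -Scopes "User.Invite.All"
$invite = New-MgInvitation -InvitedUserEmailAddress $GuestAddress `
                           -InviteRedirectUrl $ExtranetSites[0] `
                           -SendInvitationMessage:$true
"Invited $($invite.InvitedUserEmailAddress); guest object id $($invite.InvitedUser.Id)"
```

Run the audit loop on a schedule, not only once: a site owner can re-enable sharing on a site collection later, and the allow-list comparison is what catches it. Permissions granted directly to "Everyone" (rather than "Everyone except external users") still reach guests, so the SharingCapability setting is a site-level gate, not a substitute for reviewing the groups used inside the extranet site.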
