Allow multi-tenant automatic registration of windows domain-joined devices
The guide available here:
is not multi-tenant aware.
This prevents the use of meaningful conditional access policies where multiple customers are sharing the same source Windows Server OnPrem AD in a hybrid 365 scenario.
I would like a solution that allows the SCP information to be delivered by an alternate means, GPO for example.
We could then sync multiple customers in AD to multiple 365 tenants and implement conditional access effectively.
We are in the process of updating docs to include Hybrid Azure AD join as a supported scenario in a single AD forest to multiple Azure AD tenants. This could be achieved using client side SCP settings that can be configured using GPO. However, there are certain limitations with a single AD forest to multiple Azure AD tenant setup. Capabilities like Windows Hello for Business using cert trust deployment model, enabling Conditional Access for on-prem apps federated with AD FS, Syncing Office 365 Groups back to on-prem Exchange, enabling Seamless SSO and enabling Azure AD Password Protection for on-prem AD DS will not work.
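The client-side SCP setting mentioned in the reply above is a per-device registry override that Hybrid Azure AD join reads before falling back to the forest-wide SCP in AD. The script below is an added example, not code from this thread or from Microsoft's documentation; it writes those values for one customer tenant and reads them back so the result can be audited. It assumes the documented key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD` with the string values `TenantId` and `TenantName`; the tenant ID and name passed in are placeholders to be replaced with the customer's real tenant. In production you would deliver these two values through a Group Policy Preferences registry item scoped to each customer's OU rather than a script, but the keys and values are the same.

```powershell
# Added example: set the client-side SCP override for Hybrid Azure AD join on one device.
# Run elevated. Scope delivery per customer OU (GPO Preferences registry item or a
# startup script) so each customer's devices register with their own Azure AD tenant.
param(
    # PLACEHOLDER: the customer's Azure AD tenant ID (GUID), e.g. 00000000-0000-0000-0000-000000000000
    [Parameter(Mandatory)] [string] $TenantId,
    # PLACEHOLDER: the customer's verified tenant name, e.g. contoso.onmicrosoft.com
    [Parameter(Mandatory)] [string] $TenantName
)

$scpPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'

# Fail early on a malformed tenant ID: a typo here points the device at the wrong
# tenant (or makes registration fail silently), which is exactly the cross-customer
# mistake a shared-forest deployment has to guard against.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($TenantId, [ref]$parsed)) {
    throw "TenantId '$TenantId' is not a valid GUID"
}
if ($TenantName -notmatch '^[A-Za-z0-9.-]+$') {
    throw "TenantName '$TenantName' does not look like a DNS name"
}

# Create the key if missing and write both values as REG_SZ (String).
if (-not (Test-Path $scpPath)) {
    New-Item -Path $scpPath -Force | Out-Null
}
New-ItemProperty -Path $scpPath -Name 'TenantId'   -Value $TenantId   -PropertyType String -Force | Out-Null
New-ItemProperty -Path $scpPath -Name 'TenantName' -Value $TenantName -PropertyType String -Force | Out-Null

# Read back what was applied so the change is visible in GPO/startup logs.
$applied = Get-ItemProperty -Path $scpPath
[pscustomobject]@{
    Device     = $env:COMPUTERNAME
    TenantId   = $applied.TenantId
    TenantName = $applied.TenantName
}
```

Registration itself happens on the next run of the automatic device registration scheduled task or the next user sign-in. To confirm a device landed in the intended tenant, run `dsregcmd /status` on it and check that `TenantId` and `TenantName` under the tenant details match the values you set and that `AzureAdJoined` reports YES; a device showing the other customer's tenant ID is the failure mode to monitor for when several tenants share one forest. Note the limitations listed in the reply above (Windows Hello for Business cert trust, Conditional Access for AD FS-federated on-prem apps, Office 365 group writeback, Seamless SSO, Azure AD Password Protection for on-prem AD DS) still apply in this topology regardless of how the SCP values are delivered.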
So can you DRS register to 2 tenants or not?
We have CA rules around device based trust that we need to replicate in 2 tenants during a coexistence divestiture.
Anthony R. commented
Also looking for an update.
Edgar C. Rodríguez Robles commented
Azure Team, when will the documentation be updated?
Any updates on this? We have a customer wanting to use this feature...