Allow Azure AD to Azure AD Trust
Add the ability to trust another 365 tenant, as exists with on-prem Active Directory. The scenario is a company that has an established 365 environment and acquires another company that also has a 365 environment. In an on-prem scenario a domain trust would be put in place; however, federation and external user access are the only options. This capability needs to be in place for Azure AD to trust another Azure AD.
We’re working on a few features in this space that will likely help address this scenario but don’t have an ETA yet to share. Thanks to the folks who have added additional details of what they’re looking for, and if you have more scenarios for how this capability could help you please do add them as comments.
Gene Rugg commented
Azure AD joined machines allowing logins from the other tenant (helping with asset migration).
Being able to trust another AAD would allow trust of that tenant's registered devices, which means Conditional Access in M&A scenarios and Corporate User vs. Hosting Azure AD tenants becomes so much easier.
Ashley Walton commented
Another scenario, which is similar to Murray's point, is where you are hosting an application (via App Registration) in your tenant, but you want to trust users from another tenant to access that application. Currently you need to invite each user as a guest, and they each need to accept the terms individually.
It would be good if you could pre-authorise that tenant to say that all invited users automatically accept those terms - although this is likely to be actioned from the child tenant.
You can do something similar as an Admin on a registered app for your own tenant users (via the API Permissions / Grant Consent area), but you cannot do this for guests.
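For reference, this is what the per-user B2B workaround described in the comment above looks like today with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original thread or from Microsoft; the invitee addresses (`partner.example`) and the redirect URL are placeholders, and the script assumes the `Microsoft.Graph` module is installed and the caller holds the `User.Invite.All` and `User.Read.All` permissions.

```powershell
# Added example (not from the original thread): bulk-invite users from a partner
# tenant as B2B guests, then report which invitations are still unredeemed.
# Assumption: Microsoft.Graph PowerShell SDK installed; addresses and URL are placeholders.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

# Constructed sample list of partner-tenant users to invite.
$invitees = @(
    "alice@partner.example",
    "bob@partner.example"
)

$results = foreach ($email in $invitees) {
    # One invitation object per user; there is no tenant-wide trust equivalent.
    $inv = New-MgInvitation -InvitedUserEmailAddress $email `
        -InviteRedirectUrl "https://myapps.microsoft.com" `
        -SendInvitationMessage:$true
    [pscustomobject]@{
        Email     = $email
        GuestId   = $inv.InvitedUser.Id
        RedeemUrl = $inv.InviteRedeemUrl
    }
}

# Each guest must redeem individually; list the ones still pending.
foreach ($r in $results) {
    $u = Get-MgUser -UserId $r.GuestId -Property "UserPrincipalName", "ExternalUserState"
    if ($u.ExternalUserState -ne "Accepted") {
        "{0} has not redeemed ({1})" -f $r.Email, $u.ExternalUserState
    }
}
```

Immediately after the loop every guest shows `PendingAcceptance`; the state only changes to `Accepted` once each user follows their own redemption link, which is the per-user step the comment is asking to eliminate.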
Murray Webber commented
Another scenario is existing federation based on the root domain. Right now, if you federate using the top-level domain in your organisation, it forces you to use "Federated" sub-domains forever, unless your environment is new enough to tear down and rebuild using a sub-domain first. If not, you can never add a cloud-only "Managed" sub-domain to your tenant, and the O365/AAD teams can offer zero solution to this. With a two-way trust between AAD tenants, sites would be able to create a new tenant for their managed domain, verify the sub-domain via DNS on the second tenant, then still have the users from these separate tenants function as one.
There is now an AAD B2B piece of the puzzle, but this requires that all users be invited to the new tenant as guests, and accept those invitations before they can access resources, and this is not a suitable replacement. Either we get AAD-to-AAD trusts, or we need a way to rebuild the boundaries for federated domains and/or merge different directories. Somehow, I think a two-way trust would be an easier fix.