Multi-tenant capabilities in Azure AD Sync
Problem scenario: single on-premise domain, multiple O365 / Azure subscriptions. As it stands today it looks like you still need FIM and the Azure AD Connector to accomplish this (or DirSync on a separate server for each tenant).
I was hoping to be able to use the AADsync tool for this and consolidate the current DirSync servers to a single VM for it.
We are not planning to implement this feature at this time
If basic authentication is stopping in 2020 and we must use modern authentication, then this will be an issue for lots of hosting providers. As I understand it, using multiple Azure AD Connects is one thing, but you can only use one SSO (because a computer object is made that can only exist once in a domain).
Any update on this? I think there is a significant number of people wanting the capability.
Are there any updates on this topic?
I want to provide Office 365 services to several customers but only manage on-premises resources in one single Active Directory domain, meaning:
1. Create 1 AD domain
2. Create a UPN suffix per customer
3. Sync OUs into different O365 tenants (1 OU per customer)
Any other solutions available?
It's really resource-intensive and costly to have to create multiple VMs, one for each Azure/Office 365 tenant we want to sync.
If you cannot architect it to work with multi-tenancy, perhaps you would consider a container-based solution?
Any update on this? We really need this, especially with difficulties sometimes getting the sync service to start even on new VMs.
Rob de Jong (Azure AD IAM) commented
The business opportunity and engineering effort required to improve this aspect of operating multi-tenant AAD currently do not justify any plans for the AAD product group in the foreseeable future.
Rob de Jong (Azure AD IAM) commented
The currently supported topology for syncing one Windows Server AD to multiple tenants is documented here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies#multiple-azure-ad-tenants
There are currently no plans to extend these capabilities.
James Booth commented
Mirroring what James J said: this is a huge blocker for us, against an otherwise great solution.
Any word on when this will be addressed? We are moving forward with creating a VM for each Azure tenant, but this is not ideal; also, as previously mentioned, seamless sign-on only works for the last one configured.
Trent Milliron commented
I'm really surprised this has not been addressed yet. It would seem that installing AD Connect on one server for a domain would be easy to make it sync to multiple 365/Azure AD tenants. As a hosting provider we want to be able to manage all users from a single AD and still use multiple 365 tenants, typically one for each customer.
Runar Verwaal commented
Also, a single AAD Connect client to multiple O365/Azure Tenants would fix the issue with Seamless Single Sign-On.
The problem here is that the last of multiple AAD Connect setups resets the password / encryption key for the on-premises domain computer account AZUREADSSOACC.
This stops Seamless Single Sign-On for all tenants other than the last one configured.
Making the Seamless Single Sign-On (SSO) computer account for an Office 365 tenant random or admin-configurable would make this both multi-tenant capable and more secure
(no predictive attack as described here: https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/ ).
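As an added example that is not part of the comment above, nor code from Azure AD Connect: a PowerShell audit of the AZUREADSSOACC computer account that Seamless SSO depends on. It reports when the account's password (the Kerberos decryption key) was last set, so that a reset by a later Azure AD Connect installation, or an overdue rollover, is visible, and it pulls the matching 4742 "A computer account was changed" events from a domain controller's Security log so you can see how often, when and by whom the key was overwritten. It assumes the ActiveDirectory RSAT module, read access to the computer object and to the DC Security log, the 30-day rollover interval Microsoft documents for the Seamless SSO key, and the default install path of the AzureADSSO module; the function names and the host name in the usage comment are mine.

```powershell
# Added example, not code from the thread or from Azure AD Connect.
# Assumes: ActiveDirectory module (RSAT), rights to read the computer object and
# the Security event log on the domain controller you point it at.
Import-Module ActiveDirectory

# Microsoft documents rolling the Seamless SSO Kerberos decryption key at least every 30 days.
$MaxKeyAgeDays = 30

function Get-SeamlessSsoAccountReport {
    param(
        [string]$Identity   = 'AZUREADSSOACC',   # default name Azure AD Connect creates
        [int]   $MaxAgeDays = $MaxKeyAgeDays
    )
    $acct = Get-ADComputer -Identity $Identity `
        -Properties PasswordLastSet, ServicePrincipalNames, Enabled, whenChanged
    $age = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Name            = $acct.Name
        Enabled         = $acct.Enabled
        PasswordLastSet = $acct.PasswordLastSet
        KeyAgeDays      = [int]$age.TotalDays
        RolloverOverdue = $age.TotalDays -gt $MaxAgeDays
        # Seamless SSO registers SPNs for the autologon endpoint on this account
        Spns            = $acct.ServicePrincipalNames -join ';'
    }
}

# Every time a Connect server (re)enables Seamless SSO the account password is reset;
# the DC logs that as Security event 4742 with the account as target. Listing those
# events shows how many times, and from where, the key was overwritten, which is the
# symptom the comment describes when several Connect servers share one domain.
function Get-SeamlessSsoAccountChangeEvents {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [string]$Identity = 'AZUREADSSOACC',
        [int]   $Days = 90
    )
    $filter = @{ LogName = 'Security'; Id = 4742; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d['TargetUserName'] -eq "$Identity`$") {
                [pscustomobject]@{
                    Time            = $_.TimeCreated
                    ChangedBy       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    PasswordLastSet = $d['PasswordLastSet']
                }
            }
        }
}

# Usage (host name assumed):
#   Get-SeamlessSsoAccountReport | Format-List
#   Get-SeamlessSsoAccountChangeEvents -DomainController 'dc01.corp.example' | Format-Table

# The documented key rollover, run on one Connect server only (module path assumed to be
# the default install directory):
#   Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
#   New-AzureADSSOAuthenticationContext                           # prompts for a Global Administrator
#   Update-AzureADSSOForest -OnPremCredentials (Get-Credential)   # resets the AZUREADSSOACC key
```

A sequence of 4742 events whose ChangedBy values come from different Connect servers is exactly the "last one configured wins" behaviour: each reset invalidates the key the other tenants' Seamless SSO configuration still expects. The same account is the one a DCSync of its hash would target, so the rollover interval matters even with a single tenant.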
Sven Minor commented
It is not possible to configure multiple AAD Tenants as Identity Providers with the same AD FS service. The reason it is not possible to configure multiple AAD Tenants is because all of them are using the same Azure AD Signing Certificate. AD FS does not allow different IDPs that use the same signing certificate. Basically, you can have only one AAD Tenant in direct trust relationship with the same AD FS Service.
Fortunately, there is a fairly easy way to get around this with the current capabilities of Access Control Services (ACS). ACS does not have this certificate limitation and each ACS instance has its own signing certificate. So if you need to configure multiple AAD Tenants as IDPs with the same AD FS Service, you will need to configure a separate instance of ACS for each of your AAD Tenants, configure them with trusts, then configure each ACS as an IDP with your AD FS Service.
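An added example, not part of the comment above and not Microsoft or AD FS code, that lets you verify the signing-certificate collision the comment describes: it pulls each tenant's federation metadata from login.microsoftonline.com, extracts the thumbprints of the signing certificates, and reports whether every tenant carries the same one (which is what makes a second AD FS claims provider trust collide with the first). The parsing function is also exercised offline on a constructed metadata sample whose "certificate" is arbitrary bytes, labelled as such. The function names, the sample, and the tenant names in the usage comment are mine. Note that Access Control Service itself has since been retired, so the workaround in the comment no longer applies; the certificate check remains useful when planning any federation design.

```powershell
# Added example, not from the thread, Microsoft or AD FS.
# Assumes outbound HTTPS to login.microsoftonline.com for the live check.
$MetadataUrlTemplate = 'https://login.microsoftonline.com/{0}/federationmetadata/2007-06/federationmetadata.xml'

# Returns the SHA-1 thumbprints of every signing certificate found in a federation metadata document.
function Get-FederationSigningThumbprints {
    param([Parameter(Mandatory)][string]$MetadataXml)
    [xml]$doc = $MetadataXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $doc.SelectNodes("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
        ForEach-Object {
            $der = [Convert]::FromBase64String($_.InnerText.Trim())
            # A certificate thumbprint is SHA-1 over the DER bytes, so no X509Certificate2 is needed
            # (which also lets the constructed sample below run without a real certificate).
            ([System.BitConverter]::ToString($sha1.ComputeHash($der))).Replace('-', '')
        } | Sort-Object -Unique
}

# Fetches the metadata of several tenants and reports the thumbprints they all share.
function Compare-TenantSigningCertificates {
    param([Parameter(Mandatory)][string[]]$TenantIds)   # tenant GUIDs or *.onmicrosoft.com names
    $byTenant = @{}
    foreach ($t in $TenantIds) {
        $xml = (Invoke-WebRequest -Uri ($MetadataUrlTemplate -f $t) -UseBasicParsing).Content
        $byTenant[$t] = @(Get-FederationSigningThumbprints -MetadataXml $xml)
    }
    $all = @(foreach ($list in $byTenant.Values) { $list }) | Sort-Object -Unique
    $shared = foreach ($tp in $all) {
        $inAll = $true
        foreach ($list in $byTenant.Values) { if ($list -notcontains $tp) { $inAll = $false } }
        if ($inAll) { $tp }
    }
    [pscustomobject]@{
        Tenants            = $TenantIds -join ', '
        SharedThumbprints  = @($shared)
        # AD FS keys a claims provider trust on the signing certificate, so any thumbprint
        # common to all tenants means a second trust would collide with the first.
        AdfsTrustCollision = @($shared).Count -gt 0
    }
}

# Constructed sample (not real Azure AD metadata): arbitrary bytes stand in for the certificate.
$SampleSigningKey = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('constructed-signing-key-bytes'))
function New-SampleMetadata([string]$Key) {
@"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>$Key</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"@
}

# Offline exercise: two "tenants" built from the same key produce the same thumbprint.
$a = Get-FederationSigningThumbprints -MetadataXml (New-SampleMetadata $SampleSigningKey)
$b = Get-FederationSigningThumbprints -MetadataXml (New-SampleMetadata $SampleSigningKey)
"Sample tenants share a signing thumbprint: $(($a -join ',') -eq ($b -join ','))"

# Live check (tenant names assumed):
#   Compare-TenantSigningCertificates -TenantIds 'contoso.onmicrosoft.com','fabrikam.onmicrosoft.com'
```

Azure AD rotates its signing certificates, so run the live comparison against current metadata rather than cached copies, and expect more than one signing thumbprint per tenant while a rollover is in progress; the collision exists as long as any one of them is shared.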
Daniel Viklund commented
Any update on this?
For hosting companies with, let's say, 100 O365 tenants, it's not feasible to set up 100 VMs with Azure AAD Connect.
Please add this so we can select which OU should be synced to which O365 tenant.
Single forest to multiple Azure AD sync is now explained in more detail in https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-aadconnect-topologies/.
I'm trying to figure out how to connect O365 (AAD) with a different Azure AAD. The situation is like this:
1. I have activated an Azure MSDN subscription. In this lab environment I'm synchronising my users from on-premises.
2. With the same MSDN subscription I had an option to activate an O365 tenant (with a development license E3). So I did. When activating this, you also receive an underlying AD directory.
Now I have managed to integrate the two directories by giving access to admins in both directories.
I want to sync my users from my O365 subscription to the Azure subscription but I can't manage to get this to work. Is there a way around this?
Are there any updates on this feature?
Am I correct in understanding that synchronization from one AD domain to multiple Azure / Office tenants is completely unsupported, even though we can guarantee that the synchronization is filtered per OU, users will not be synchronized to more than one tenant and have their own non-shared Exchange Global Address Lists?
Is the scenario where you install and configure separate instances of Azure AD Connect on separate servers also not supported?
We (and many other hosting providers with us) will really need some way to 'untangle' the on-premise single forest AD and migrate (already functionally separated) on-premise customers to separate Office 365 tenants.
Peter Faber commented
Any updates on this?
What is the current workaround when we need to connect users from the same local AD domain to multiple O365 tenants?
The tenants don't need to share anything, so no need for e.g. a shared Global Address List.
This requirement could be alleviated for us if only it was easier to manage 'inviting' users from one AAD tenant to another. Our use case is that we have a Production subscription which is synced using AAD Connect; as well as production we have a Preview subscription (also 'live') used for 'canary' users to test features of mobile apps / web apps before we run them in production. The inability to allow easy management between AAD tenants is a major issue because of the overhead of managing individual users as guests from the parent (production) subscription into its child (preview) subscription. A brilliant feature would be to allow 'inheritance' of AAD groups in the production subscription into the child (preview) subscription, thus maintaining a low management overhead. (Oh, and sharing the parent AADP licence for the user wouldn't go amiss either!!)
I want to setup a DTAP environment for SharePoint Online project. The production environment is configured to get authenticated with ADFS and AADSync is replicating the users to Office 365. I may be developing SharePoint Add-Ins hosted on Azure Web Applications which will also get authenticated by ADFS. So far, so good.
BUT: I want to have an identical Test environment, as a separate Office 365 tenant again using ADFS authentication with the same domain. I know it's not possible until now. So, I can have a subdomain created for the purpose, but still I don't think it's supported yet with one single AADSync instance to sync both domain and subdomain users to two different Office 365 tenants. I don't want to set up FIM 2010 with the AAD Connector. Any other alternatives to achieve this? How do you normally make sure that Test & Production environments have exactly the same configuration, like authentication, to avoid issues after deployment like my custom Azure-hosted app working on UAT but not on Production because the authentication scheme is different?
When is this AADSync multi-tenant feature going to be available?