Comments on: Top tips for syncing on-premises Active Directory objects to multiple tenants

By: Anthony Rusonik

Anthony Rusonik — Wed, 13 Mar 2024 15:44:13 +0000

Hi Drago…. Great article. I agree it is all about the OU planning and filtering. However, according to the latest Microsoft support article (newer than when you wrote the blog) Microsoft does now support “AADConnect can synchronize the users, groups, and contacts from a single Active Directory to multiple Microsoft Entra tenants. ” I am reading that we could synch the same user to two different tenants if we added an attribute or two to change the UPN suffix of one of the account synchs? Would you agree?
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies

By: Venu

Venu — Tue, 19 May 2020 01:38:39 +0000

Hi Drago,
It’s a great article explaining how OU filtering can be used to separate AD objects to two AAD Tenanats. In our situation, we want to use Tenant1 for all users in the organization for all Microsoft 365 services and want to use Tenant 2 for only Microsoft 365 Sharepoint service for limited users. Is this possible to configure. Thank you.

Venu

By: Drago Petrovic

Drago Petrovic — Mon, 30 Mar 2020 08:12:58 +0000

In reply to Chris.

Hello, Chris,
I can’t tell you much about it, as far as I know, there’s an on-premise integration.
Maybe this article will help you:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

By: Drago Petrovic

Drago Petrovic — Mon, 30 Mar 2020 08:06:23 +0000

In reply to Gilles Villeneuve.

Hello, Gilles,
good question, I hope I got it right.
If you have external or on-premise applications, you can set them up (per tenant) with the Azure Application Proxy.
Take a look at this link:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy

I hope this helps you?

By: Drago Petrovic

Drago Petrovic — Mon, 30 Mar 2020 08:01:30 +0000

In reply to PS.

Hello, PS,
In general, Exchange only allows the combination of one environment (on-premise and EXO). If you have other third party tools in use, you can try to create them instead of MAPI as IMAP accounts on your EXO.
So you can create your users of the child on-premise domain on the EXO of Tenant 1.
Here are some infos about IMAP with EXO:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/pop3-and-imap4

Regarding your second point: W10 Device Registrations, Group & Device write-back, etc. this was well described by the Microsoft link, that you have posted.
How this affects your multi-tenant planning I can’t describe so quickly now, but this question would be worth an article.

By: PS

PS — Fri, 27 Mar 2020 18:30:55 +0000

Hi Drago
Excellent Article. I am not sure I understand the Exchange Online Part. So if we have a single Forest with the AD setup for Tenant1 and child domain for Tenant2 and implement ADFS for Tenant1 and PHS for Tenant2 using separate AADConnect instance, then only one organization can use Exchange Online service? What if the Organization is migrating from a non-Exchange Messaging platform, for example Groupwise? Will both Tenants be able to use Exchange Online? Please clarify.
I am seeing additional limitations of Single Forest with Multiple Tenants as shown by this document. Your article addresses the SSO workaround but I see more limitations discussed like GAL, W10 Device Registrations, Group & Device write-back, etc.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies
How does that affect the planning if Multiple Tenants are a must? Will this require 3rd Party Identity as source instead of AD?

By: Chris

Chris — Thu, 26 Mar 2020 13:39:12 +0000

Hi,

So my organization is looking to have a more robust SSPR capability and we are thinking about taking advantage of our current Azure ADFS environment. It looks as if this can easily be done for users that are say off-site to change locked passwords, but what about users on-site and only have the workstation login screen/credential provider? Is there a design where users can reset their passwords from their logon screen on-premise using Azure SSPR? Does there need to be an updated Credential Provider installed on the workstation?

By: Gilles Villeneuve

Gilles Villeneuve — Fri, 07 Feb 2020 23:11:29 +0000

Hi Drago,

First of all, fantastic article, and thanks for the tips.

I have one question though when it comes to SSO across SaaS application.
When setting up SSO with third party application, on the SaaS application side, I usually can point only one IDP. If I have a SaaS application that need to allow both IDPs ( Tenant 1 and Tenant 2 ), what would be the best approach to this?

Thanks,

By: Drago Petrovic

Drago Petrovic — Thu, 16 Jan 2020 07:03:10 +0000

In reply to Alex. Hi Alex, sure, I will try to deliver the images in a better size.

By: Alex

Alex — Thu, 16 Jan 2020 05:01:24 +0000

Thanks for this. Could you save images in a bigger size for the next articles? 600 pixcels is not that big with today screens 😉