Hello!
Please guide me on integrating my org's two-level AD forest with Azure AD.
This is the architecture:
Internal forest corp.contoso.com with two domains:
- corp.contoso.com - empty root domain;
- hq.corp.contoso.com - user domain (all user accounts here).
External DNS-domain is: contoso.com.
I have created an Azure Active Directory tenant for contoso.com and proved ownership of my domain (TXT record on public DNS).
Questions are:
- Azure AD Connector waits for corp.contoso.com and hq.corp.contoso.com Azure AD domains. Is there a concept of Forest on Azure AD?
- Do I need to add the internal domains to Azure too (there is no DNS for corp.* and hq.corp.* on my public DNS), and how?
- Is something like UPN suffixes possible for the second-level user domain only? Internal users have public @contoso.com mail addresses, so it would be interesting to abstract away from the internal domain structure when users sign in to Azure.
Thanks for any help!
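For the UPN-suffix question above, here is an added example (not from the original post) of how the public domain is typically registered as an alternative UPN suffix and then applied to users in the child domain, so the sign-in name matches the mailbox address. It assumes the RSAT ActiveDirectory PowerShell module and that each user's `mail` attribute already holds the @contoso.com address.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and that each user's mail attribute already holds the public @contoso.com address.
Import-Module ActiveDirectory

$publicSuffix = 'contoso.com'
$userDomainDn = 'DC=hq,DC=corp,DC=contoso,DC=com'
$userDomainDc = 'hq.corp.contoso.com'

# 1. Register the public domain as an alternative UPN suffix. This is a forest-wide
#    setting, done once; no user changes until their UPN is rewritten below.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $publicSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $publicSuffix}
}

# 2. Find enabled users in the child domain whose UPN suffix still differs from
#    their public mail domain (users without a matching mail address are skipped).
$users = Get-ADUser -Server $userDomainDc -SearchBase $userDomainDn `
             -Filter 'Enabled -eq $true' -Properties mail, UserPrincipalName |
         Where-Object { $_.mail -and
                        $_.mail -like "*@$publicSuffix" -and
                        $_.UserPrincipalName -notlike "*@$publicSuffix" }

# 3. Report the planned change per user and apply it as a dry run. Review the
#    output, check for duplicate UPNs, then remove -WhatIf to make the change.
foreach ($u in $users) {
    $newUpn = $u.mail.ToLower()   # sign-in name becomes identical to the mailbox address
    Write-Host ("{0,-24} {1} -> {2}" -f $u.SamAccountName, $u.UserPrincipalName, $newUpn)
    Set-ADUser -Server $userDomainDc -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Run it with an account that can modify users in hq.corp.contoso.com; the forest-level step additionally needs Enterprise Admin rights, and contoso.com must already be a verified domain in the tenant (as described in the post) for the synced UPNs to be accepted as-is.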