Sync Multiple Azure AD Tenants

    Question

  • Hello,
    I have a question about syncing multiple Azure AD tenants.

    Considering this Microsoft article Topologies for Azure AD Connect => Multiple Azure AD tenants => Each object only once in an Azure AD tenant.

    Assuming domain.local as tree and forest root with some child domains (childs.domain.local), AAD Connect was installed on a server that is a member of domain.local and configured to sync objects from domain.local and childs.domain.local (filtered) with one Azure AD tenant. I have to sync anotherdomain.local (same forest as domain.local) with another Azure AD tenant. Should I install AAD Connect on a new server that is a member of anotherdomain.local, or of domain.local?

    Thank you a lot.

    Regards,
    Luca Fabbri


    Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. Whenever you see a helpful reply, click on [Vote As Help] and click on [Mark As Answer] if a post answers your question.

    • Edited by Luca Fabbri Wednesday, May 03, 2017 8:34 AM
    Wednesday, May 03, 2017 8:32 AM

Answers

All replies

  • Any domain should do, as long as you are able to read the data from anotherdomain.local. Remember that per the article, you can only sync an object to one Azure AD tenant; if the users from anotherdomain.local have already been synced, you will be in an unsupported configuration. Which is not to say that it's not possible :)
    • Marked as answer by Luca Fabbri Thursday, May 04, 2017 10:01 AM
    Wednesday, May 03, 2017 6:22 PM
  • Hello Vasil,
    so I can place AAD Connect on a server that is a member of any domain, only if I can read the data from there.

    Yes, it was already clear that I can only sync an object to one Azure AD tenant. ;-)

    The objects I'm going to sync belong to a domain that has never been synced with any Azure AD tenant. This domain belongs to a forest with domains already synced with another Azure AD tenant.

    Any advice while configuring the new AAD Connect? I'm thinking: after AAD Connect is installed, make sure the synchronization task is disabled (maybe AAD Connect asks the end user whether to enable it during setup), make sure the domains already synced are unselected in the filter and leave anotherdomain.local selected. That's all...?

    Thank you for clarifying my little doubt.

    Bye,
    Luca

    Wednesday, May 03, 2017 9:19 PM
  • You can place the Connect server in any domain, regardless of where it syncs from. It can even be a stand-alone server that is not joined to any domain at all.

    When you install Connect, there is one page in the wizard where you are asked about domains to sync and not to sync:
    https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom#domain-and-ou-filtering
    It is easiest to do it already during initial installation.

    It can also be done after you've installed Connect and is then documented here:
    https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-configure-filtering#domain-based-filtering

    • Marked as answer by Luca Fabbri Thursday, May 04, 2017 10:01 AM
    Thursday, May 04, 2017 6:03 AM
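The check the thread converges on (new Connect server, sync cycle off until the domain filter is confirmed, only anotherdomain.local selected) can be verified from the ADSync PowerShell module before the scheduler is ever turned on. The script below is an added example written for this page; it is not code from the thread or from Microsoft's documentation. It uses the real cmdlets `Get-ADSyncConnector`, `Get-ADSyncScheduler` and `Set-ADSyncScheduler`, and assumes that each AD connector object exposes a `ConnectorTypeName` property and a `Partitions` collection whose items carry `Name` (the partition's distinguished name) and `Selected` properties; the `$AllowedPartitions` value is a placeholder for the domain this second Connect instance is meant to sync.

```powershell
# Added example (not from the thread or the Microsoft docs): audit a freshly
# installed Azure AD Connect server before enabling its sync cycle.
# Run in an elevated PowerShell session on the Connect server itself.
# Assumptions: ADSync module is installed with Azure AD Connect; AD connector
# objects expose ConnectorTypeName, and Partitions items expose Name/Selected.
Import-Module ADSync

# Placeholder: the only AD partition (domain, in DN form) this instance may sync.
# Partition names in the Synchronization Service Manager are distinguished names,
# so "anotherdomain.local" is written as "DC=anotherdomain,DC=local".
$AllowedPartitions = @('DC=anotherdomain,DC=local')

function Get-SelectedDomainPartitions {
    # One record per domain partition that is currently selected for sync,
    # across every on-premises AD connector on this server.
    Get-ADSyncConnector |
        Where-Object { $_.ConnectorTypeName -eq 'AD' } |
        ForEach-Object {
            $connectorName = $_.Name
            $_.Partitions |
                Where-Object { $_.Selected } |
                ForEach-Object {
                    [pscustomobject]@{ Connector = $connectorName; Partition = $_.Name }
                }
        }
}

function Test-DomainFilter {
    # Returns $true only when every selected partition is in the allow-list.
    # Comparison is case-insensitive because -notcontains is, by default.
    param([string[]]$Allowed)
    $selected   = @(Get-SelectedDomainPartitions)
    $unexpected = @($selected | Where-Object { $Allowed -notcontains $_.Partition })

    Write-Host "Selected partitions:"
    $selected | Format-Table -AutoSize | Out-String | Write-Host

    if ($unexpected.Count -gt 0) {
        Write-Warning "Partitions selected that belong to the other tenant's scope:"
        $unexpected | ForEach-Object { Write-Warning "  $($_.Connector): $($_.Partition)" }
        return $false
    }
    return $true
}

# Scheduler state: keep the sync cycle off until the filter has been confirmed,
# otherwise objects already owned by the first tenant could be exported here.
$scheduler = Get-ADSyncScheduler
Write-Host "SyncCycleEnabled is currently: $($scheduler.SyncCycleEnabled)"

if (-not (Test-DomainFilter -Allowed $AllowedPartitions)) {
    if ($scheduler.SyncCycleEnabled) {
        Write-Warning "Disabling the sync cycle until domain filtering is corrected."
        Set-ADSyncScheduler -SyncCycleEnabled $false
    }
    Write-Warning "Fix domain-based filtering in Synchronization Service Manager, then re-run."
} else {
    Write-Host "Domain filter matches the allow-list; the sync cycle can be enabled when ready:"
    Write-Host "  Set-ADSyncScheduler -SyncCycleEnabled `$true"
}
```

The script never enables the scheduler on its own; it only reports the selected partitions and switches the cycle off if a partition outside the allow-list is found, which is the state Luca wanted to confirm before the first export to the second tenant.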