AD connect for multiple tenants

  • Question

  • Hello guys,

    Our on-premises org currently has 1 forest with 1 domain and around 20 DCs. The requirement is to split this domain into 5 different tenants in Azure (because of business needs). My questions are:

    1. Can we use a single instance of AD Connect to sync every on-prem OU to a different tenant in Azure AD?

    2. If the answer to question 1 is NO, what needs to be done in order to split the current AD into 5 Azure AD tenants? Do we need to first re-organize/split our on-premises AD, creating 5 different domains, prior to using AD Connect to sync with Azure AD?

    3. Is splitting our on-premises AD into 5 new domains the only option, if we want to achieve the above scenario?

    Regards,

    Damyan

    Monday, September 9, 2019 12:58 PM

Answers

  • The scenario you described is unsupported, if I understand correctly what you are asking.

    [Figure: Unsupported topology for a single forest and multiple connectors]
    [Figure: Unsupported topology for a single forest and multiple tenants]

    From supported topologies:

    "These tasks are unsupported:

    Sync the same user to multiple Azure AD tenants.
    Make a configuration change so that users in one Azure AD tenant appear as contacts in another Azure AD tenant.
    Modify Azure AD Connect sync to connect to multiple Azure AD tenants."

    If I understand your ask and you want to divide a single forest into five tenants, the only way to do this that I know of is to create five separate on-premises forests on separate servers and sync each separately to its tenant, using a separate instance of AD Connect for each. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Monday, September 9, 2019 8:36 PM
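The answer above boils down to a topology rule: one Azure AD Connect instance serves one on-premises forest and syncs it to exactly one Azure AD tenant. The script below is an added example, not code from the thread or from Microsoft, that audits an existing sync server against that rule so an administrator can confirm the current deployment before planning the five-forest split. It assumes the `ADSync` PowerShell module that ships with Azure AD Connect is present (run in an elevated session on the sync server), uses the `Get-ADSyncConnector` and `Get-ADSyncScheduler` cmdlets from that module, and assumes the Azure AD connector reports `ConnectorTypeName` of `Extensible2` while on-premises forest connectors report `AD` (verify these values against `Get-ADSyncConnector` output on your own server).

```powershell
# Added example: audit an Azure AD Connect server for the supported
# "one forest -> one tenant" topology described in the answer.
# Assumption: ADSync module installed with Azure AD Connect.
Import-Module ADSync -ErrorAction Stop

function Test-SingleTenantTopology {
    [CmdletBinding()]
    param()

    $connectors = Get-ADSyncConnector

    # Assumed type names: 'Extensible2' = Azure AD connector, 'AD' = on-prem forest.
    $aadConnectors = @($connectors | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' })
    $adConnectors  = @($connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' })

    $findings = New-Object System.Collections.Generic.List[string]

    # Supported: exactly one Azure AD connector (one tenant) per sync server.
    if ($aadConnectors.Count -ne 1) {
        $findings.Add("Expected exactly 1 Azure AD connector, found $($aadConnectors.Count) (multi-tenant sync from one server is unsupported).")
    }

    # Multiple forest connectors pointing at one tenant is a supported topology,
    # but surface the count so the operator can confirm it is intentional.
    if ($adConnectors.Count -eq 0) {
        $findings.Add("No on-premises AD connector found; the server is not syncing any forest.")
    }

    # Scheduler state: a disabled sync cycle is worth flagging during a migration.
    $scheduler = Get-ADSyncScheduler
    if (-not $scheduler.SyncCycleEnabled) {
        $findings.Add("Sync cycle is disabled on this server.")
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        AzureADConnectors     = $aadConnectors.Count
        AzureADConnectorNames = ($aadConnectors | ForEach-Object { $_.Name }) -join '; '
        ForestConnectors      = $adConnectors.Count
        ForestConnectorNames  = ($adConnectors  | ForEach-Object { $_.Name }) -join '; '
        SyncCycleEnabled      = [bool]$scheduler.SyncCycleEnabled
        SupportedTopology     = ($aadConnectors.Count -eq 1 -and $adConnectors.Count -ge 1)
        Findings              = $findings -join ' '
    }
}

# Usage: run on each sync server and compare results before splitting forests.
Test-SingleTenantTopology | Format-List
```

Run this once per planned tenant after the split as well: each of the five new forests should have its own sync server whose report shows `AzureADConnectors = 1` with a different connector name (the target tenant) on every server, which is the supported shape the answer points to.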