Syncing multiple AD domains to a single Azure AD?

Dev11 21

Hello,

If I integrate with the Azure AD using the Password Hash Sync model, is it possible to run a separate instance of the Sync tool on each customer’s domain? Basically, I would like to allow company A and company B to use my app, provided that they install the Sync tool on their domains.

Thank you!

Accepted answer

AmanpreetSingh-MSFT 56,761 Reputation points

2019-12-14T06:03:31.133+00:00

@Dev1-4239 Having more than one Azure AD Connect sync server connected to a single Azure AD tenant is not supported. Refer to multiple-forests-multiple-sync-servers-to-one-azure-ad-tenant for more details.

-----------------------------------------------------------------------------------------------------------

Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.
Please sign in to rate this answer.

4 people found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

2 additional answers

Oleg K 136 Reputation points

2019-12-15T10:41:56.337+00:00

Maybe this will work https://learn.microsoft.com/en-us/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning
Please sign in to rate this answer.
AmanpreetSingh-MSFT 56,761 Reputation points

2019-12-17T03:12:56.137+00:00

Yes, this would help in your case.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Andreas Helland 76 Reputation points

2019-12-18T22:12:08.617+00:00
As stated above it is possible to sync multiple domains to a single AAD tenant, but when your use case is providing an app to multiple customers I'm struggling to see the architecture you're planning.

Is this single AAD tenant one owned/controlled by you, and the customers are non-related separate entities? If so it's a terrible idea to sync them into a common AAD. If "customers" are different companies in the same corporate structure it's something else.

The generic "offer a SaaS app to multiple customers" setup would usually be:

SaaS provider has an AAD tenant

Each customer has an AAD tenant

SaaS provider creates a multi-tenant app and let users sign in based on other AAD tenants.
Please sign in to rate this answer.
Dev11 21 Reputation points

2019-12-19T03:51:31.707+00:00

@Andreas Helland It’s not you, it’s my lack of understanding about how AAD works.

Can you expand a bit more about the “SaaS app to multiple customers” option?

“- SaaS provider has an AAD tenant”  so I create an AAD in my subscription. Check

“- Each customer has an AAD tenant”  on their own Azure subscription, separately from my own subscription? Would they be using the AD Sync Tool and setup AD sync to Azure in their environment? I’m not clear on this.

“- SaaS provider creates a multi-tenant app and let users sign in based on other AAD tenants.” -> I can search documentation on how to create a multi-tenant app. When users sign in based on their AAD, is it be possible to retrieve AD groups for them as part of the authentication?

Andreas Helland 76 Reputation points

2019-12-19T16:49:56.933+00:00

Well, AAD does take more than five minutes to learn that's true :)

Each customer would sign up for an AAD tenant if they don't already have one. If you have an Azure subscription you will have Azure AD, but it's also possible to create an AAD tenant without a sub. (Basic SSO features are free.)

It is up to the customer if they want to sync an on-prem AD with AAD Connect or just have "pure cloud". For the sake of developing a SaaS app with AAD integration it doesn't matter - whether the users are synced and the details of logging is taken care of. You just point to the right AAD endpoint.

When registering a multi-tenant app you specify which permissions it needs in the customer tenants and the admin of the customer will need to consent to directory level permissions (things like groups) whereas the user contents for things you might do on behalf of them (send mail and the like).

It's recommended to check specific groups rather than pull down all groups to avoid "token bloat".

Dev11 21 Reputation points

2019-12-21T06:08:36.38+00:00

Very helpful. Thank you!

How/when does the admin of the customer knows to consent permissions?

Andreas Helland 76 Reputation points

2019-12-23T10:16:41.127+00:00

There are a couple of different paths to consent. If the admin if the first user signing into the app they will get a dialog box asking for consent. If a non-admin user tries to sign in they'll get the option to notify the admin.

And it's also possible to create the consent url outside the app and mail it for the admin to approve.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Syncing multiple AD domains to a single Azure AD?

2 additional answers

Your answer