Multiple forests with no trust between - organisations merge - sync to single Azure AD tenant

A220000 1 Reputation point
2019-12-04T11:49:48.48+00:00

Hello folks,

We have a situation where there are multiple on-premises forests without forest trust between them from different organisations. Then we have one single Azure AD tenant/ AD Connect (already in place with an Exchange Hybrid hybrid) where we would like to sync the users from those multiple forests. I have already managed to add one of those organisations to the AD Connect and syncronised all their users by implementing a two way domain trust.

Due to security concerns around implementing a two way trust between all the organisations i.e Company A gets hacked and gets access to all the other trusted organisations. I am being asked if a one way trust would suffice to bring.sync all users accross to the main Azure AD tenant? Is there an alternative?

The goal is really to bring all user identities from all orgs and sync them into the existing O365. We know that with a two way trust it works but not sure with a one way trust would work

The total amount of users authenticating to O365 after the merge is completed will be around 1200 or more; do we need to deploy ADFS? is there an alternative if that was the case?

I look forward to hearing from you soon

Cheers

A

Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,644 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Lukas Beran 176 Reputation points
    2019-12-04T12:43:40.643+00:00

    Hi A.

    Check this supported scenario for multiple forests https://learn.microsoft.com/bs-latn-ba/Azure/active-directory/hybrid/plan-connect-topologies#multiple-forests-single-azure-ad-tenant

    You don't need ADFS. There is no limitation for number of accounts, so you can have as many accounts as you need and still use PTA (Pass-Through Authentication) / PHS (Password Hash Sync).

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.