Multiple forests with no trust between - organisations merge - sync to single Azure AD tenant

Question

Hello folks,

We have a situation where there are multiple on-premises forests without forest trust between them from different organisations. Then we have one single Azure AD tenant/ AD Connect (already in place with an Exchange Hybrid hybrid) where we would like to sync the users from those multiple forests. I have already managed to add one of those organisations to the AD Connect and syncronised all their users by implementing a two way domain trust.

Due to security concerns around implementing a two way trust between all the organisations i.e Company A gets hacked and gets access to all the other trusted organisations. I am being asked if a one way trust would suffice to bring.sync all users accross to the main Azure AD tenant? Is there an alternative?

The goal is really to bring all user identities from all orgs and sync them into the existing O365. We know that with a two way trust it works but not sure with a one way trust would work

The total amount of users authenticating to O365 after the merge is completed will be around 1200 or more; do we need to deploy ADFS? is there an alternative if that was the case?

I look forward to hearing from you soon

Cheers

A

Answer 1

Hi A.

Check this supported scenario for multiple forests https://learn.microsoft.com/bs-latn-ba/Azure/active-directory/hybrid/plan-connect-topologies#multiple-forests-single-azure-ad-tenant

You don't need ADFS. There is no limitation for number of accounts, so you can have as many accounts as you need and still use PTA (Pass-Through Authentication) / PHS (Password Hash Sync).