How to setup Azure AD Connect Multi-Tenant Sync

  • Post author:
  • Post category:Main
  • Post last modified:August 7, 2023
  • Reading time:6 mins read

Azure AD Connect Multi-Tenant sync has just become globally available. This means you can now synchronise the same object in Active Directory to multiple Azure Active Directory tenants. In this post, we are going to talk about Azure AD Connect, the new multi-tenant sync features and some scenarios where you may want this implemented.

The new Azure AD Connect Multi-tenant sync features

Azure AD Connect Multi-Tenant Sync allows you to install multiple Azure AD Connect servers in the same on-premise Active Directory and sync your objects to Multiple Azure AD Tenants. 

Previously you have only been able to synchronise your on-premises Active Directory with a single Azure AD tenant. There are various other supported topologies including; single on-premises AD to Single Azure AD Tenant or Multiple on-premises AD to single Azure AD Tenant.

The new Azure AD Connect Multi-Tenant sync feature will allow you to synchronise the same object on your on-premise Active Directory to multiple Azure Active Directory tenants. If you set up your Azure AD Connect to connect to multiple tenants, you will only be able to create a two-way sync to your primary Azure AD Tenant. The subsequent Azure AD tenants will be a one-way sync.

Azure AD Connect Multi-tenant

Scenarios where Azure AD Connect Multi-tenant sync should be used

Scenario 1

You have a single on-premises Active Directory tenant that synchronises to an Azure Active Directory tenant via Azure AD Connect. The primary UPN of all synchronised users is ourcloudnetwork.com. You wish to create a new Azure AD tenant with the primary domain of ocndemo.com to demo a new 3rd party product to potential clients. You wish you manage all corporate and demo user accounts via the single Active Directory forest. 

In this scenario, you can purchase the new domain of ocndemo and add it to your local Active Directory. The Azure AD Connect Multi-tenant sync feature can then be used to synchronise these user accounts to your demo tenant.

Scenario 2

You have a single on-premises Active Directory tenant that synchronises to an Azure Active Directory tenant via Azure AD Connect. The primary UPN of all synchronised users is ourcloudnetwork.com. Your company has recently purchased another organisation named ocndemo.com. You have recently integrated all their on-premise devices to your Active Directory, each user from ocndemo.com has also been created a local user account in your Active Directory and been given the primary UPN of ocndemo.com. 

ocndemo.com has a well established Microsoft 365 and Azure Active Directory tenant that cannot be moved. You want to ensure all local users account passwords for ocndemo users synchronise with their existing Azure Active Directory tenant. Again in this scenario, you can use the Azure Active Directory Multi-tenant sync feature to pair and sync each users on-premises Active Directory account to their Azure Active Directory user account.

Implementing Azure AD Connect Multi-tenant sync

Things you should know!

  • If you are syncing the same object to multiple Azure AD Tenants then you can use the same source anchor to pair the object on-premise and object in Azure.
  • You can sync the same object to different Azure environments, such as Azure Commercial, Azure Government or Azure China.
  • You cannot use a single Azure AAD Connect Server to sync the same object to multiple tenants. A separate AAD Connect server will need to be used, within the same Active Directory. This means each AAD Connect server must be joined to the domain.
  • If you are syncing to different tenants you can choose different scopes and rules compared to your primary AD Connect server.
  • You cannot use the same custom domain in multiple Azure AD tenants. Refer back to the image at the top of this post where we show the same on-premises active directory with multiple domains or aliases.
  • You can use Password Hash Sync and Password Writeback when syncing the same object to multiple Azure AD tenants. By changing the password in one tenant, it will simply overwrite the other.
  • It is not supported to configure Seamless SSO and Hybrid Azure AD Join in more that one tenant.
  • You can synchronise device objects to multiple Azure tenants, however only one tenant and be configured to trust the device.
 
How to setup Azure AD Connect Multi-tenant sync

Firstly, you need to make sure you have Azure AD Connect configured with your single on-premise AD Sync Server and single Azure AD Tenant. If you are not familiar with installing and configuring Azure AD Sync, check out our post on Installing Azure AD Connect. Make sure you have the latest version of AAD Connect installed!

Once you have that in place, you are ready for the next steps, make sure you have the following in place:

  • Any additional custom domains added to your on-premise Active Directory
  • A second Azure Active Directory tenant with the required custom domains added
  • A second domain-joined member server
Install Azure AD Connect on your second domain-joined member server (You can use the same guide mentioned above for the deployment). Once you have done this follow the wizard as outlined in the linked posted above.

Summary

Azure AD Connect can be used to synchronise the same object in an on-premise AD Forest to multiple Azure Active Directory tenants. Currently, the feature is in public preview and it is not recommended to be used in production. However, the feature is useful in a variety of scenarios to help meet your hybrid identity requirements.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 2 Comments

  1. Yogesh

    Hello Deniel, thanks for providing details for multi tenant sync.

    I have question but little different. i have one tenante of AAD with xyz.com as primary domain and AD & AADconnect server.

    Now I am installaling ABC.com AD & wanted to sync users to same Azure tananet using AADConnect server. Please share the link if you already have blog or share your inputs. thanks

Leave a Reply