AAD Connect - Multiple Azure AD tenants (Public preview)

ADFS in Multi-tenant scenarios

A single highly available AD FS farm can federate multiple forests as long as a two-way trust exists between them. These forests may or may not correspond to the same Azure Active Directory tenant.
Step 1: Establish a two-way trust
For the AD FS farm in contoso.com to be able to authenticate users in fabrikam.com, a two-way trust is needed between contoso.com and fabrikam.com. Follow the guidance in this article to create the two-way trust.
Step 2: Modify contoso.com federation settings
The default issuer for a single domain federated to AD FS is "http://ADFSServiceFQDN/adfs/services/trust", for example http://fs.contoso.com/adfs/services/trust. Azure Active Directory requires a unique issuer for each federated domain. Because the same AD FS farm is going to federate two domains, the issuer value must be modified so that it is unique for each domain that AD FS federates with Azure Active Directory.
On the AD FS server, open Azure AD PowerShell (ensure that the MSOnline module is installed) and perform the following steps.

Connect to the Azure Active Directory tenant that contains the domain contoso.com:

```powershell
Connect-MsolService
```

Update the federation settings for contoso.com:

```powershell
Update-MsolFederatedDomain -DomainName contoso.com -SupportMultipleDomain
```
The issuer in the domain federation settings is changed to "http://contoso.com/adfs/services/trust", and an issuance claim rule is added to the Azure AD relying party trust so that AD FS issues the correct issuerId value based on the UPN suffix of the authenticating user.
Step 3: Federate fabrikam.com with AD FS
In the Azure AD PowerShell session, connect to the Azure Active Directory tenant that contains the domain fabrikam.com and federate the domain:

```powershell
Connect-MsolService
Convert-MsolDomainToFederated -DomainName fabrikam.com -Verbose -SupportMultipleDomain
```
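The three steps above as one script, followed by the check a practitioner should run before trusting the setup: every federated domain must carry its own IssuerUri, and the Azure AD relying party trust must contain the issuerId rule. This is an added example, not code from the original page or from Microsoft; it assumes the MSOnline and ADFS modules, that it runs on the AD FS server with Global Administrator rights in the tenant(s) owning both domains, and that the relying party trust still has the default name "Microsoft Office 365 Identity Platform".

```powershell
# Added example (not from the original page): federate two domains from
# trusted forests through one AD FS farm, then verify that Azure AD holds a
# unique, per-domain issuer for each. Assumptions: MSOnline and ADFS modules
# are installed, the script runs on the AD FS server, and the Azure AD relying
# party trust keeps its default name.
Import-Module MSOnline
Import-Module ADFS

$AdfsFqdn = 'fs.contoso.com'
$Domains  = @('contoso.com', 'fabrikam.com')   # contoso.com is already federated

# Step 2: move contoso.com from the per-farm issuer to a per-domain issuer.
Connect-MsolService
Update-MsolFederatedDomain -DomainName 'contoso.com' -SupportMultipleDomain

# Step 3: federate fabrikam.com with the same farm. If fabrikam.com lives in a
# different Azure AD tenant, run Connect-MsolService again against that tenant
# before this line.
Convert-MsolDomainToFederated -DomainName 'fabrikam.com' -Verbose -SupportMultipleDomain

# Check 1: each domain must have an IssuerUri of the form
# http://<domain>/adfs/services/trust. Two domains that both still report
# http://$AdfsFqdn/adfs/services/trust would collide in Azure AD.
$issuers = foreach ($d in $Domains) {
    $s = Get-MsolDomainFederationSettings -DomainName $d
    [pscustomobject]@{ Domain = $d; IssuerUri = $s.IssuerUri }
}
$issuers | Format-Table -AutoSize

$dupes = $issuers | Group-Object -Property IssuerUri | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate issuer(s): $($dupes.Name -join ', ')" }
foreach ($i in $issuers) {
    if ($i.IssuerUri -ne "http://$($i.Domain)/adfs/services/trust") {
        Write-Warning "$($i.Domain): issuer is $($i.IssuerUri), not the per-domain form"
    }
}

# Check 2 (on the AD FS server): the issuerId transform rule that derives the
# issuer from the UPN suffix must be present on the Azure AD relying party.
$rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
$rp.IssuanceTransformRules -split "`n" | Select-String -SimpleMatch -Pattern 'issuerid'
```

If the first check reports a duplicate or a farm-style issuer, rerun Update-MsolFederatedDomain with -SupportMultipleDomain for that domain; if the second check returns nothing, the relying party trust was not updated and sign-ins for the second domain will be rejected by Azure AD.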
Recommendations
Microsoft recommends having a single Azure AD tenant per organization and using administrative units to delegate administration within it.

Administrative units in Azure Active Directory
As a Global Administrator or a Privileged Role Administrator, you can use the Azure portal to:
- Create administrative units
- Add users and groups as members of administrative units
- Assign IT staff to administrative unit-scoped administrator roles.
Administrative units scope only management permissions. They don't prevent members or scoped administrators from using their default user permissions to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin center, users outside a scoped admin's administrative units are filtered out of the views, but the same admin can still browse those users in the Azure portal, PowerShell, and other Microsoft services.
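The three portal tasks listed above done from PowerShell, ending with a review of who holds which role inside the unit. This is an added example, not code from the original page or from Microsoft; it assumes the AzureAD module and a Global Administrator or Privileged Role Administrator session, and the unit name, member UPNs and delegated admin UPN are placeholders.

```powershell
# Added example (not from the original page): create an administrative unit,
# add members one at a time, delegate User Administrator scoped to that unit,
# and list the scoped assignments. Assumes the AzureAD module; all names and
# UPNs below are placeholders.
Import-Module AzureAD
Connect-AzureAD

$AuName      = 'Fabrikam Helpdesk'
$MemberUpns  = @('alice@fabrikam.com', 'bob@fabrikam.com')
$ScopedAdmin = 'helpdesk-lead@fabrikam.com'

# Create the unit, or reuse it if it already exists.
$au = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$AuName'"
if (-not $au) {
    $au = New-AzureADMSAdministrativeUnit -DisplayName $AuName -Description 'Users managed by the helpdesk'
}

# Add members individually (bulk CSV import is portal-only, per the table below).
foreach ($upn in $MemberUpns) {
    $u = Get-AzureADUser -ObjectId $upn
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $u.ObjectId
}

# Resolve the User Administrator role; a directory role must be activated from
# its template once before it can be referenced.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq 'User Administrator'
if (-not $role) {
    $tmpl = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'User Administrator'
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $tmpl.ObjectId
}

# Assign the role scoped to this unit only, not tenant-wide.
$adminUser = Get-AzureADUser -ObjectId $ScopedAdmin
$member = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$member.Id = $adminUser.ObjectId
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $member

# Review: scoped role holders for this unit. This scope limits what the admin
# can manage; it does not limit what they can read elsewhere in the tenant.
Get-AzureADMSScopedRoleMembership -Id $au.Id |
    Select-Object RoleId, @{ n = 'Admin'; e = { $_.RoleMemberInfo.Id } }
```

Compare the scoped assignment with Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId: the delegated admin should not appear there, since a tenant-wide membership of the same role would silently override the unit scope.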
What is supported with Administrative Units?
Administrative unit management
| Permissions | Graph/PowerShell | Azure portal | Microsoft 365 admin center |
|---|---|---|---|
| Creating and deleting administrative units | Supported | Supported | Not supported |
| Adding and removing administrative unit members individually | Supported | Supported | Not supported |
| Adding and removing administrative unit members in bulk by using CSV files | Not supported | Supported | No plan to support |
| Assigning administrative unit-scoped administrators | Supported | Supported | Not supported |
| Adding and removing administrative unit members dynamically based on attributes | Not supported | Not supported | Not supported |
User management
| Permissions | Graph/PowerShell | Azure portal | Microsoft 365 admin center |
|---|---|---|---|
| Administrative unit-scoped management of user properties, passwords, and licenses | Supported | Supported | Supported |
| Administrative unit-scoped blocking and unblocking of user sign-ins | Supported | Supported | Supported |
| Administrative unit-scoped management of user multifactor authentication credentials | Supported | Supported | Not supported |
Group management
| Permissions | Graph/PowerShell | Azure portal | Microsoft 365 admin center |
|---|---|---|---|
| Administrative unit-scoped management of group properties and members | Supported | Supported | Not supported |
| Administrative unit-scoped management of group licensing | Supported | Supported | Not supported |
