24 July 2019

One user identity and two tenant objects

Written by Ryan Wilson

This blog demonstrates how one on-premises user can be synced to two different Office 365 tenants. This was done for testing purposes only and is not a supported configuration.

The idea of the test is to have one user account on a local Active Directory server synced to two separate tenants using two AAD Connect servers. Each AAD Connect server is configured with a different source anchor and syncs a different set of attributes to its tenant, so there should be no attribute writeback clash across tenants. A transformation rule is set on both AAD Connect servers to sync a unique UPN relevant to Office 365.

Two tenants used for testing:

@tsdemotest1.onmicrosoft.com

@tsdemotest2.onmicrosoft.com

Three user accounts have been created for sync testing:

AAD Connect was installed on syncserver1 with the following custom option:

As expected, the users are synced to Office 365 with an onmicrosoft.com account, because no vanity domain is available.

On Active Directory the attribute is written back

AAD Connect was then installed on syncserver2 with the source anchor changed to ms-ds-consistencyGUID.

After the second AAD Connect server has been configured with a different source anchor, we can see the same user account synced to both tenants.
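A verification step for this point, added here and not part of the original post: it computes the ImmutableId each tenant should hold from the on-premises anchor attribute (base64 of the 16 raw GUID bytes, the encoding AAD Connect uses for a GUID anchor) and compares it with the tenant. It assumes the RSAT ActiveDirectory module, the MSOnline module already connected to the tenant being checked, that syncserver1 kept the default objectGUID anchor, and that the test account's sAMAccountName is synceduser1 (an assumed value).

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory, MSOnline
# (Connect-MsolService already run against the tenant under test), syncserver1 on the
# default objectGUID anchor, and the assumed sAMAccountName 'synceduser1'.
Import-Module ActiveDirectory

function Get-ExpectedImmutableId {
    # ImmutableId AAD Connect derives for the chosen anchor: base64 of the raw GUID bytes.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('objectGUID', 'ms-ds-consistencyGUID')]
        [string]$SourceAnchor
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'ms-ds-consistencyGUID'
    if ($SourceAnchor -eq 'objectGUID') {
        $bytes = $user.objectGUID.ToByteArray()
    } else {
        # ms-ds-consistencyGUID is only populated after the first server has written it
        # back; the second server cannot anchor on an empty attribute.
        $bytes = [byte[]]$user.'ms-ds-consistencyGUID'
        if (-not $bytes -or $bytes.Length -ne 16) {
            throw "ms-ds-consistencyGUID not populated for $SamAccountName; export from syncserver1 first."
        }
    }
    [Convert]::ToBase64String($bytes)
}

function Test-TenantAnchor {
    # Compares the on-premises expectation with what the connected tenant actually holds.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CloudUpn,
        [Parameter(Mandatory)][string]$SourceAnchor
    )
    $expected = Get-ExpectedImmutableId -SamAccountName $SamAccountName -SourceAnchor $SourceAnchor
    $actual   = (Get-MsolUser -UserPrincipalName $CloudUpn).ImmutableId
    [pscustomobject]@{
        User     = $SamAccountName
        Tenant   = ($CloudUpn -split '@')[1]
        Anchor   = $SourceAnchor
        Expected = $expected
        Actual   = $actual
        Match    = ($expected -eq $actual)
    }
}

# Run each line after Connect-MsolService against the matching tenant.
Test-TenantAnchor -SamAccountName 'synceduser1' -CloudUpn 'synceduser1@tsdemotest1.onmicrosoft.com' -SourceAnchor 'objectGUID'
Test-TenantAnchor -SamAccountName 'synceduser1' -CloudUpn 'synceduser1@tsdemotest2.onmicrosoft.com' -SourceAnchor 'ms-ds-consistencyGUID'
```

A Match of False on either tenant means that tenant's AAD Connect is not anchored on the attribute you think it is, which is exactly the condition that later produces duplicate or orphaned cloud objects.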

To test that sync works on both, the display name for Synced User3 was modified and a delta sync was run on both AAD Connect servers.

Each of the user accounts in Active Directory now has unique attributes.

User account ‘Synced User1’ has been licensed on both tenants and its password has been reset in the local Active Directory. The user can log into both email addresses through OWA, as expected, using the password changed on-premises.

Password writeback has now been enabled on both sync servers to check what happens when the password is changed in one tenant and whether the change is reflected in the second tenant.

Before testing password writeback we need to add an Azure AD Premium P1 licence in both tenants.

To use password writeback, you must have one of the following licenses assigned on your tenant:

  • Azure AD Premium P1
  • Azure AD Premium P2
  • Enterprise Mobility + Security E3 or A3
  • Enterprise Mobility + Security E5 or A5
  • Microsoft 365 E3 or A3
  • Microsoft 365 E5 or A5
  • Microsoft 365 F1
  • Microsoft 365 Business

The following was applied to the tenants:

The licence has been applied to the users and this is reflected in Office 365.

The password has been changed in OWA for ‘Synced User1’ on tsdemotest1.onmicrosoft.com.

Next, check whether password writeback works and syncs through to syncserver2, so that the second tenant can log in using the same password changed in tenant one.

After running a delta sync on syncserver1 the last password change time was updated; running the delta sync on syncserver2 afterwards showed the same result.

Password writeback was successful: the same password can be used in both tenants.

This test proves that one source of identity can be split across two separate tenants using different source anchors, and that password writeback works across both tenants regardless of where the password is changed. Based on this, there should be no reason we cannot exclude certain attributes from one AAD Connect server and write back the information from the other, which would cause no conflict between the two.

The next step is to add two new UPN suffixes in Active Directory and add a vanity domain on each tenant that matches the on-premises UPN, then set a sync rule on each AAD Connect server to modify the UPN so the on-premises user account has two external email domains associated with one on-premises AD account.
