Imagine that a large company that has a number of subsidiaries. A shared IT company manages the Active Directory (and almost all other IT services) centrally for all subsidiaries. There also currently exists an Azure tenant which is connected to the On Premises Active Directory, however for issues surrounding who controls/owns which resources employees cannot use this Azure tenant.
One of the subsidiaries decides it wants to create it's own Azure tenant so it can progress it's development work. However that company is told that "Only a single federation to an Azure tenant is currently supported per Active Directory Domain".
I found this document. Would it be reasonable to presume that if the company consisted of the Contoso implementation that it would still be possible to federate 2 azure tenants to that single On Premises Active Directory. Are there any reasons why one implementation of On Premises Active Directory would be capable of this functionality and another not.
Yes, you can do this but you can only have one AD Connect instance per tenant as there is a 1:1 relationship between an Azure AD Connect Sync server and an Azure AD tenant. So you need to register three separate UPN suffixes for each tenant with the on-premises Active Directory and use three separate sync servers (one for each tenant). You need to apply filtering while syncing AD users for each tenant.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation
Related
I'm trying to setup a user lifecycle flow that will allow me to create an Azure Active Directory user (Member, not Guest) when an employee is created in our HRIS tool (HiBob). There is a pre-existing integration which is enabled and allows us to get basic information (name, location, etc.).
In the HRIS system we also store some more unique data that I would like to be added to the users AAD profile (maybe an emergency contact for example) that we can then use to provision other applications (like Slack).
My issue is trying to create these custom property fields. I have read about Azure B2C as well as directory schema, custom security extensions and using MS Graph. None of these seem to be totally relevant to my situation.
FYI we are fully cloud, so Azure AD Connect is also not an option.
To store custom data in Azure AD objects such as users you can leverage Azure AD Directory Extensions in tandem with Azure AD Provisioning trough SCIM.
If users once synced with Azure AD Connect Cloud Provisioning can be moved to synchronization via Forest trust without having to remove and re-add the users?
Cloud provisioning can be used to sync from multiple Active Directory forests. In the multi-forest environment, all the references (example, manager) need to be within the domain. Users and groups must be represented only once across all forests.
Kindly check the document for Azure AD connect cloud provisioning supported topologies to get detailed information about this
My problem is that we have 2 On-Premises Active Directory domains:
mycompany.com
mycompany-dev.com
Some people are present in both of these AD-s. I want to sync them with Azure Active Directory so that they are all represented once, and all have the #mycompany.com suffix (instead of #mycompany.onmicrosoft.com). I also don't want some users to have #mycompany-dev.com in their azure AD account login name, so I want to do some sort of mapping I guess.
Is this possible with Azure AD Connect, or do I have to implement a synchronization method manually?
You can sync multiple on-premises domain to Azure AD. Kindly check the link and you will get a detailed information about different topologies supported
I am using Redgate Data Platform Studio to transfer data from on-premise SQL Server to Azure-hosted SQL Server. This web-based application has the ability to use an Azure Storage account (for data transfer purpose) simply by logging into my company's ADFS. The web application can successfully see storage accounts inside a subscription (let's call it Subscription A) owned by my ADFS user, when I log in to my company's active directory (via ADFS). Let's call my company's AD Directory A.
I also have subscription B owned by a Microsoft account NOT related to my company's Active Directory. This subscription B is managed by another Azure AD Tenant B, with that Microsoft account as the Service Administrator & Owner. To link the two directories, I used B2B State 3 configuration described here. So in Directory B, my Directory A user shows up as Guest User with the Source=External Azure Active Directory.
For the storage accounts in Directory B, I grant the built-in role "Storage Blob Data Contributor" and "Storage Account Contributor" to the Guest User (source=external AAD Directory A). Therefore, in both Microsoft Azure Storage Explorer as well as in portal.azure.com I can see storage accounts inside Subscription B.
BUT if I log in to the Redgate application using Directory A credential (via my company's ADFS), only storage account inside Subscription A shows up in the Redgate application. I already tried giving the guest user in Directory B the following roles to the user, even at the highest Subscription B level, but no luck:
As Co-Administrator
As Contributor
As Storage Account Contributor
As Storage Blob Data Owner
My question: is this the application's limitation of not being able to access subscription in another directory (B), or is there some configuration either in directory A/B and/or subscription A/B that I need to set?
Is this the application's limitation of not being able to access subscription in another directory?
As per my official document and my understanding you cannot assign your subscription among many directory.
As said on official document "Multiple subscriptions can trust the
same Azure AD directory, but each subscription can only trust a single directory".
See the below screen shot and refer here
Note: When you associate a subscription to a different directory, users that have roles assigned using role-based access control (RBAC)
will lose their access. Classic subscription administrators
(Service Administrator and Co-Administrators) will also lose
access. Please check the Important Note here
If you want to know more details please refer this docs
When RBAC was introduced in Azure Active directory, roles can be granted to users or collection of users (groups).We followed this blog post and added that functionality for our apps when it first got introduced. But now, we have to go for active directory premium to assign roles to groups and get roles in bearer token.Going with Azure Active directory is not a feasible solution for us as premium is gonna cost us $6 user/ month and we have lot of groups and each group has lot of users. Looking at the costs our IT team is not willing to go for this package. I was just wondering if there an alternative approach for mapping roles to groups. Or this is only doable using premium.
Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups to assign access to a SaaS application that's integrated with Azure AD( refer here about detail).
So if you want to manage the roles using the group, we need at least the Azure AD Basic license. If you were using the free edition, we can only assign the roles to the users one by one.
Instead using the role manage the access for the application, we can also use the group which also supports for the Azure AD free edition. You can check the code sample about authorization in a web app using Azure AD groups & group claims from here.