Created: 8/30/20

Updated: 8/30/20

Wanted to touch base on how to associate multi-forest domains, connected via IPsec point-to-point tunnels so they can “peer” with each other, with a single Azure tenant. All that is required is one routable UPN suffix; all of the other “custom” domain suffixes can be non-routable, assuming the server running Azure AD Connect has complete access to Azure.

A few things to point out:

  • You’ll need a P2P tunnel between all sites, which enables “LAN peering”
  • All sites must be able to ping the Azure AD Connect server, which sits in a centralized location
  • Create a custom service account with Global Administrator rights in Azure, to be used as the account for Azure AD Connect
  • At least one UPN domain suffix needs to be routable, i.e. you add the domain in Azure AD under “Custom domains”, create the TXT/MX record it gives you with your public registrar, wait a few hours, then verify it
  • The custom UPN suffix created and verified in the previous bullet should be added under “Active Directory Domains and Trusts” on your Windows Server as a custom UPN suffix
  • Associate the UPN suffix created in “Domains and Trusts” with the user accounts in Active Directory; by default, the attribute Azure AD Connect uses is the user’s UPN, whose suffix is one of the values defined in “Domains and Trusts” on your Windows Server
  • Alternatively, you can set the Azure AD Connect default attribute to the value called “mail” and then, in the “E-mail” field on the user’s “General” tab in Active Directory, define the email address you want associated with the user account; that address is what Azure AD Connect syncs into Azure. Example: [email protected] could have an email of [email protected], and then in Azure AD the user would show up as [email protected]. Be aware you shouldn’t change this value after it’s been set up
  • Note that since Azure AD Connect uses the UPN suffix by default, if you wish to change it to “mail” you’d need to uninstall Azure AD Connect and reinstall it/reconnect it to Azure to define the “mail” attribute, since the ms-DS-ConsistencyGuid is defined from the beginning (this locks in the attribute used to ‘sync’ accounts) and can only be reverted with a clean uninstall of Azure AD Connect
  • If you have a vpool.local default domain UPN suffix, create a custom vpool.com suffix, and associate this vpool.com suffix with the user in Active Directory, the user will still log in with the same profile created under the vpool.local UPN. The user will not have to create a new profile or lose profile-based settings or permissions
  • Once all forests are added to the connected directories in Azure AD Connect, you can ‘sync’ all of them into Azure based on the attribute you selected. Then, from inside Azure AD, you can associate the verified, routable vpool.com domain as the domain O365 Exchange uses to link all of the “linked” forest domains under one routable email address, while keeping all of the local forests as self-governing domains independent of each other
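
As an added example (not from the original post), the UPN-suffix steps above as a PowerShell script run on a domain controller with the ActiveDirectory RSAT module: it registers the routable suffix for the forest, rewrites users’ UPNs from the non-routable suffix, and then reports any user whose UPN still carries a non-routable suffix before you let Azure AD Connect sync them. The vpool.local/vpool.com names come from the post; the OU search base and the `$Apply` switch are assumptions.

```powershell
# Added example: moves users from a non-routable UPN suffix to the routable one
# before Azure AD Connect syncs them. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$OldSuffix  = 'vpool.local'                   # non-routable default suffix (from the post)
$NewSuffix  = 'vpool.com'                     # routable suffix verified in Azure AD "Custom domains"
$SearchBase = 'OU=Users,DC=vpool,DC=local'    # assumption: adjust to your OU
$Apply      = $false                          # $false = dry run (-WhatIf); set $true to change users

# Step: register the routable suffix as an alternative UPN suffix for the forest
# (the same thing as adding it in "Active Directory Domains and Trusts").
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $NewSuffix}
}

# Step: associate the routable suffix with each user account. Only the suffix
# changes; sAMAccountName and SID stay the same, so existing profiles and
# permissions are untouched, as the post notes.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -SearchBase $SearchBase -Properties UserPrincipalName
foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.UserPrincipalName.Split('@')[0], $NewSuffix
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:(-not $Apply)
}

# Check: a user left on a non-routable suffix will land in Azure AD under the
# tenant's default *.onmicrosoft.com name instead of the routable domain, so
# list those (with the mail attribute, in case you chose "mail" as the sign-in
# attribute) before running the first sync.
$routable = @($NewSuffix)
Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName, mail |
    Where-Object { -not $_.UserPrincipalName -or
                   ($_.UserPrincipalName.Split('@')[1] -notin $routable) } |
    Select-Object SamAccountName, UserPrincipalName, mail |
    Format-Table -AutoSize
```

With `$Apply = $false` the report still lists every user, since the rename was only simulated; run it once more after setting `$Apply = $true` and the list should be empty.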

I’ll update this soon to provide step-by-step instructions on how to do this with pictures. 🙂