Make it possible to Azure AD join/synchronize device (computer) objects to multiple Azure AD tenants from a single forest AD.
Some companies hosts multiple sub-customers in a single forest Active Directory.
Each sub-customers users and machine objects are organized in their own OUs.
Present configuration would be one AAD Connect server per customer OU – which synchronize the user objects to their respective individual Azure Tenants and they license all their sub-customers AAD Users with M365 licenses.
Some would like to enable Automatic AAD Join (Hybrid Azure AD Join) for their sub-customers Windows 10 Enterprise devices via GPO.
They want to manage the sub-customers domain-joined devices with Intune, and use device-based conditional access.
AAD Device Registration (DRS) requires a Service Connection Point (SCP), which is a unique object in AD – and the SCP can only be associated with a single Azure AD tenant at a time.
The only solution to this scenario is to make the Local AD into a multi forest directory, and then re-organize all existing object into a new AD design – this would involve a lot of work, and make the ADDS-infrastructure more complex.
Request: Make it possible to Azure AD join/synchronize device (computer) objects to multiple Azure AD tenants from a single forest AD.
René Büdinger commented
We run the exact same Scenario and wanted to utilize the hybrid managemend of Systems. But because of the reason mentioned (the SCP is unique), we can´t use it or need to redesign the whole existing AD. If the SCP would also contain Information about something unique to the AAD (Domains?) or if we had a chance to use a GPO to point a system to the correct SCP (if it would be possible to create multiple of them), this might be a solution.
This inability to setup a SCP as Child domain is prevent us from using AAD /Intune CA (domain joined/compliant) We cannot move to the cloud completely until we can setup a SCP in a child domain.