Exchange integration with different Azure RMS connector servers under same AD to support Multiple Tenants

  • Question

  • Hi all,

    May I confirm whether the following scenario will work and be supported by Microsoft? As far as I can see from the documentation, the RMS connector is just a simple proxy and not AD SCP related, so the scenario should work.

    =======================================

    Say I have one AD forest only. I have 2 sets of Exchange 2013 DAGs (DAG01 and DAG02) under this AD. The users on DAG01 and DAG02 are using different Azure RMS tenants (tenantA and tenantB). Assume we don't need to consider end-user desktops and other applications, and the users of the different DAGs don't need to talk to each other. Can I do the following for the Azure RMS and Exchange integration?

    1. Set up a pair of Azure RMS connector servers (RC01 and RC02, configured for tenantA), and configure all members of DAG01 to point to the common URL of RC01 and RC02 by editing the related registry keys.

    2. Set up another pair of Azure RMS connector servers (RC03 and RC04, configured for tenantB), and configure all members of DAG02 to point to the common URL of RC03 and RC04.

    =======================================

    Thanks in advance for your help.


    William Yang


    Monday, October 12, 2015 9:34 AM
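The scenario above hinges on every DAG member being redirected to the connector pair for its own tenant, so a practical first check is to read back the redirection settings from each server and compare them against the intended mapping. The script below is an added example for that check; it is not from the thread and not Microsoft's connector tooling. Server names and connector URLs are placeholders standing in for EX01..EX04, RC01/RC02 and RC03/RC04; the registry locations are assumed to be the ones the Azure RMS connector guide documents for Exchange 2013 and the MSIPC client on the server (the v15 path would be v14 on Exchange 2010), and the values are read remotely with Invoke-Command, so WinRM must be reachable on the Exchange servers.

```powershell
# Added example (not part of the thread): audit which Azure RMS connector URL each
# Exchange 2013 server is redirected to, so every DAG01 member points at the tenantA
# connector pair and every DAG02 member at the tenantB pair. All names and URLs below
# are placeholders (assumption) for the servers described in the question.

$expected = @{
    # DAG01 members -> common name in front of RC01/RC02 (tenantA)
    'EX01' = 'https://rmsconnector-a.contoso.local'
    'EX02' = 'https://rmsconnector-a.contoso.local'
    # DAG02 members -> common name in front of RC03/RC04 (tenantB)
    'EX03' = 'https://rmsconnector-b.contoso.local'
    'EX04' = 'https://rmsconnector-b.contoso.local'
}

# Registry values the connector configuration writes on an Exchange 2013 server.
# Assumption: these are the documented locations; verify against the connector guide
# for the Exchange version in use (v15 = Exchange 2013, v14 = Exchange 2010).
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\IRM'; Name = 'CertificationServerRedirection'; Suffix = '/_wmcs/certification' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\IRM'; Name = 'LicenseServerRedirection';        Suffix = '/_wmcs/licensing' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification'; Name = '(default)'; Suffix = '/_wmcs/certification' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterprisePublishing';    Name = '(default)'; Suffix = '/_wmcs/licensing' }
)

$results = foreach ($server in $expected.Keys) {
    $base = $expected[$server]

    # Read every redirection value from the remote server in one round trip.
    $actual = Invoke-Command -ComputerName $server -ArgumentList (,$checks) -ScriptBlock {
        param($checks)
        foreach ($c in $checks) {
            $value = $null
            if (Test-Path $c.Path) {
                $value = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).($c.Name)
            }
            [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Suffix = $c.Suffix; Value = $value }
        }
    }

    # Compare each value with the URL this server's DAG is supposed to use.
    foreach ($a in $actual) {
        $want = $base + $a.Suffix
        [pscustomobject]@{
            Server   = $server
            Setting  = "$($a.Path)\$($a.Name)"
            Expected = $want
            Actual   = $a.Value
            Status   = if ($a.Value -eq $want) { 'OK' }
                       elseif (-not $a.Value)  { 'MISSING' }   # never configured
                       else                    { 'MISMATCH' }  # points at the other tenant's connector
        }
    }
}

$results | Sort-Object Server, Setting | Format-Table -AutoSize

# Fail the run if any DAG member is missing a value or points at the wrong connector.
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```

Run it from a workstation with remoting rights on the Exchange servers after the connector setup and again after any server is added to a DAG; a MISMATCH row is exactly the cross-tenant condition the question is trying to rule out, and a MISSING row means that server will fall back to whatever the MSIPC client discovers on its own.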

All replies

  • This isn't a tested and supported scenario. That doesn't mean it might not work, but you would also have to sync your AD accounts to both tenants.
    Wednesday, October 14, 2015 8:28 PM
  • Thanks for the reply.

    Yes, AADSync is done for both tenants.


    William Yang

    Thursday, October 15, 2015 6:25 AM
  • Hi. The problem is specifically with AADSync. The connector itself would have no problem in having two separate instances talking to different tenants, and neither would Exchange DAGs have a problem in talking to different connectors, but since one AD forest can only be synced to one tenant for a specific domain, and you can't use the connector without sync, you can't set up this environment and have users that are able to authenticate to their respective tenants from within the same forest.

    HTH


    Enrique Saggese - Sr. Program Manager - Information Protection - Microsoft Corporation

    Friday, October 23, 2015 6:20 PM
  • Hi Enrique,

    Thanks a lot for your reply. Let me explain.

    My clients have their own AD and AADSync to sync with their tenants. My company is hosting Exchange services for them and uses FIM/MIM to sync the necessary directory objects from their AD to the hosting AD. In this case, we are not syncing with O365 directly, and users will use their own AD credentials for Azure RMS authentication. So is AADSync still a problem here?

    My next question is: what are the necessary AD attributes on user objects so that Exchange can request licenses through the connector from Azure RMS? For example, UPN, primary email address, etc. Once we know that, we can fully control the flow in FIM to meet the requirement.

    Best Regards,

    William


    William Yang

    Saturday, October 24, 2015 2:19 AM