How do multiple Azure Active Directory organizations interact?
This tutorial will help you understand how multiple Azure Active Directory organizations interact. Each Azure Active Directory (Azure AD) organization is completely self-contained: it is a peer that is logically separate from the other Azure AD organizations you administer. Resource independence, administrative independence, and synchronization independence are all aspects of this organizational independence. Organizations do not have a parent-child relationship.
Resource independence
- If you create or delete an Azure AD resource in one organization, it has no impact on any resource in another organization, with the partial exception of external users.
- If you register one of your domain names with one organization, it can’t be used by any other organization.
Administrative independence
If a non-administrative user of organization ‘Contoso’ creates a test organization ‘Test,’ then:
- By default, the user who creates an organization is added as an external user in that new organization and assigned the global administrator role in that organization.
- The administrators of organization ‘Contoso’ have no direct administrative privileges in organization ‘Test’ unless an administrator of ‘Test’ specifically grants them these privileges. However, administrators of ‘Contoso’ can control access to organization ‘Test’ if they control the user account that created ‘Test’.
- If you add or remove an Azure AD role for a user in one organization, the change does not affect the roles that the user is assigned in any other Azure AD organization.
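Because each organization is a separate peer, a role held in ‘Contoso’ says nothing about who is a global administrator in ‘Test’; the only way to know is to sign in to each organization and ask. The following script is an added example, not part of this tutorial or of Microsoft's documentation, that audits the Global Administrator membership of several organizations with the Microsoft Graph PowerShell SDK and flags external (guest) members, which is how the account that created a test organization shows up. The tenant IDs are placeholders, and the script assumes the Microsoft.Graph module is installed and that the signed-in account can read directory roles in each organization.

```powershell
# Added example (not from the original tutorial): list Global Administrators
# in each Azure AD organization you administer, one sign-in per organization,
# because role assignments never cross organization boundaries.
# Assumes: Install-Module Microsoft.Graph has been run, and the account used
# for Connect-MgGraph can read directory roles in every listed organization.

# Placeholder tenant IDs; replace with the IDs of your own organizations.
$tenantIds = @(
    '00000000-0000-0000-0000-000000000001'   # e.g. 'Contoso'
    '00000000-0000-0000-0000-000000000002'   # e.g. 'Test'
)

$report = foreach ($tenantId in $tenantIds) {
    # Each organization requires its own session; a session in 'Contoso'
    # grants no visibility into 'Test'.
    Connect-MgGraph -TenantId $tenantId `
        -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

    # The role object exists only once the role has been activated in that
    # organization, so filter client-side and skip organizations without it.
    $role = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
    if (-not $role) {
        Disconnect-MgGraph | Out-Null
        continue
    }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        $props = $member.AdditionalProperties
        [pscustomobject]@{
            TenantId          = $tenantId
            ObjectType        = $props['@odata.type']        # user, group or servicePrincipal
            UserPrincipalName = $props['userPrincipalName']
            # 'Guest' marks an external user, e.g. the account that created
            # the organization and was granted global administrator by default.
            UserType          = $props['userType']
        }
    }
    Disconnect-MgGraph | Out-Null
}

$report | Format-Table -AutoSize
```

Run it once per set of organizations you are responsible for; any row with UserType ‘Guest’ is an administrator whose home account lives in another organization, so the organization's security depends on controls applied there rather than in the organization being audited.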
Synchronization independence
You can configure each Azure AD organization independently to interact and get data synchronized from a single instance of either:
- The Azure AD Connect tool, to synchronize data with a single AD forest.
- The Azure Active Directory Connector for Forefront Identity Manager, to synchronize data with one or more on-premises forests and/or non-Azure AD data sources.
Add an Azure AD organization
To add an Azure AD organization in the Azure portal, sign in to the Azure portal with an account that is an Azure AD global administrator, and select New.
Reference documentation – Understand how multiple Azure Active Directory organizations interact