Duo SSO with multiple forests

rdbrooks · ‎11-22-2022

Hi all,

I’m looking at setting up Duo SSO for a customer using AD connect to sync to Azure. In the steps for Duo SSO it says to set the sign on method to do not configure and to federate the domain.

But i wanted to know if the customer has multiple forests synced and i only want to federate one, and keep the others as Password sync for example, is that possible? of do i have to federate all domains synced by that AD connect server or give those others forests their own AD connect server and leave the federated one by itself with ots own AD connect.

DuoKristina · ‎11-23-2022

If the other forests are different custom domains in Azure they should be unaffected by federation you do with the custom domain and forest that you do want to federate.

Like if you have contoso.com and nwtraders.com as Azure custom domains, and they correspond to CONTOSO and NWTRADERS forests, you should be able convert contoso.com to federated while leaving nwtraders.com as managed.

Disclaimer: I work at Duo, not at Microsoft.

ETA: I don’t know the answer to your question about whether a single AAD Connect instance can take care of both. I think it can though.

Also I found this document that might help: Azure AD Connect Multiple Domains - Microsoft Entra | Microsoft Learn

Duo, not DUO.

rdbrooks · ‎11-23-2022

Thanks, DuoKristina, my main concern was that setting the Sign On method to do not configure would affect the managed domains, i posted over on the MS forums and they suggested moving the other domains to their own AD connect. Thankfully they want to federate all so i guess that solves that lol.