Published: Dec 20, 2023
Key Takeaways:
- Microsoft has announced support for two-way trust relationships in Entra Domain Services, currently in private preview.
- The new feature gives organizations greater control over hybrid identity environment management.
- Microsoft encourages organizations to participate in the private preview program.
Microsoft has added support for two-way trust relationships in its Entra Domain Services solution. The new feature provides organizations with increased control over the management of hybrid identity environments.
Microsoft Entra Domain Services is a cloud-based solution that offers managed domain services, including group policy, domain joining, LDAP, and Kerberos/NTLM authentication. This service enables organizations to move legacy applications from an on-premises environment to a managed domain in the cloud without maintaining their own infrastructure. Customers can use trust relationships to integrate their cloud and on-premises resources.
In Microsoft Entra Domain Services, trust relationships provide secure access to resources across multiple domains or forests. Organizations might consider creating a trust relationship to address hybrid identity management or merger and acquisition scenarios.
Until now, Microsoft Entra Domain Services allowed organizations to create only one-way outbound trusts from a managed domain to an on-premises forest or domain. In that configuration the managed domain trusts the on-premises forest, so on-premises users can authenticate to resources in the managed domain, but accounts in the managed domain cannot access on-premises resources.
Microsoft explained that the new feature lets administrators create trusts between Domain Services and an on-premises AD DS forest in three directions: two-way, one-way outgoing, and one-way incoming. They can select the trust direction based on their organization's collaboration, security, and migration needs.
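Trust direction is easy to get backwards, because Active Directory reports it from the point of view of the domain you query. The following PowerShell is an added example, not code from Microsoft's announcement, showing how to audit the on-premises side of a Domain Services trust once two-way trusts are possible. It assumes the ActiveDirectory RSAT module is installed, the caller can read the trust objects, and it uses a hypothetical managed-domain name.

```powershell
# Added example (not from Microsoft's announcement): audit trusts from the
# on-premises forest and flag the ones that let managed-domain principals
# reach on-premises resources. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        # Hypothetical managed-domain name; replace with your Domain Services domain.
        [string]$ManagedDomain = 'aaddscontoso.com'
    )

    Get-ADTrust -Filter * | ForEach-Object {
        $t = $_
        $toManaged = ($t.Target -ieq $ManagedDomain)

        # Direction is relative to the local (on-premises) domain:
        #   Inbound       = the target trusts us (the old one-way outbound-from-managed case)
        #   Outbound      = we trust the target, so its accounts can access our resources
        #   BiDirectional = both
        $managedCanReachUs = $toManaged -and ($t.Direction -ne 'Inbound')

        $finding = ''
        if ($managedCanReachUs -and -not $t.SelectiveAuthentication) {
            $finding = 'Managed-domain accounts can authenticate to on-prem resources; consider selective authentication'
        }
        if ($toManaged -and -not $t.SIDFilteringForestAware) {
            $finding += ' | SID filtering (quarantine) not enabled on forest trust'
        }

        [pscustomobject]@{
            Target                  = $t.Target
            Direction               = $t.Direction
            ForestTransitive        = $t.ForestTransitive
            SelectiveAuthentication = $t.SelectiveAuthentication
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            Finding                 = $finding.TrimStart(' |')
        }
    }
}

Get-TrustReport | Format-Table -AutoSize
```

Run it from a domain-joined on-premises host before and after the trust change: the managed domain's entry should move from Inbound to BiDirectional when a two-way trust is created, which is the moment on-premises resources become reachable by managed-domain principals. Selective authentication and SID filtering are the two knobs that bound what that access can do, so review both rather than only the direction.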
Microsoft notes that support for two-way trust relationships is available in private preview for select commercial customers. The company encourages organizations to sign up for the private preview of the new feature on this page.
Keep in mind that customers must already have an on-premises AD DS domain or forest and a Domain Services instance to participate in the private preview program. They will also need a VPN or ExpressRoute connection between their Azure virtual network and the on-premises network so that the two sides can reach each other for trust creation and authentication.