
Can O365 and Azure AD use the same domain

Assume there exists an O365 instance where user identities are managed in the cloud - see the Cloud Identity section here: https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9

Assume there also exists a separate Azure subscription that maintains its own Active Directory, as well as an assortment of other resources such as SQL Databases, VMs, Virtual Networks, etc...

Can the two (the O365 instance and the Azure AD) use the same domain? Given it seems like Office 365 uses an Azure AD under the covers, my question is really just asking if two Azure Active Directories can use the same domain. Unfortunately, I can't find much online with regards to answers for this and I can't yet test it.

If you had two Active Directory tenants using the same example.com domain, and you logged into the portal with bob@example.com, how would the portal know which tenant was responsible for bob?

An Azure Active Directory tenant must be authoritative over the domains that are associated with it.

What you can do is associate the Office 365 Active Directory with an Azure subscription (or as many Azure Subscriptions as you have) and then you will have SSO across all of your subscriptions and Office 365.

This is probably the simplest guide on how to achieve that - it is for RemoteApp, but the underlying concept is the same.

Two Azure Active Directories cannot have the same domain.

Technically, an O365 instance with a tenant name (.onmicrosoft.com) is an Azure AD. Office 365 is just a SaaS application attached to every Azure AD. Basically, for Office 365, the identity management backend is Azure AD. Basically, if we have a domain abc.com added/verified in tenant A, it means that we can create users in tenant A with user@abc.com. If we were able to add the same domain in tenant B, which is not possible practically but if we consider it theoretically, there would be a user user@abc.com in tenant B too! Hence it's impossible to have the same domain with two Azure ADs.

If you have a domain abc.com under a tenant - contoso.onmicrosoft.com (does not matter whether it's in Office 365). If we want to view this directory in the Azure portal (classic) and if you know the global administrator of this directory, we can add it to the Azure Classic portal (use custom directory) option (comes up for live account service admin).

https://azure.microsoft.com/en-us/documentation/articles/active-directory-how-subscriptions-associated-directory/#manage-the-directory-for-your-office-365-subscription-in-azure

Also, an Office 365 subscription gives you the benefit of a free "Access to Azure Active Directory" subscription for all Office 365 Global administrators. This is given to effectively manage the users in Office 365 via Azure AD as well (SSPR, MFA settings, which are not available via the O365 portal). https://support.office.com/en-us/article/Register-your-free-Azure-Active-Directory-subscription-d104fb44-1c42-4541-89a6-1f67be22e4ad
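
Both answers rest on a sign-in name's domain mapping to exactly one tenant. The sketch below is an added example, not part of the original answers: it resolves a name such as bob@example.com to its tenant ID through Microsoft's public OpenID Connect discovery document, which an administrator can use to confirm which directory is authoritative for a domain. The sample response and its tenant ID are constructed placeholders, and the function names are hypothetical.

```python
import json
import re
import urllib.request

# Microsoft's public OpenID Connect discovery endpoint, keyed by domain name.
DISCOVERY_URL = "https://login.microsoftonline.com/{domain}/v2.0/.well-known/openid-configuration"
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
_ISSUER_RE = re.compile(rf"^https://login\.microsoftonline\.com/({GUID})/v2\.0$")


def domain_of(upn: str) -> str:
    """Return the lower-cased domain suffix of a sign-in name such as bob@example.com."""
    local, sep, domain = upn.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a user principal name: {upn!r}")
    return domain.lower()


def tenant_from_metadata(metadata: dict) -> str:
    """Extract the single tenant ID named in a discovery document's issuer."""
    match = _ISSUER_RE.match(metadata.get("issuer", ""))
    if match is None:
        raise ValueError("issuer does not name an Azure AD tenant")
    return match.group(1).lower()


def fetch_metadata(domain: str) -> dict:
    """Live lookup (needs network); raises urllib.error.HTTPError on a service error."""
    with urllib.request.urlopen(DISCOVERY_URL.format(domain=domain), timeout=10) as resp:
        return json.load(resp)


def resolve_tenant(upn: str, fetch=fetch_metadata) -> str:
    """Map a sign-in name to the one tenant that answers for its domain."""
    return tenant_from_metadata(fetch(domain_of(upn)))


# Constructed sample response; the tenant ID is a placeholder, not a real tenant.
SAMPLE = {"issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"}

if __name__ == "__main__":
    # Offline run against the constructed sample instead of the live endpoint.
    print(resolve_tenant("bob@example.com", fetch=lambda domain: SAMPLE))
```

Calling `resolve_tenant` without the `fetch` argument performs the live lookup for the domain in the sign-in name.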
