Introducing trust direction options for Microsoft Entra Domain Services

Monicah Wambugu

Microsoft Entra Domain Services is a cloud-based solution that provides a classic Active Directory domain in the cloud without the hassle of maintaining your own infrastructure. Using Domain Services, you can easily integrate your cloud and on-premises resources using trust relationships.

We’re now adding two-way trust relationships to Domain Services and we’d like to invite you to get an early look.

Why are trust relationships (trusts) important?

Trust relationships are important in Microsoft Entra Domain Services because they provide security across multiple domains or forests. A forest is a collection of domain trees with a common schema, configuration, and global catalog. Trust relationships allow users to access resources in domains outside their own forest by means of trust. They are a way of establishing a connection between two domains or forests, so that users and groups from one domain can access resources in another domain. Trusts can be configured in different directions, depending on your needs and preferences.

When might you want to create a trust?

  • Hybrid identity management: Your organization may have a hybrid identity management scenario where you have some resources on-premises and some in the cloud. In such a scenario, you might want to create a trust between the on-premises Active Directory Domain Services (AD DS) and Microsoft Entra managed domain to enable users to access resources in both environments using a single set of credentials.

  • Mergers and acquisitions: In a merger or acquisition scenario, two organizations may have their own separate directories and environments. If a merger results in a hybrid topology, you might want to create a two-way trust to enable users from both organizations to access resources in both environments using a single set of credentials.

What is changing?

Currently, Domain Services supports creating one-way, outbound trusts from a Domain Services managed domain to any customer on-premises domains or forests. This allows users in the on-premises domain to access resources in the managed domain, but not vice versa.

two-way trust relationship

We are introducing two-way trusts because we understand that customers have scenarios that require different options for trust direction. This new feature will allow for three possible directions when you create a trust with Domain Services:

  • Two-way: This is a bidirectional trust that allows users in both the managed domain and the on-premises domain to access resources in either domain.

  • One-way outgoing: This option allows users in the on-premises domain to access resources in the managed domain, but not vice versa.

  • One-way incoming: This option allows users in the managed domain to access resources in the on-premises domain. 

This feature will give you more control and flexibility over how you manage your hybrid identity environment with Domain Services. You can choose the trust direction that best suits your needs, whether it is for security, collaboration, migration, or any other purpose. 

Participate in the private preview program

We are actively looking for developers to participate in a private preview of this new feature, ahead of the broader public preview release. If you are interested, or you believe this would be valuable for your organization, we would be happy to collaborate with you. Simply click the link below to register!

Let’s stay connected

To learn more or test out features of the Microsoft Entra suite of solutions, visit our developer center. Sign up for email updates on the Identity blog to keep up with all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.

Join our community and receive exclusive Domain Services product updates, early access to new features, and the opportunity to participate in product surveys by clicking on the registration link below.


Discussion is closed.

Feedback usabilla icon