Microsoft Entra Domain Services: Two-way forest trusts

Microsoft Entra Domain Services will soon support two-way forest trusts, allowing bidirectional access between Entra Domain Services and on-premises AD DS environments. The rollout begins late June 2025 and completes by mid-July 2025. Three trust directions will be available: one-way outbound, one-way inbound, and two-way. An Enterprise or Premium license is required.

Coming soon for Microsoft Entra Domain Services: Two-way forest trusts will be generally available. This capability allows organizations to create forest trusts between Entra Domain Services and on-premises Active Directory Domain Services (AD DS) environments in one or both directions. We are also adding a new one-way forest trust with this release. After this rollout, security admins can choose from three possible directions when creating a forest trust, depending on how users need to access resources.

Trusts require an Enterprise or Premium license for Entra Domain Services.

[When this will happen:]

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out late June 2025 and expect to complete by mid-July 2025.

[How this will affect your organization:]

Before this rollout, Microsoft Entra Domain Services only supports forest trusts in one direction: Out-bound from a managed domain to any customer on-premises domains or forests. This configuration allows users in an on-premises domain to access resources in a managed domain but does not allow the reverse.

After this rollout, Microsoft Entra Domain Services will support these three trust direction options:

• One-way outbound: Allows users in an on-premises domain to access resources in a managed domain (currently supported).
• One-way inbound: Allows users in a managed domain to access resources in an on-premises domain (new).
• Two-way: A bidirectional trust that allows users in a managed domain and in an on-premises domain to access resources in both domains (new).

To access the Trust settings in Entra Domain Services, you must first have an existing Entra Domain Services instance. Go to Microsoft Entra admin center > Home > Search for Domain services at the top of the screen > Select Microsoft Entra Domain Services > Select the desired Entra Domain Service instance from the Name column > select Trusts.

Watch a short video about accessing Trust settings and creating a new Trust (23 seconds, no audio)

To create a new Trust in Entra Domain Services, select the + Add button.

In the Add Trust pop-up, enter the details and select the preferred trust direction > Select OK:

[What you need to do to prepare:]

The new feature will rollout automatically with no admin action required before the rollout. You may want to notify your admins about this change and update your relevant documentation.

Learn more: How trusts work for Microsoft Entra Domain Services (Preview) - Microsoft Entra ID | Microsoft Learn