I have had several questions around multi-forest and multi-tenant questions from my education customers. Here is a FAQ I put together:
Can you have multiple forests with a single tenant?
Yes, with FIM Connector for Office 365 or with the upcoming AADirsync tool. You can grab the beta of AADirsync tool here. Read more on AADirsync here.
Can you have one forest with multiple tenants?
Yes, this is now supported as of recently. You either have to use the FIM Connector for Office 365 or you can now use multiple Dirsync servers syncing to each unique tenant. The key is you cannot sync the same objects into the different tenants. You must create dirsync filtering on each dirsync server.
Can I have a non-AD directory sync to a tenant?
Yes, with FIM Connector for Office 365.
Can I have one ADFS farm servicing multiple forests?
Yes, as long as trusts exist between the forests this will work. Each forest much have unique UPN login suffixes for this to work.
What if do not have trusts between the forests?
If no trusts exist between the forests than multiple ADFS farms are required.
Can I have multiple Exchange orgs connecting via Hybrid into a single tenant?
Yes, this is a new capability available in Exchange 2013 SP1. See here.
What if I have a resource forest for Exchange and an account forest for logins?
Setup dirsync against the resource forest and setup ADFS against the account forest. Eventually, collapse the resource forest data into the account forest and then change dirsync to work against the account forest.
Thanks for sharing this info...
It would be great if you can share some technical documentation or links for following:
• Office 365 Multi-Tenant (MT)
• IaaS Exchange Hosting (Azure, etc)
I connected three Exchange 2003 organizations to a single Office 365 tenant with Hybrid servers on all three. This works just fine as long as you have a way to dirsync from all three forests uing something like OptimalIDM VIS or FIM Connect for Office365. The trick is that only the firs hybrid wizard will complete, the you run he additional hybrid wizard which will fail to create the org relationship since it says it already exists. You just need to create the org relationship via Powershell for the other two, and use the same coexistence namespace. Contact me at firstname.lastname@example.org for more details if you need them.
Nice info. What do you mean with "Eventually, collapse the resource forest data into the account forest and then change dirsync to work against the account forest."?
Which process is used for "collapsing" the resource forest data and what "data" are you referring to?
I have a customer who wants to have a hybrid SharePoint with Federated search. SharePoint is however in a resource forest..
See here for info on how to collapse AD forests:
Thanks for the information
Can you share more information about it, I have a one forest and some tenants and would Like to know how can implementing SSO and the Dirsync for this scenario. Is it posible federate Exchange with this scenario, i have only one organization of exchange
One forest with multiple tenants would require multiple dirsync installations with domain/OU filtering enabled to avoid syncing the same objects to TWO different tenants. For federation, you can use a single ADFS server but different UPN suffixes for each tenant required. For a single Exchange Org, you can only connect that to ONE tenant or the other via Hybrid wizard. You cannot split one Exchange org amongst two tenants.
I am a little bit confused after your response to VERF.
If I understand correctly, you are saying that it is possible to dirsync between 1 forest and multiple o365 tenants if you correctly use the domain/OU filtering or by UPN Suffix.
But this isn’t possible for Exchange?
As a service provider we have one Forest, 1 exchange organization and different customers/groups with each group of users have their own UPN suffix, maildomain etc. Can I use Exchange Hybrid to connect to the multiple Tenants?
Hi, Mark. When you talked about trust between forrest, can this be two-way selective (e.g. only ADFS service account can access both forests in trust)? Kind regards.
Hi Mark, can we use a single exchange org to hybrid with 2 office 365 tenant ?
Sorry, just read your comment, in the case of a single exchange org, can we deploy a new resource domain for exchange and then do a hybrid ?
Do we know if there is any movement from Microsoft on this question since the original post? Q: Can I have multiple Exchange orgs connecting via Hybrid into a single tenant? A: Not currently. It may be something in the future.
Alex, there is some movement there so stay tuned to either our blog or the Exchange team blog in the future.
Hi Mark. How to move Cross forest to office 365 in demerger scenario. Scenario is , company abc is seprating business from xyz. Requirment is to build new AD for ABC and move its mailboxes from XYZ to office 365 , Map these mailboxes to ABC AD.
Hi Mark, This article is a little dangerous to have out on the internet without a procedure to show how this is done, in my opinion. Simply replying "yes" to office 365 with multiple forest and FIM without giving an explanation as to how is very vague and implies its an easy process. searching on this topic leads to here as the first hit through search engines, and as you can imagine, there would be many an IT administrator looking up how to do this right now as there is very little information out there. i'd love to see a step by step guide on how to configure FIM with multiple forests.
DavidG,I meant for this to be a quick FAQ not a full FIM deployment post however there is a link in the post to a Azure AD connector deployment guide which includes multiforest scenarios (reposted here:http://technet.microsoft.com/en-us/library/dn511002(v=ws.10).aspx ).If you need more specific FIM 2010 R2 deployment guidance you see these posts:http://technet.microsoft.com/en-us/library/jj134310(v=ws.10).aspx and this one: http://www.microsoft.com/en-us/download/details.aspx?id=29957.