Multi-forest and Multi-tenant scenarios with Office 365


I have had several questions from my education customers about multi-forest and multi-tenant scenarios.  Here is a FAQ I put together:

 

Can you have multiple forests with a single tenant?

Yes, with FIM Connector for Office 365 or with the upcoming AADirsync tool. You can grab the beta of AADirsync tool here.  Read more on AADirsync here.

 

Can you have one forest with multiple tenants?

Yes, this is now supported as of recently.  You either have to use the FIM Connector for Office 365 or you can now use multiple Dirsync servers syncing to each unique tenant. The key is you cannot sync the same objects into the different tenants. You must create dirsync filtering on each dirsync server.
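The key requirement above is that the two dirsync servers never claim the same objects. The following PowerShell is an added example (not code from the original post or from Microsoft) that audits the OU filter scopes planned for each tenant's dirsync server before anything is synced: it reports any user that falls inside more than one tenant's scope, and any UPN suffix that users of more than one tenant are using (a verified domain can belong to only one tenant). It assumes the ActiveDirectory module is installed; the tenant names and OU distinguished names are placeholders.

```powershell
# Added example, not from the original post: check that the OU scopes given to the
# per-tenant dirsync servers do not overlap. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed placeholder scopes: each tenant's dirsync server is filtered to these OUs.
$TenantScopes = @{
    'TenantA' = @('OU=Campus A,DC=contoso,DC=local')
    'TenantB' = @('OU=Campus B,DC=contoso,DC=local')
}

function Get-ScopedUsers {
    # Every user beneath the given search bases, as a dirsync OU filter would see them.
    param([string[]]$SearchBases)
    foreach ($base in $SearchBases) {
        Get-ADUser -Filter * -SearchBase $base -SearchScope Subtree -Properties userPrincipalName |
            Select-Object DistinguishedName, userPrincipalName
    }
}

function Test-TenantScopeOverlap {
    # Returns one record per object that more than one tenant's scope would sync,
    # plus one record per UPN suffix that appears under more than one tenant.
    param([hashtable]$Scopes)
    $ownerOfDn     = @{}   # DN -> tenant that first claimed it
    $tenantsBySuffix = @{} # UPN suffix -> set of tenants using it
    $findings = @()
    foreach ($tenant in $Scopes.Keys) {
        foreach ($user in (Get-ScopedUsers -SearchBases $Scopes[$tenant])) {
            $dn = $user.DistinguishedName
            if ($ownerOfDn.ContainsKey($dn)) {
                $findings += [pscustomobject]@{
                    Kind    = 'ObjectInTwoScopes'
                    Subject = $dn
                    Tenants = "$($ownerOfDn[$dn]), $tenant"
                }
            } else {
                $ownerOfDn[$dn] = $tenant
            }
            if ($user.userPrincipalName) {
                $suffix = ($user.userPrincipalName -split '@')[-1].ToLowerInvariant()
                if (-not $tenantsBySuffix.ContainsKey($suffix)) { $tenantsBySuffix[$suffix] = @{} }
                $tenantsBySuffix[$suffix][$tenant] = $true
            }
        }
    }
    foreach ($suffix in $tenantsBySuffix.Keys) {
        if ($tenantsBySuffix[$suffix].Count -gt 1) {
            $findings += [pscustomobject]@{
                Kind    = 'SuffixSharedByTenants'
                Subject = $suffix
                Tenants = ($tenantsBySuffix[$suffix].Keys -join ', ')
            }
        }
    }
    return $findings
}

$result = Test-TenantScopeOverlap -Scopes $TenantScopes
if ($result.Count -eq 0) {
    Write-Host "OK: no object or UPN suffix is claimed by more than one tenant's dirsync scope."
} else {
    Write-Warning "Fix the OU filters (or UPN suffixes) before enabling sync:"
    $result | Format-Table -AutoSize
}
```

Run it from a domain-joined machine with read access to both OU trees. A nested OU (one tenant's scope lying beneath the other's) shows up as a long list of `ObjectInTwoScopes` findings, which is exactly the condition the FAQ says must be avoided.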

 

Can I have a non-AD directory sync to a tenant?

Yes, with FIM Connector for Office 365.

 

Can I have one ADFS farm servicing multiple forests?

Yes, as long as forest trusts exist between the forests this will work. Each forest must have unique UPN login suffixes for this to work.
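Because the single ADFS farm routes a login to a forest by its UPN suffix, the suffixes must not collide across forests, and each one also has to be a verified, federated domain in the tenant (a point the comments below come back to). This PowerShell is an added example, not code from the original post or from Microsoft: it gathers the UPN suffixes of each trusted forest with `Get-ADForest`, then checks them against the tenant's domain list as returned by `Get-MsolDomain` (MSOnline module). The forest names are placeholders, and the offline sample data at the end is constructed so the check can be read without a tenant connection.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (Get-ADForest) for the live path and the MSOnline module (Get-MsolDomain) for
# the tenant side; forest names below are placeholders.
Import-Module ActiveDirectory

function Get-ForestUpnSuffixes {
    # forest name -> all UPN suffixes in use (root domain name plus the explicit list)
    param([string[]]$ForestNames)
    $map = @{}
    foreach ($name in $ForestNames) {
        $forest = Get-ADForest -Identity $name
        $map[$name] = @($forest.RootDomain) + @($forest.UPNSuffixes)
    }
    return $map
}

function Test-UpnSuffixLayout {
    # Returns a list of problems; an empty list means the layout satisfies the FAQ's conditions.
    param(
        [hashtable]$SuffixesByForest,   # forest -> list of UPN suffixes
        [object[]]$TenantDomains        # objects with Name, Status, Authentication (Get-MsolDomain shape)
    )
    $findings = @()
    $ownerOfSuffix = @{}
    foreach ($forest in $SuffixesByForest.Keys) {
        foreach ($suffix in $SuffixesByForest[$forest]) {
            $key = $suffix.ToLowerInvariant()
            if ($ownerOfSuffix.ContainsKey($key) -and $ownerOfSuffix[$key] -ne $forest) {
                $findings += "Suffix $key is used by both $($ownerOfSuffix[$key]) and $forest; one ADFS farm cannot route it to a single forest."
            }
            $ownerOfSuffix[$key] = $forest
            $dom = $TenantDomains | Where-Object { $_.Name -eq $key }
            if (-not $dom) {
                $findings += "Suffix $key ($forest) is not registered in the tenant (non-routable suffixes such as .local cannot be)."
                continue
            }
            if ($dom.Status -ne 'Verified') {
                $findings += "Suffix $key ($forest) is registered but not verified."
            }
            if ($dom.Authentication -ne 'Federated') {
                $findings += "Suffix $key ($forest) is Managed, not Federated; logins will not go to ADFS."
            }
        }
    }
    return $findings
}

# Offline demonstration with constructed data (no tenant connection needed).
$sampleSuffixes = @{
    'forestA' = @('contoso.com', 'contoso.local')
    'forestB' = @('tailspin.com', 'contoso.com')
}
$sampleDomains = @(
    [pscustomobject]@{ Name = 'contoso.com';  Status = 'Verified'; Authentication = 'Federated' },
    [pscustomobject]@{ Name = 'tailspin.com'; Status = 'Verified'; Authentication = 'Managed' }
)
Test-UpnSuffixLayout -SuffixesByForest $sampleSuffixes -TenantDomains $sampleDomains

# Live usage (run Connect-MsolService first):
# $suffixes = Get-ForestUpnSuffixes -ForestNames 'contoso.local', 'tailspin.local'
# Test-UpnSuffixLayout -SuffixesByForest $suffixes -TenantDomains (Get-MsolDomain)
```

On the constructed sample the check reports three problems: `contoso.local` is not in the tenant, `tailspin.com` is Managed rather than Federated, and `contoso.com` is claimed by both forests. All three would have to be cleared before a single farm could serve both forests.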

 

What if I do not have trusts between the forests?

If no trusts exist between the forests, then multiple ADFS farms are required.

 

Can I have multiple Exchange orgs connecting via Hybrid into a single tenant?

Yes, this is a new capability available in Exchange 2013 SP1. See here.

 

What if I have a resource forest for Exchange and an account forest for logins?

Set up dirsync against the resource forest and set up ADFS against the account forest. Eventually, collapse the resource forest data into the account forest and then change dirsync to work against the account forest.


Comments (45)

  1. markga says:

    Alex, there is some movement there so stay tuned to either our blog or the Exchange team blog in the future.

  2. markga says:

    YERF,

    One forest with multiple tenants would require multiple dirsync installations with domain/OU filtering enabled to avoid syncing the same objects to TWO different tenants.  For federation, you can use a single ADFS server but different UPN suffixes for each tenant required.  For a single Exchange Org, you can only connect that to ONE tenant or the other via Hybrid wizard. You cannot split one Exchange org amongst two tenants.

  3. stan82 says:

    Could you give more information about scenario “What if I have a resource forest for Exchange and an account forest for logins”? Even draft will work. Will Exchange Hybrid work in this case?

  4. markga says:

    Sandor,

    See here for info on how to collapse AD forests:

    technet.microsoft.com/…/cc974332(v=ws.10).aspx

  5. markga says:

    DavidG,

    I meant for this to be a quick FAQ, not a full FIM deployment post; however, there is a link in the post to an Azure AD connector deployment guide which includes multi-forest scenarios (reposted here: http://technet.microsoft.com/en-us/library/dn511002(v=ws.10).aspx ).

    If you need more specific FIM 2010 R2 deployment guidance, see these posts: http://technet.microsoft.com/en-us/library/jj134310(v=ws.10).aspx and this one: http://www.microsoft.com/en-us/download/details.aspx?id=29957.

  6. AndyDeDeckker says:

    Hi Mark,
    I am a little bit confused after your response to VERF.
    If I understand correctly, you are saying that it is possible to dirsync between 1 forest and multiple o365 tenants if you correctly use the domain/OU filtering or by UPN Suffix.
    But this isn’t possible for Exchange?
    Example:
    As a service provider we have one Forest, 1 exchange organization and different customers/groups with each group of users have their own UPN suffix, maildomain etc. Can I use Exchange Hybrid to connect to the multiple Tenants?
    Kind Regards

  7. markga says:

    @franciso – no, you can only have one SMTP/verified domain per tenant not split amongst two tenants.

  8. markga says:

    @DavidG – yes, this is supported as of Exchange 2013 SP1 (I recommend RU5+). We have customers running 5 Exchange Orgs to a single tenant in production. That scenario is using FIM + ADFS + two-way forest trusts. There are also customers using AADsync + ADFS + two-way forest trusts, and the documentation is coming on that scenario to my knowledge. I can’t speak for our documentation team as to why there isn’t much on it; however, there are several partners and Microsoft Consulting Services (MCS) that have experience for numerous customers with multi-org to single tenant. Let me see what I can post/find – stay tuned to the blog.

  9. Anonymous says:

    Great FAQs, Mark. "Multiple-forest, no trust, one tenant": Can we achieve this with AADSync tool? I guess that as there’s no trust – we’ll need to setup ADFS farms. I’ll be glad if you could discuss this scenario on this blog. Thanks!

  10. markga says:

    @alex – ADFS 3.0 should support multi-forest and multiple UPN suffixes. The UPNs do have to be internet routable, registered domains in Office 365, and configured for federation with Office 365 on the ADFS server.

  11. Alex Gray - says:

    Hi Mark,

    Thanks for your prompt response. It is a relief to hear that this will work 🙂

    Do you know of any "how to" articles that cover adding the additional domains, preferably covering the configuration on both sides (ADFS and Office 365)?

    Thanks in advance,
    Alex

  12. Alex Gray - says:

    Hi Mark,

    If we have multi-forest (full trust), using different (alternative) UPNs for each forest, how does this work with ADFS (3.0)?

    For example, if we have:-

    The first forest configured with the UPN contoso.com,
    using ADFS as sts.contoso.com

    and we want to add the second forest configured with the UPN tailspin.com

    do we need to make any changes to ADFS or can we use the ADFS servers at sts.contoso.com for tailspin.com accounts?

    If we can continue to use sts.contoso.com for tailspin.com user accounts, do we need to make any changes to ADFS and/or Office 365 or is it simply a case registering tailspin.com as a domain in Office 365 and Exchange Online?

    Thanks in advance,
    Alex

  13. kkpaliwal says:

    Thanks for sharing this info…

    It would be great if you can share some technical documentation or links for following:

    • Office 365 Multi-Tenant (MT)

    • IaaS Exchange Hosting (Azure, etc)

    Thanks

    KK

  14. Gregory Dodge says:

    I connected three Exchange 2003 organizations to a single Office 365 tenant with Hybrid servers on all three.  This works just fine as long as you have a way to dirsync from all three forests using something like OptimalIDM VIS or FIM Connector for Office 365.  The trick is that only the first hybrid wizard will complete; then you run the additional hybrid wizards, which will fail to create the org relationship since it says it already exists.  You just need to create the org relationship via PowerShell for the other two, and use the same coexistence namespace.  Contact me at greg.dodge@ec3rdpower.com for more details if you need them.

  15. Sandor says:

    Nice info. What do you mean with "Eventually, collapse the resource forest data into the account forest and then change dirsync to work against the account forest."?

    Which process is used for "collapsing" the resource forest data and what "data" are you referring to?

    I have a customer who wants to have a hybrid SharePoint with Federated search. SharePoint is however in a resource forest..

  16. YERF says:

    Thanks for the information.

    Can you share more information about it? I have one forest and some tenants and would like to know how to implement SSO and Dirsync for this scenario. Is it possible to federate Exchange with this scenario? I have only one Exchange organization.

  17. Tadej says:

    Hi, Mark. When you talked about trust between forests, can this be two-way selective (e.g. only the ADFS service account can access both forests in trust)? Kind regards.

  18. Adi says:

    Hi Mark, can we use a single Exchange org to hybrid with 2 Office 365 tenants?

  19. Adi says:

    Sorry, just read your comment. In the case of a single Exchange org, can we deploy a new resource domain for Exchange and then do a hybrid?

  20. Alex Richardson says:

    Do we know if there is any movement from Microsoft on this question since the original post? Q: Can I have multiple Exchange orgs connecting via Hybrid into a single tenant? A: Not currently. It may be something in the future.

  21. Naresh Yadav says:

    Hi Mark. How to move cross-forest to Office 365 in a demerger scenario. The scenario is: company ABC is separating its business from XYZ. The requirement is to build a new AD for ABC and move its mailboxes from XYZ to Office 365, and map these mailboxes to the ABC AD.

  22. Davidg says:

    Hi Mark,

    This article is a little dangerous to have out on the internet without a procedure to show how this is done, in my opinion. Simply replying “yes” to Office 365 with multiple forests and FIM without giving an explanation as to how is very vague and implies it’s an easy process. Searching on this topic leads to here as the first hit through search engines, and as you can imagine, there would be many an IT administrator looking up how to do this right now as there is very little information out there.

    I’d love to see a step-by-step guide on how to configure FIM with multiple forests.

  23. Michael Gray says:

    Hi, just curious. If I have a single tenant but multiple forests. Eventually I want to consolidate the forests into one, basically migrate a subsidiary into the main company. Is Office 365 aware enough to recognize the migrated AD accounts and keep it relatively seamless for my end users? Or do I have to delete accounts and associate them? Any info would be helpful, thanks.

  24. Davidg says:

    Hi Mark,

    Great, thank you for updating the blog post, it seems much clearer now.

  25. francisco says:

    Can I have two tenants and share a single SMTP domain?

  26. francisco says:

    Can I have 2 OPEN contracts for a single tenant and a single domain?

  27. hi MArk says:

    How can I deploy Office 365 for an account-only forest when there is no Exchange available anywhere on-premises?

  28. paul says:

    Hi Mark,
    Great post. From my understanding it is possible to have users on Exchange Online using DirSync, and if they were looking to use another tenant for, say, SharePoint Online outside of their original tenant for a sub-group of users, it is possible to add a second DirSync server to create password sync for the second tenancy. Is that right?

  29. alex says:

    Hello, I have 2 forests (1. account forest and 2. resource forest, with a trust working; in forest 1 I have a suffix) with FIM syncing to 1 tenant. I have an Exchange 2013 hybrid deployment; I can migrate to Exchange Online with no problem, and OWA for that account works via the Office 365 portal, but I have a question: if I configure a profile in Outlook 2013 it prompts me for credentials and Outlook can’t be configured. Can you help me with this Outlook problem?

  30. Sajeel says:

    Hi, is it possible to deploy Lync hybrid between one resource forest (on-prem) and multiple online tenants for enterprise voice capabilities?

  31. Faisal Masood says:

    Hi,

    Let me know if it is possible and how. Need some directions.

    CompanyA with Office 365 subscription and ADFS SSO configured working. CompanyB that is a client / customer wants to leverage the CompanyA’s Office 365 SharePoint Online to collaborate on shared projects. CompanyB wants single sign-on.

    Current CompanyA and CompanyB don’t have Active Directory trust relationship or federation.

    Faisal Masood
    http://www.FaisalMasood.com

  32. Smiliman says:

    Thanks for your post Mark. Question: We have one single domain. I would like to sync (AADsync) OU "A" to Office 365 Tenant "A" and OU "B" to Office 365 Tenant "B". This should be possible, right? But how? Thanks for your feedback.

  33. Andy Feetenby says:

    Smiliman, we have exactly the same problem with our design. Did you manage to make any progress? I have posted on the Office 365 forum, but the consensus is it is not yet supported.

  34. Davidg says:

    Hi again, just wondering if the multi-org single-tenant hybrid functionality is in production? While I can see it was shown at MEC 2014 and there is a post on the linked TechNet, I do not see many step-by-step deployment guides and my own POC is proving this feature to not actually work as of yet…

  35. Mark says:

    Hi,
    is there any way to share Office 365 between 2 orgs without trusting each other’s domains? I.e., can I use ADFS or some other mechanism?

  36. Peter says:

    The Multi-Tenancy and Hosting Guidance for Exchange Server 2013 says the following:

    Establishing a hybrid relationship with Office 365 is not recommended if you have configured Exchange 2013 for multi-tenancy as it may expose data between tenants.

    The Hybrid Configuration Wizard and the configuration used to establish a Hybrid relationship with Office 365 was not designed to work with Exchange 2013 in a multi-tenant configuration.

    And this:
    It is not supported to configure or attempt to configure your Exchange 2013 organization to have a hybrid relationship with multiple Office 365 tenants.

    But you say that this works? Is it supported now?

  37. Zbynek says:

    Dear MarkGa, I have multiple Exchange 2013 forests connected to multiple Office 365 tenants. Now I need to set up a single resource forest to support all Exchange 2013 organizations so I have the possibility to migrate mailboxes to Office 365 or the resource forest. Is this described somewhere or is it even supported? Thanks a lot, please answer to zbynek.salon@salonovi.cz. Thanks a lot. With regards, Zbynek

  38. David Sampson says:

    My scenario is we have currently deployed full FIM with the 365 connector and ADFS as we have multiple forests through acquisition and AADSync was not available when we first deployed this.

    We now have a new acquisition who we wish to set up in the same tenant but due to technical limitations cannot establish network connectivity between the two environments. This stops us from establishing a forest trust or utilising our existing FIM deployment to sync their accounts.

    The new acquisition can get by with password sync for the time being, can we just deploy AADSync in their forest pointing at the same tenant providing they are unique objects and using separate domains in 365 for both logon and email?

    There is some concern that establishing a separate instance of AADSync alongside our existing FIM + 365 connector deployment will overwrite or delete our existing synced objects somehow. I know we could replace FIM with AADSync but this isn’t possible in the project time frame.

    Thanks,
    David

  39. Jon Bryan says:

    Mark,

    Please can you clarify a previous comment:

    "One forest with multiple tenants would require multiple dirsync installations with domain/OU filtering enabled to avoid syncing the same objects to TWO different tenants. For federation, you can use a single ADFS server but different UPN suffixes for each tenant required."

    I have one forest, with user accounts from two separate organisations. I have ADFS setup for our own O365 tenancy and that is working fine. Now that other organisation wishes to use their own O365 tenancy.

    I understand the need to have two separate DirSyncs. What I’m wondering is: can my existing ADFS (Server 2012 R2) farm provide federated access to that other tenancy? Can I just set up a new "MsolFederatedDomain" to achieve this without affecting my current users?

    Is there any documentation relating to this kind of scenario?

    Many thanks,

    Jon.

  40. Ruud Borst says:

    Have a look at the post below if you know your way around PowerShell. I searched for a multi-tenant solution myself and found a way to make it possible with the Azure PowerShell module. This solution allows you to onboard your multi-tenant AD environment to a multi-tenant Azure AD environment, provisioning multiple tenants with multiple federated domains across multiple subscriptions.

    http://www.ruudborst.nl/multi-tenant-azure-federation-without-dirsync-aadsync-aadconnect-fim/

  41. We are very decentralized, operating in 50 countries each with their own forest. 9 with the same FQDN (xyz.local). 7 with different versions of Exchange. Currently using FIM in 15 countries (some with rich coexistence) to on-board to O365. Working to bring other countries on. My question is… can I have multiple sync engines (ideally 1 per country) running against a single tenant? Would like to move away from FIM but don’t think it’s possible.

  42. David Sampson says:

    Are there any additional considerations around running a single tenancy with multiple ADFS farms on different versions? We have a single tenant, FIM doing sync and an existing ADFS 2.0 farm. We are planning on using the same FIM instance to sync a new forest but also deploy ADFS 3.0 in the new forest due to technical limitations preventing a forest trust.

    Any gotchas to be aware of running the 2 different ADFS versions against one tenant?

  43. Donnie S says:

    Mark, Thanks for the article! I am looking for info on consolidating multiple forests/orgs into a single Office 365 tenant without using trusts. There are 100+ forests and no trusts in place currently; they are all separate. Can we set up an ADFS/Azure ADC instance for each forest connecting into the same O365 tenant, or will we need to do forest trusts and have a single ADFS/Azure ADC instance?

  44. Rob says:

    Is it possible to have a single tenant, multi-org &amp; shared primary SMTP namespace?