Multi-forest and Multi-tenant scenarios with Office 365

I have had several questions about multi-forest and multi-tenant scenarios from my education customers. Here is a FAQ I put together:

 

Can you have multiple forests with a single tenant?

Yes, with the FIM Connector for Office 365 or with the upcoming AADirsync tool. You can grab the beta of the AADirsync tool here. Read more on AADirsync here.

 

Can you have one forest with multiple tenants?

Yes, this has recently become supported. You either have to use the FIM Connector for Office 365, or you can now use multiple Dirsync servers, each syncing to its own tenant. The key is that you cannot sync the same objects into different tenants, so you must configure dirsync filtering on each dirsync server.
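One way to check, before enabling sync, that the filters on the dirsync servers never send the same object to two tenants. This is an added example, not part of the original FAQ or any Microsoft tool; it assumes OU-based filtering (attribute-based filters are not covered), and the tenant names and DNs are constructed.

```python
from itertools import combinations

# Constructed sample: containers each DirSync server is filtered to, keyed by
# the tenant it syncs to. Tenant names and DNs are made up for illustration.
SAMPLE_SCOPES = {
    "tenant-a.onmicrosoft.com": ["OU=Students,DC=school,DC=edu"],
    "tenant-b.onmicrosoft.com": [
        "OU=Staff,DC=school,DC=edu",
        "ou=Grade9, OU=Students, dc=school, dc=edu",
    ],
}


def split_dn(dn):
    """Split a DN into normalized RDNs, leaf first, honoring escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(current))
            current = []
            continue
        current.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(current))
    # AD compares DNs case-insensitively; ignore padding around separators.
    return [r.strip().lower() for r in rdns if r.strip()]


def is_within(dn, container):
    """True if dn equals container or sits anywhere beneath it."""
    child, parent = split_dn(dn), split_dn(container)
    return bool(parent) and child[len(child) - len(parent):] == parent


def find_overlaps(scopes):
    """Return (tenant, dn, other_tenant, other_dn) for every shared scope."""
    overlaps = []
    for (t1, dns1), (t2, dns2) in combinations(scopes.items(), 2):
        for a in dns1:
            for b in dns2:
                if is_within(a, b) or is_within(b, a):
                    overlaps.append((t1, a, t2, b))
    return overlaps


if __name__ == "__main__":
    for t1, a, t2, b in find_overlaps(SAMPLE_SCOPES):
        print(f"OVERLAP: {t1} [{a}] and {t2} [{b}]")
```

In the sample, the Grade9 OU sits under Students, so its objects would reach both tenants; an empty result means the OU scopes are disjoint.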

 

Can I have a non-AD directory sync to a tenant?

Yes, with FIM Connector for Office 365.

 

Can I have one ADFS farm servicing multiple forests?

Yes, as long as forest trusts exist between the forests, this will work. Each forest must have unique UPN login suffixes for this to work.

 

What if I do not have trusts between the forests?

If no trusts exist between the forests, then multiple ADFS farms are required.

 

Can I have multiple Exchange orgs connecting via Hybrid into a single tenant?

Yes, this is a new capability available in Exchange 2013 SP1. See here.

 

What if I have a resource forest for Exchange and an account forest for logins?

Set up dirsync against the resource forest and set up ADFS against the account forest. Eventually, collapse the resource forest data into the account forest and then change dirsync to work against the account forest.