Jaa


Multi-forest and Multi-tenant scenarios with Office 365

I have had several questions around multi-forest and multi-tenant questions from my education customers.  Here is a FAQ I put together:

 

Can you have multiple forests with a single tenant?

Yes, with FIM Connector for Office 365 or with the upcoming AADirsync tool. You can grab the beta of AADirsync tool here.  Read more on AADirsync here.

 

Can you have one forest with multiple tenants?

Yes, this is now supported as of recently.  You either have to use the FIM Connector for Office 365 or you can now use multiple Dirsync servers syncing to each unique tenant. The key is you cannot sync the same objects into the different tenants. You must create dirsync filtering on each dirsync server.

 

Can I have a non-AD directory sync to a tenant?

Yes, with FIM Connector for Office 365.

 

Can I have one ADFS farm servicing multiple forests?

Yes, as long as forest trusts exist between the forests this will work. Each forest much have unique UPN login suffixes for this to work.

 

What if do not have trusts between the forests?

If no trusts exist between the forests than multiple ADFS farms are required.

 

Can I have multiple Exchange orgs connecting via Hybrid into a single tenant?

Yes, this is a new capability available in Exchange 2013 SP1. See here.

 

What if I have a resource forest for Exchange and an account forest for logins?

Setup dirsync against the resource forest and setup ADFS against the account forest. Eventually, collapse the resource forest data into the account forest and then change dirsync to work against the account forest.

Comments

  • Anonymous
    January 01, 2003
    Alex, there is some movement there so stay tuned to either our blog or the Exchange team blog in the future.

  • Anonymous
    January 01, 2003
    YERF, One forest with multiple tenants would require multiple dirsync installations with domain/OU filtering enabled to avoid syncing the same objects to TWO different tenants.  For federation, you can use a single ADFS server but different UPN suffixes for each tenant required.  For a single Exchange Org, you can only connect that to ONE tenant or the other via Hybrid wizard. You cannot split one Exchange org amongst two tenants.

  • Anonymous
    January 01, 2003
    Could you give more information about scenario "What if I have a resource forest for Exchange and an account forest for logins"? Even draft will work. Will Exchange Hybrid work in this case?

  • Anonymous
    January 01, 2003
    Sandor, See here for info on how to collapse AD forests: technet.microsoft.com/.../cc974332(v=ws.10).aspx

  • Anonymous
    January 01, 2003
    DavidG,

    I meant for this to be a quick FAQ not a full FIM deployment post however there is a link in the post to a Azure AD connector deployment guide which includes multiforest scenarios (reposted here:http://technet.microsoft.com/en-us/library/dn511002(v=ws.10).aspx ).

    If you need more specific FIM 2010 R2 deployment guidance you see these posts:http://technet.microsoft.com/en-us/library/jj134310(v=ws.10).aspx and this one: http://www.microsoft.com/en-us/download/details.aspx?id=29957.

  • Anonymous
    January 01, 2003
    Hi Mark,I am a little bit confused after your response to VERF.If I understand correctly, you are saying that it is possible to dirsync between 1 forest and multiple o365 tenants if you correctly use the domain/OU filtering or by UPN Suffix.But this isn’t possible for Exchange?Example:As a service provider we have one Forest, 1 exchange organization and different customers/groups with each group of users have their own UPN suffix, maildomain etc. Can I use Exchange Hybrid to connect to the multiple Tenants?Kind Regards

  • Anonymous
    January 01, 2003
    @franciso - no, you can only have one SMTP/verified domain per tenant not split amongst two tenants.

  • Anonymous
    January 01, 2003
    @DavidG - yes, this is supported as of Exchange 2013 Sp1 (i recommend Ru5+). We have customers running 5 Exchange Orgs to a single tenant in production. That scenario is using FIM + ADFS + two way forest trusts. There are also customers using AADsync + ADFS + two way forest trusts and the documentation is coming on that scenario to my knowledge. I can't speak for our documentation team as to why there isn't much on it however there are several partners and Microsoft Consulting Services (MCS) that have experience for numerous customers with multi-org to single tenant. Let me see what I can post/find - stay tuned to the blog.

  • Anonymous
    January 01, 2003
    Great FAQs, Mark. "Multiple-forest, no trust, one tenant": Can we achieve this with AADSync tool? I guess that as there's no trust - we'll need to setup ADFS farms. I'll be glad if you could discuss this scenario on this blog. Thanks!

  • Anonymous
    January 01, 2003
    @alex - ADF3 3.0 should support multi forest and multi UPN suffixes. The UPNs do have to be internet routable, registered domains in Office 365, and configured for federation with Office 365 on the ADFS server.

  • Anonymous
    January 01, 2003
    Hi Mark,

    Thanks for your prompt response. It is a relief to hear that this will work :)

    Do you know of any "how to" articles that cover adding the additional domains, preferably covering the configuration on both sides (ADFS and Office 365)?

    Thanks in advance,
    Alex

  • Anonymous
    January 01, 2003
    Hi Mark,

    If we have multi-forest (full trust), using different (alternative) UPNs for each forest, how does this work with ADFS (3.0)?

    For example, if we have:-

    The first forest configured with the UPN contoso.com,
    using ADFS as sts.contoso.com


    and we want to add the second forest configured with the UPN tailspin.com

    do we need to make any changes to ADFS or can we use the ADFS servers at sts.contoso.com for tailspin.com accounts?

    If we can continue to use sts.contoso.com for tailspin.com user accounts, do we need to make any changes to ADFS and/or Office 365 or is it simply a case registering tailspin.com as a domain in Office 365 and Exchange Online?

    Thanks in advance,
    Alex

  • Anonymous
    August 12, 2013
    Thanks for sharing this info... It would be great if you can share some technical documentation or links for following: • Office 365 Multi-Tenant (MT) • IaaS Exchange Hosting (Azure, etc) Thanks KK

  • Anonymous
    September 12, 2013
    I connected three Exchange 2003 organizations to a single Office 365 tenant with Hybrid servers on all three.  This works just fine as long as you have a way to dirsync from all three forests uing something like OptimalIDM VIS or FIM Connect for Office365.  The trick is that only the firs hybrid wizard will complete, the you run he additional hybrid wizard which will fail to create the org relationship since it says it already exists.  You just need to create the org relationship via Powershell for the other two, and use the same coexistence namespace.  Contact me at greg.dodge@ec3rdpower.com for more details if you need them.

  • Anonymous
    September 13, 2013
    Nice info. What do you mean with "Eventually, collapse the resource forest data into the account forest and then change dirsync to work against the account forest."? Which process is used for "collapsing" the resource forest data and what "data" are you referring to? I have a customer who wants to have a hybrid SharePoint with Federated search. SharePoint is however in a resource forest..

  • Anonymous
    September 18, 2013
    Thanks for the information Can you share more information about it, I have a one forest and some tenants and would Like to know how can implementing SSO and the Dirsync for this scenario. Is it posible federate Exchange with this scenario, i have only one organization of exchange

  • Anonymous
    February 05, 2014
    Hi, Mark. When you talked about trust between forrest, can this be two-way selective (e.g. only ADFS service account can access both forests in trust)? Kind regards.

  • Anonymous
    February 12, 2014
    Hi Mark, can we use a single exchange org to hybrid with 2 office 365 tenant ?

  • Anonymous
    February 12, 2014
    Sorry, just read your comment, in the case of a single exchange org, can we deploy a new resource domain for exchange and then do a hybrid ?

  • Anonymous
    February 18, 2014
    Do we know if there is any movement from Microsoft on this question since the original post? Q: Can I have multiple Exchange orgs connecting via Hybrid into a single tenant? A: Not currently. It may be something in the future.

  • Anonymous
    March 05, 2014
    Hi Mark. How to move Cross forest to office 365 in demerger scenario. Scenario is , company abc is seprating business from xyz. Requirment is to build new AD for ABC and move its mailboxes from XYZ to office 365 , Map these mailboxes to ABC AD.

  • Anonymous
    March 30, 2014
    Hi Mark,

    This article is a little dangerous to have out on the internet without a procedure to show how this is done, in my opinion. Simply replying "yes" to office 365 with multiple forest and FIM without giving an explanation as to how is very vague and implies its an easy process. searching on this topic leads to here as the first hit through search engines, and as you can imagine, there would be many an IT administrator looking up how to do this right now as there is very little information out there.

    i'd love to see a step by step guide on how to configure FIM with multiple forests.

  • Anonymous
    April 01, 2014
    Hi, just curious. If i have a single tenet but multiple forests. Eventually i want to consolidate the frosts into one, basically migrate a subsidiary into the main company. Is office 365 aware enough to recognize the migrated ad accounts and keep it relatively seamless for my end users? Or do i have to delete accounts and associate them? Any info would be helpful, thanks

  • Anonymous
    April 06, 2014
    Hi Mark,

    Great, thank you for updating the blog post, it seems much clearer now.

  • Anonymous
    April 28, 2014
    Can i have two tenants and share a single smtp domain?

  • Anonymous
    April 28, 2014
    Can i has 2 OPEN contracts with for a single tenant and a single domain?

  • Anonymous
    May 08, 2014
    How can I deploy office 365 for Account only forest and there is no exchange available anywhere in on-premises?

  • Anonymous
    August 28, 2014
    Hi Mark,
    Great post, from my understanding it is possible to have users on Exchange Online using DirSync and if they were looking to use another tenant for say SharePoint Online outside of their orginal tenant for a sub group of users it is possible to add a second DirSync server to create password sync for the second tenancy, is that right?

  • Anonymous
    October 13, 2014
    The comment has been removed

  • Anonymous
    November 17, 2014
    Hi, is it possible to deploy lync hybrid between one resource forest (on-prem) and multiple online tenants for enterprise voice capabilities?

  • Anonymous
    December 04, 2014
    Hi,

    Let me know if it is possible and how. Need some directions.

    CompanyA with Office 365 subscription and ADFS SSO configured working. CompanyB that is a client / customer wants to leverage the CompanyA's Office 365 SharePoint Online to collaborate on shared projects. CompanyB wants single sign-on.

    Current CompanyA and CompanyB don't have Active Directory trust relationship or federation.

    Faisal Masood
    http://www.FaisalMasood.com

  • Anonymous
    December 31, 2014
    Thanks for your post Mark. Question: We do have on single domain. I would like sync (AADsync) OU "A" to Office 365 Tenant "A" and OU "B" to Office 365 Tenant "B". This should be possible, right? But how? Thanks for your feedback.

  • Anonymous
    January 24, 2015
    Smiliman, we have exactly the same problem with our design. Did you manage to make any progress, I have posted on the Office365 forum, but the consensus is it is not yet supported

  • Anonymous
    March 23, 2015
    Hi again, just wondering if the multi org single tenant hybrid functionality is in production? While I can see it was shown at Mec2014 and there is a post on the linked technet, I do not see many step by step deployment guides and my own poc is proving this feature to not actually work as of yet...

  • Anonymous
    March 23, 2015
    hi
    is there anyway to share office365 between 2 orgs without trusting each other domains? i.e. - can I use ADFS or some other mechanism?

  • Anonymous
    April 09, 2015
    The Multi-Tenancy and Hosting Guidance for Exchange Server 2013 says the following:

    Establishing a hybrid relationship with Office 365 is not recommended if you have configured Exchange 2013 for multi-tenancy as it may expose data between tenants.

    The Hybrid Configuration Wizard and the configuration used to establish a Hybrid relationship with Office 365 was not designed to work with Exchange 2013 in a multi-tenant configuration.

    And this:
    It is not supported to configure or attempt to configure your Exchange 2013 organization to have a hybrid relationship with multiple Office 365 tenants.

    But you say that this works? Is it supported now?

  • Anonymous
    April 27, 2015
    Dear MarkGa, I have multiple Exchange 2013 forests connected to multiple Office 365. Now I need to setup single resource forest to support all Exchange 2013 organizations si I have possibilities to migrate mailboxes to Office 365 or resource forest. Is this described somewhere or is it even supported? Thanks a lot, please answer to zbynek.salon@salonovi.cz. Thanks a lot. With regards Zbynek

  • Anonymous
    May 11, 2015
    Ballsup

  • Anonymous
    June 08, 2015
    My scenario is we have currently deployed full FIM with the 365 connector and ADFS as we have multiple forests through acquisition and AADSync was not available when we first deployed this.

    We now have a new acquisition who we wish to setup in the same tenant but due to technical limitations cannot establish network connectivity between the two environments. This stops us from establishing a forest trust or utilising our existing FIM deployment to sync their accounts.

    The new acquisition can get by with password sync for the time being, can we just deploy AADSync in their forest pointing at the same tenant providing they are unique objects and using separate domains in 365 for both logon and email?

    There is some concern that establishing a separate instance of AADSync alongside our existing FIM + 365 connector deployment will overwrite or delete our existing synced objects somehow. I know we could replace FIM with AADSync but this isn't possible in the project time frame.

    Thanks,
    David

  • Anonymous
    June 12, 2015
    Mark,

    Please can you clarify a previous comment:

    "One forest with multiple tenants would require multiple dirsync installations with domain/OU filtering enabled to avoid syncing the same objects to TWO different tenants. For federation, you can use a single ADFS server but different UPN suffixes for each tenant required."

    I have one forest, with user accounts from two separate organisations. I have ADFS setup for our own O365 tenancy and that is working fine. Now that other organisation wishes to use their own O365 tenancy.

    I understand the need to have two separate DirSync's. What I'm wondering is - can my existing ADFS (Server 2012 R2) farm to provide federated access to that other tenancy? Can I just setup a new "MsolFederatedDomain" to achieve this without affecting my current users?

    Is there any documentation relating to this kind of scenario?

    Many thanks,

    Jon.

  • Anonymous
    June 20, 2015
    Have a look at the post below if you know your way around with PowerShell, searched for a multitenant solution myself and found a way to make it possible with the Azure PowerShell module. This solution allows you to onboard your multitenant AD environment to a multitenant Azure AD environment, provisioning multiple tenants with multiple federated domains across multiple subscriptions.

    http://www.ruudborst.nl/multi-tenant-azure-federation-without-dirsync-aadsync-aadconnect-fim/

  • Anonymous
    June 25, 2015
    The comment has been removed

  • Anonymous
    July 23, 2015
    Are there any additional consideration around running a single tenancy with multiple ADFS farms on different versions. We have a single tenant, FIM doing sync and an existing ADFS 2.0 farm. We are planning on using the same FIM instance to sync a new forest but also deploy ADFS 3.0 in the new forest due to technical limitations preventing a forest trust.

    Any gothas to be aware of running the 2 different ADFS versions against one tenant?

  • Anonymous
    July 27, 2015
    Mark, Thanks for the article! I am looking for info on consolidating multiple forests/orgs into a single Office 365 tenant without using trusts. There are 100+ forests and no trusts in place currently, they are all separate. Can we setup an ADFS/Azure ADC instance for each forest connecting into the same O365 tenant or will we need to do forest trusts and have a single ADFS/Azure ADC instance?

  • Anonymous
    September 08, 2015
    Is it possible to have a single tenant, multi-org & shared primary smtp namespace?