A logistics management business wants to consolidate its multi-tenant, multi-forest Office 365 environment. Expansion through acquisitions created the multi-tenant, multi-forest problem, further complicated by challenges around business productivity, managing users in AD and establishing cross-forest trust. The company also wanted SSO to reinforce secure access to applications and to cut the time IT spends handling end-user password reset requests. So what do you do? Take the plunge into the crazy world of multi-forest SharePoint Catch-22s, or pull your hair out strand by strand to numb your brain and avoid dealing with it?

For starters, you should know that Microsoft does support several scenarios for implementing SSO. Two components are needed: DirSync (directory synchronization) from your on-premises directory into the Azure AD tenant that backs the Office 365 subscription, and user credential authentication against the IdP. DirSync is the essential identity piece, while user credential authentication is the SharePoint federation aspect of a multi-forest Office 365 situation.

But wait, there’s more. Because Microsoft does support user password synchronization (also known as “password hash sync”) between your on-premises Active Directory and Azure AD, you don’t need to worry about federation: Azure AD becomes the user authentication point. The on-premises AD systems remain the authoritative source for user accounts but are not used to authenticate Office 365 users. Password hash synchronization is generally the preferred scenario for small to mid-sized companies that want to avoid managing a federation infrastructure.

FAQs About Possible Multi-Forest SharePoint Situations

Q: Is it possible to sync to tenants from directories other than AD?
A: Yes, either with the AADirSync tool or with the FIM Connector for Microsoft Office 365.

Q: What about one Active Directory Federation Service for multiple forests?
A: That works, as long as trust exists among the forests. You’ll have to give each forest its own UPN suffix so that this scenario operates smoothly.

Q: We want multiple tenants but only one forest. Is this possible?
A: You’ll have to run a separate DirSync service synchronizing to each tenant, or use Office 365’s FIM Connector. However, you can’t sync the same objects to different tenants, so you’ll have to configure DirSync filtering on each server so that each object goes to exactly one tenant.

Q: What happens when we have one account forest for logins and an Exchange resource forest?
A: In this case, you’ll need to set up DirSync and ADFS against the resource forest. Eventually, you can collapse the data contained in the resource forest into the account forest; then all you have to do is point DirSync at the account forest instead.

When difficult scenarios arise in multi-forest Office 365 environments, Optimal IdM’s Virtual Identity Server (VIS) offers solutions for 21st-century companies searching for ways to simplify operations, maintain optimal security and reduce overhead. We can help streamline your multi-forest, multi-tenant migration by providing cloud app access, password resets and end-user access to Microsoft Office 365. Contact us today for immediate assistance.
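For the one-ADFS-for-multiple-forests answer above, the following PowerShell check is an added example (not from the original post or from Optimal IdM): it lists each account forest’s UPN suffixes and reports whether each one is a verified, federated domain in the Office 365 tenant, since a suffix that is missing, unverified or merely “Managed” will not route sign-ins through ADFS. It assumes the ActiveDirectory and MSOnline modules are installed, an existing Connect-MsolService session, that the current credentials can query each forest, and that the forest names are placeholders for your own.

```powershell
# Added example: verify that every UPN suffix used in each account forest is a
# verified, federated domain in the tenant before enabling SSO.
Import-Module ActiveDirectory
Import-Module MSOnline   # assumes Connect-MsolService has already been run

# Constructed placeholder forest names; replace with your own.
$forests = @('corp.contoso.example', 'logistics.fabrikam.example')

# Index the tenant's domains by name for quick lookup.
$tenantDomains = @{}
foreach ($d in Get-MsolDomain) { $tenantDomains[$d.Name.ToLower()] = $d }

$report = foreach ($forestName in $forests) {
    $forest = Get-ADForest -Identity $forestName
    # The forest root DNS name is itself an implicit UPN suffix.
    $suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
    foreach ($suffix in $suffixes) {
        $d = $tenantDomains[$suffix.ToLower()]
        [pscustomobject]@{
            Forest    = $forestName
            UpnSuffix = $suffix
            InTenant  = [bool]$d
            Verified  = if ($d) { $d.Status -eq 'Verified' } else { $false }
            Federated = if ($d) { $d.Authentication -eq 'Federated' } else { $false }
        }
    }
}

$report | Format-Table -AutoSize

# Users holding a suffix that is not both verified and federated will not be
# sent to ADFS; fix the domain in the tenant before cutting over to SSO.
$report | Where-Object { -not ($_.Verified -and $_.Federated) } | ForEach-Object {
    Write-Warning "$($_.Forest): UPN suffix '$($_.UpnSuffix)' is not a verified, federated domain in the tenant"
}
```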

