Azure AD connector, FIM, ADFS and multiple forests.
Hi - Hope you can help. I have a pretty unique problem in our business and I'd like to check whether we can solve it with the AD connector for FIM. We have multiple AD forests in our business with trusts between them (about 10 forests!). We also have FIM implemented with all objects in the 10 forests synchronised to a centralised directory - with linked user objects. We are looking at moving to Office 365 but we realise that the DirSync won't work with our 10 forests. So we would presumably need the AD connector for FIM combined with ADFS. Assuming that the AD connector can synchronise all the correct attributes to AD in Office 365, how does the authentication work? If a user logs in from their own forest, using their password in their local forest, what kind of ADFS architecture would one need? i.e. does the ADFS server look back to the source forest for that user? Can one ADFS server look back to every source forest if there are 10 of them? Does ADFS know that the user in the source forest is the same as the user in the unified directory that FIM updates? Hope this scenario makes sense. I guess my real question is whether I can have a hybrid solution with Office 365 and 10 forests where all the AD admin and password management is done in each source forest. Thanks in advance for any advice!
March 5th, 2014 6:41am

http://blogs.technet.com/b/educloud/archive/2013/08/02/multi-forest-and-multi-tenant-scenarios-with-office-365.aspx

Can you have multiple forests with a single tenant?

Yes, with FIM Connector for Office 365.

Can you have one forest with multiple tenants?

Yes, this is now supported as of recently. You either have to use the FIM Connector for Office 365 or you can now use multiple Dirsync servers syncing to each unique tenant. The key is you cannot sync the same objects into the different tenants. You must create dirsync filtering on each dirsync server.

Can I have a non-AD directory sync to a tenant?

Yes, with FIM Connector for Office 365.

Can I have one ADFS farm servicing multiple forests?

Yes, as long as trusts exist between the forests this will work. Each forest must have unique UPN login suffixes for this to work.

What if I do not have trusts between the forests?

If no trusts exist between the forests then multiple ADFS farms are required.

Can I have multiple Exchange orgs connecting via Hybrid into a single tenant?

Yes, this is a new capability available in Exchange 2013 SP1. See here.

What if I have a resource forest for Exchange and an account forest for logins?

Setup dirsync against the resource forest and setup ADFS against the account forest. Eventually, collapse the resource forest data into the account forest and then change dirsync to work against the account forest.

March 24th, 2014 6:55am
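Added example, not from the thread or from Microsoft: a PowerShell check for the requirement in the answer above that forests sharing one ADFS farm advertise unique UPN suffixes. It assumes the ActiveDirectory module, a host that can query each forest root over the existing trusts, and placeholder forest names in `$forestRoots`.

```powershell
# Placeholder forest root names (replace with the forests that will share the ADFS farm).
$forestRoots = @('forest1.example', 'forest2.example')

# Map each UPN suffix to the forests that claim it so duplicates are easy to spot.
$suffixOwners = @{}
foreach ($root in $forestRoots) {
    # Assumes DNS resolution and a trust path from this host to each forest root.
    $forest = Get-ADForest -Identity $root

    # Every domain DNS name in the forest is an implicit UPN suffix, so include
    # those alongside the explicitly configured suffixes.
    $suffixes = @($forest.Domains) + @($forest.UPNSuffixes)
    foreach ($s in $suffixes) {
        $key = $s.ToLowerInvariant()
        if (-not $suffixOwners.ContainsKey($key)) { $suffixOwners[$key] = @() }
        if ($suffixOwners[$key] -notcontains $forest.Name) {
            $suffixOwners[$key] += $forest.Name
        }
    }
}

# A suffix claimed by more than one forest breaks UPN-based routing on a shared farm.
$collisions = $suffixOwners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($collisions) {
    foreach ($c in $collisions) {
        Write-Warning ("UPN suffix '{0}' is claimed by: {1}" -f $c.Key, ($c.Value -join ', '))
    }
} else {
    Write-Output 'All UPN suffixes are unique across the listed forests.'
}
```

Run it from a domain-joined host before pointing a single ADFS farm at the forests; any warning it prints names a suffix that must be made unique first.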
