As you may already know, it is not possible to synchronize more than one AD Forest with Microsoft Online Services (Office 365).

So what can you do if you have more than one AD Forest to synchronize with Office 365?

The answer is FIM, Forefront Identity Manager 2010; but not only FIM.

To implement synchronization between Office 365 and all your AD Forests, you have to implement a new AD Forest.

This AD Forest (let's call it Office365Sync) will be a technical one, synchronized with your existing directories (where your users are located) thanks to FIM. The Office365Sync forest will then host the Directory Synchronization tool used for Office 365 synchronization.


OK, the new forest is now implemented; let's deploy FIM.

The first thing to think about is: what do I want to do with FIM in the Office 365 synchronization context?

Indeed, this question is important as it will help you define which AD attributes to synchronize, whether you want to synchronize user passwords (in the case of an SSO implementation; reminder: SSO with Office 365 is done using ADFS, and we will talk about the ADFS implementation later), and so on.

The simplest scenario consists of synchronizing only user accounts; the most complex one is the full implementation (i.e. password synchronization).

I will only explain the simplest scenario. Password synchronization requires a schema update on the existing AD forests and an agent deployment on every domain controller, to catch password changes.

To populate your new Office365Sync forest with your existing user accounts, you have to deploy FIM within the existing AD Forests (you may also have to deploy it per AD Domain, depending on the complexity of your directory infrastructure) and then implement Management Agents to define the connection between your directories and the Office365Sync directory.


Then you can deploy the Directory Synchronization tool on the Office365Sync domain (don't forget, the current version of the directory synchronization tool must be deployed on a 32-bit operating system) for Office 365 user account provisioning.
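The population step above is performed by FIM Management Agents. As an added illustration (not the original post's code, and not FIM itself), the following PowerShell models the same attribute flow for the simple scenario: read user objects from each existing forest, and create or update matching objects in the technical Office365Sync forest. It goes slightly beyond the text in one respect: before writing anything, it checks for sAMAccountName and userPrincipalName values that exist in more than one source forest, because a join attribute must be unique across all forests and Office 365 rejects colliding UPNs. The domain controller names, the target OU, and the use of the ActiveDirectory (RSAT) module are assumptions for the example.

```powershell
# Added example: a minimal model of the FIM attribute flow from the existing forests
# into the technical Office365Sync forest. Not FIM; placeholder names throughout.
Import-Module ActiveDirectory

$SourceForests = @('dc01.forest-a.example', 'dc01.forest-b.example')   # assumed source DCs
$TargetServer  = 'dc01.office365sync.example'                           # assumed technical-forest DC
$TargetOU      = 'OU=SyncedUsers,DC=office365sync,DC=example'           # assumed target OU

# No password flows in the simple scenario, but AD needs one to create an enabled account;
# generate a random one that nobody knows (sign-in is handled by ADFS, not this forest).
function New-RandomPassword {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. Read users from every source forest; remember where each one came from.
$SourceUsers = foreach ($dc in $SourceForests) {
    Get-ADUser -Server $dc -Filter * -Properties displayName, mail, proxyAddresses |
        ForEach-Object { $_ | Add-Member -NotePropertyName SourceServer -NotePropertyValue $dc -PassThru }
}

# 2. Cross-forest uniqueness checks. Each forest guarantees uniqueness only within itself;
#    the same sAMAccountName or UPN in two forests would break the join and fail in Office 365.
foreach ($key in 'SamAccountName', 'UserPrincipalName') {
    $dups = $SourceUsers | Where-Object $key | Group-Object $key | Where-Object Count -gt 1
    foreach ($d in $dups) {
        Write-Warning "$key '$($d.Name)' exists in several forests: $($d.Group.SourceServer -join ', ')"
    }
    if ($dups) { throw "Resolve duplicate $key values before populating the Office365Sync forest." }
}

# 3. Create or update each user in the technical forest with only the attributes
#    Office 365 needs for basic provisioning.
foreach ($u in $SourceUsers) {
    $props = @{
        GivenName         = $u.GivenName
        Surname           = $u.Surname
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        EmailAddress      = $u.mail
        Enabled           = $u.Enabled      # mirrored: DirSync maps this to the Office 365 sign-in state
    }

    $existing = Get-ADUser -Server $TargetServer -Filter "sAMAccountName -eq '$($u.SamAccountName)'"
    if ($existing) {
        Set-ADUser -Server $TargetServer -Identity $existing @props
    } else {
        New-ADUser -Server $TargetServer -Path $TargetOU -Name $u.SamAccountName `
            -SamAccountName $u.SamAccountName -AccountPassword (New-RandomPassword) @props
    }

    # proxyAddresses is multi-valued: replace it wholesale so removals on the source are reflected.
    if ($u.proxyAddresses) {
        Set-ADUser -Server $TargetServer -Identity $u.SamAccountName `
            -Replace @{ proxyAddresses = [string[]]$u.proxyAddresses }
    } elseif ($existing) {
        Set-ADUser -Server $TargetServer -Identity $existing -Clear proxyAddresses
    }
}
```

Run it with an account that can read the source forests and write to the target OU. The uniqueness check is the part worth keeping even if FIM does the actual flow: it is the cross-forest collision that neither source directory can detect on its own, and it is much cheaper to find before the Directory Synchronization tool reports it as a provisioning error.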