Thank you for your reply Bourne.
I would like to stop federation with forest A but I also would like to minimize downtime for the users. So I want to setup AD FS in Forest B but not use it for the forest A users yet, It will give me time to test that portion of the setup before cutting over the users to use SSO in forest B.
From this blog my understanding is you can have one tenant with multiple forests but you can't use dirsync but the FIM connector so does this mean I can just setup AD FS but not DirSync from Forest B at the same time as SSO is setup in Forest A?
Then stop federation services in Forest A, setup DirSync and then use the SMTP match to convert them to dirsync users?
blogs.technet.com/.../multi-forest-and-multi-tenant-scenarios-with-office-365.aspx
Also can you use the password synchronization tool (once federation has been stopped in Forest A) as an interim measure to keep passwords in sync for users, whilst setting up AD FS in forest B to the same tenant?
Thanks, I don't want to complicate the cut-over but need a way to reduce impact to users and mitigate risk during the migration weekend.