Hi Alisson,
I would like to answer the questions one by one:
Q1: Which domain should I federate to O365 in order for users to logon to our ADFS service?
A1: In this case, only userdomain.com needs to be converted to a federated domain.
=============================================
Q2: If it is both, do I need a valid CA for both domains or can I use a Self Signed Certificate for my internal domain "usersdomain.com"?
A2: In this case, adding both domain names to the certificate is not necessary. Theoretically, a self-signed certificate can work with Lync in a Single Sign-On (SSO) environment. However, Outlook desktop applications cannot connect to Office 365 accounts if we use a self-signed certificate to deploy SSO.
=============================================
Q3: I'm also willing to confirm how should this regular user logon to Lync.
A3: In this case, the Office 365 users are synchronized from the local AD. If so, based on my test, if we don’t assign an SIP address for the local user, his Office 365 Lync sign-in address will be the same as his Office 365 primary email address.
In other words, in this case, the user’s Office 365 Lync sign-in address is John.Doe@emaildomain.com.
Thanks,
Claud