Hello @Toru Nakanishi
Thank you for posting your query on Microsoft Q&A.
I understand that you have two OUs in your on-prem domain, where the users in one OU have A.com email addresses and the users in the other have B.com email addresses, and that this one domain is federated with ADFS.
If you migrate the federated domain to cloud authentication, those users will be able to authenticate through Azure (PTA or PHS). You can set the user's email address as the source anchor instead of the UPN.
A UPN must be unique among all security principal objects within a directory forest. Microsoft's recommended best practice is to match the UPN
If the userPrincipalName attribute is nonroutable and can't be verified, then you can select another attribute. You can, for example, select email as the attribute that holds the sign-in ID. When you use an attribute other than userPrincipalName, it's known as an alternate ID.
The alternate ID attribute value must follow the RFC 822 standard. You can use an alternate ID with password hash sync, pass-through authentication, and federation. In Active Directory, the attribute can't be defined as multivalued, even if it has only a single value.
I suggest you refer to the documentation below.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Venkata Jagadeep.
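Before choosing mail as the alternate ID, the practical pre-check is to confirm that every synced user's candidate value is present, single-valued, RFC 822-shaped, unique across the forest and in a domain the tenant has verified. The script below is an added example written for this thread; it is not part of the answer above and not Microsoft code. The OU path, the verified-domain list and the user objects are constructed sample data (the non-routable corp.local UPN suffix mirrors the scenario in the question); the [System.Net.Mail.MailAddress] parse is only an approximation of the RFC 822 syntax rule.

```powershell
# Added example (not from the answer above): validate candidate alternate-ID
# values before switching the sign-in attribute in Azure AD Connect.
# ASSUMPTIONS: the OU path, verified domains and user objects below are made up.
# In production replace $users with, for example,
#   Get-ADUser -Filter * -SearchBase 'DC=corp,DC=local' -Properties mail
# (search the whole forest, not just the two OUs, because the value must be
# unique forest-wide) and $verifiedDomains with the tenant's verified domains.

function Test-AlternateIdCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Users,          # SamAccountName, UserPrincipalName, mail
        [Parameter(Mandatory)] [string[]] $VerifiedDomains # domains verified in the tenant
    )
    $seen = @{}   # lower-cased address -> first SamAccountName that used it

    foreach ($u in $Users) {
        $value    = $u.mail
        $problems = @()

        if ($value -is [System.Collections.ICollection] -and $value.Count -gt 1) {
            # The alternate ID attribute must not carry multiple values.
            $problems += 'attribute holds multiple values; alternate ID must be single-valued'
        }
        elseif ([string]::IsNullOrWhiteSpace("$value")) {
            $problems += 'mail is empty; the user would have no sign-in ID'
        }
        else {
            $addr = "$value"
            # RFC 822-style syntax check (MailAddress is an approximation, not a full validator).
            try   { $parsed = [System.Net.Mail.MailAddress]::new($addr) }
            catch { $parsed = $null; $problems += "not a valid RFC 822 address: $addr" }

            if ($parsed) {
                if ($parsed.Address -ne $addr) {
                    $problems += "contains a display name or surrounding whitespace: $addr"
                }
                # The suffix must be a verified domain, or the value cannot serve as a cloud sign-in ID.
                if ($VerifiedDomains -notcontains $parsed.Host) {
                    $problems += "domain $($parsed.Host) is not verified in the tenant"
                }
                # Uniqueness is checked case-insensitively, as the directory compares it.
                $key = $addr.ToLowerInvariant()
                if ($seen.ContainsKey($key)) { $problems += "duplicate of $($seen[$key])" }
                else                         { $seen[$key] = $u.SamAccountName }
            }
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.UserPrincipalName
            Mail           = ($value -join ', ')
            OK             = ($problems.Count -eq 0)
            Problems       = ($problems -join '; ')
        }
    }
}

# Constructed sample data standing in for Get-ADUser output and the tenant's verified domains.
$verifiedDomains = @('a.com', 'b.com')
$users = @(
    [pscustomobject]@{ SamAccountName='alice'; UserPrincipalName='alice@corp.local'; mail='alice@a.com' }
    [pscustomobject]@{ SamAccountName='bob';   UserPrincipalName='bob@corp.local';   mail='bob@b.com' }
    [pscustomobject]@{ SamAccountName='carol'; UserPrincipalName='carol@corp.local'; mail='Alice@A.com' }   # duplicate of alice
    [pscustomobject]@{ SamAccountName='dave';  UserPrincipalName='dave@corp.local';  mail=$null }           # no value
    [pscustomobject]@{ SamAccountName='erin';  UserPrincipalName='erin@corp.local';  mail='erin@c.com' }    # unverified suffix
    [pscustomobject]@{ SamAccountName='frank'; UserPrincipalName='frank@corp.local'; mail=@('frank@a.com','frank@b.com') } # multi-valued
)

Test-AlternateIdCandidates -Users $users -VerifiedDomains $verifiedDomains | Format-Table -AutoSize
```

Anything the report flags has to be fixed in Active Directory before the cutover, because the sync will either reject the object or give the user a sign-in ID they do not expect. The script only checks the attribute values; the actual selection of mail as the sign-in attribute is done in the Azure AD Connect wizard (the user principal name choice on the Azure AD sign-in configuration page), and the federated domain still has to be converted to managed for PTA or PHS to take effect.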