Single forest, two Azure tenants: Commercial and GCC High

Skip Hofmann 341 Reputation points

We are about to set up an Azure GCC High tenant. We are in the initial stages of discussion around what the best identity method is to use. Currently we have one Active Directory forest. We sync objects from on-prem to Azure Commercial, and we use ADFS for federation with the Azure Commercial tenant. Devices in the Commercial tenant are either hybrid Azure AD joined or Azure AD joined. I know devices can only be a member of one Azure tenant, so my question is: what is the best course of action regarding syncing users to the GCC High tenant? Should I stand up a new AD forest, migrate users from the Commercial forest to the GCC High forest, and then sync to Azure GCC High? Or, for the users that need to sync to GCC High, should I disjoin their device from Commercial and change the UPN for these users so they sync to GCC High Azure? I want to try and avoid setting up an additional forest for this, but I'm trying to understand how this can work using one AD forest. I know I can create transformation rules in Azure AD Connect that will rewrite the user's UPN so it can sync to the GCC High tenant, but the user's device is still joined to Azure Commercial. So I'm trying to wrap my head around the best course of action here.
