Azure AD Connect (AAD Connect) is the recommended tool for the job. AAD Connect is a more robust tool than Azure AD Cloud Sync, and it has additional features that are useful for managing multiple forests.

To synchronize multiple forests with AAD Connect, you'll need to install it on a server in each of your forests. You'll also need to configure each instance of AAD Connect to sync with the same Azure AD tenant. Once this is set up, AAD Connect will synchronize the directories in each of your forests with Azure AD, allowing you to manage user accounts and other directory objects across all your forests from a single location.

Some things to keep in mind when using AAD Connect for multi-forest synchronization:

You'll need to configure each instance of AAD Connect with its own set of synchronization rules. This will allow you to customize the sync process for each forest as needed.
You'll also need to configure each instance of AAD Connect with its own set of credentials for connecting to the forest. These credentials should have the necessary permissions to read the directory and synchronize objects to Azure AD.
If you're using AAD Connect to synchronize multiple forests, it's important to keep the forests separate. Don't create cross-forest trusts or merge the forests in any way, as this can cause issues with the sync process.

https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/multi-forest

Hello DK,

I completely agree with Tushar Kumar's response. Azure AD Connect is the recommended tool for synchronizing multiple forests with Azure AD. It is more robust than Azure AD Cloud Sync and provides additional features for managing multiple forests.

To synchronize multiple forests with Azure AD Connect, you'll need to install it on a server in each of your forests and configure each instance of Azure AD Connect to sync with the same Azure AD tenant. You'll also need to configure each instance with its own set of synchronization rules and credentials for connecting to the forest.

It's important to keep the forests separate and not create cross-forest trusts or merge the forests in any way, as this can cause issues with the sync process.

I hope this helps. Let me know if you have any further questions.

Kind regards,

Luke Madden

@DK 

 

The above is reasonable advice, but there is an important correction to be made depending on what it is you're looking to achieve.

 

Your final question appears to be: "can the two on-premise directories (original. and dev.com) be consolidated into a single tenant ("Azure AD first")?

 

While the answer remains "yes", the correction to the above advice is that you cannot (it is not supported outside of something called staging mode, which isn't going to help you) run multiple Azure AD Connect instances pointing to the same tenant.

 

Instead, you will have a single Azure AD Connect installation that points to both original.com and dev.com on the Active Directory side, and "Azure AD first" on the Azure Active Directory side.

 

As some of the comments above imply, this needs careful planning but all I wanted to address here was the possibly-incorrect assertions from above that you would run AAD Connect installations in each Active Directory forest, as if I've understood the final questions correctly, that is untrue.

 

What you do want to do:

 

• Azure AD Connect: Supported topologies - Microsoft Entra | Microsoft Learn

 

What you don't want to do (i.e. separate AAD Connect installations per forest to a single tenant):

 

• Azure AD Connect: Supported topologies - Microsoft Entra | Microsoft Learn

 

Cheers,

Lain