Create an another tennant and associate a new subscription in a new Management group make sure role inherence doesn't take into affect

This is everytime s big discussion;)
From my perspective a test tenant is needed, when you will evaluate services at Azure AD level.
It make sense to create a isolate AD domain in the same way like the production system and also use a domain name and use the same account sync solution.
When you start with a separate test tenant, please be aware of the additional management overhead and handle it like the same way as the prod system.
Define the scope and the goal for the rest tenant and who is responsible for it.

For testing Azure services they running inside subscriptions it can be a better way to use different subscriptions and group this with management groups and associate Azure policies.

Another option, especially if it features testing you need to test is the M365 Developer program: https://developer.microsoft.com/en-us/microsoft-365/dev-program, you get a fully-fledged and licensed M365 environment with pre-staged users, for about 90 days but can be extended if you are continuously using it.

Yes, having a separate test tenant can be useful for testing changes and new features before deploying them to production. To create a test tenant that is similar to your production tenant, you will need to set up a separate Azure AD tenant and configure it to match your production tenant as closely as possible. Here are some recommended steps to create a test tenant:

Create a separate Azure AD tenant: To create a separate Azure AD tenant, go to the Azure Portal and select the "Azure Active Directory" section. From there, you can create a new tenant by selecting "Create a tenant" and following the prompts to create a new tenant.

Configure the test tenant to match the production tenant: To make the test tenant similar to your production tenant, you will need to configure it with the same settings, policies, and permissions. This includes creating the same users and groups and configuring the same Azure AD Connect settings to sync the same users from your on-premises Active Directory. You can use Azure AD PowerShell or Azure AD Graph API to automate the creation of users, groups, and policies in the test tenant.

Here are some recommended steps to configure the test tenant:

Create the same users and groups: You can use Azure AD PowerShell or Azure AD Graph API to create the same users and groups in the test tenant as you have in your production tenant. This will ensure that the test tenant has the same user base as the production tenant.

Configure the same Azure AD Connect settings: You will need to configure Azure AD Connect to sync the same users from your on-premises Active Directory to the test tenant. This will ensure that the test tenant has the same user data as the production tenant. You can use the Azure AD Connect Configuration Wizard to configure the same settings in the test tenant.

Configure the same policies: You will need to configure the same policies in the test tenant as you have in your production tenant. This includes policies for password settings, device management, and access control. You can use Azure AD PowerShell or Azure AD Graph API to automate the creation of policies in the test tenant.

Test changes and new features in the test tenant: Once you have set up the test tenant, you can test changes and new features in the test tenant before deploying them to production. You can use the test tenant to perform functional testing, security testing, and load testing to ensure that the changes and new features work as expected.

Deploy changes and new features to production: After testing changes and new features in the test tenant, you can deploy them to production. It's important to note that any changes or new features that are deployed to production will not be reflected in the test tenant unless you manually configure them.

Keep the test tenant up-to-date: To ensure that the test tenant remains a reliable representation of the production tenant, you will need to keep it up-to-date with any changes or new features that are deployed to production. You can automate this process using Azure AD PowerShell or Azure AD Graph API to sync the changes from production to the test tenant.

Keep in mind that having a separate test tenant will incur additional costs, so you should plan and budget accordingly. Additionally, you should follow best practices for managing your test tenant, such as keeping it secure and up-to-date, to ensure that it remains an effective tool for testing changes and new features.

Hi, I know it's been a while since you first asked this question... We recently released a training module that provides guidance on test tenants in Azure AD: https://learn.microsoft.com/training/modules/create-azure-active-directory-test-environment/
It discusses when you should use a separated tenant or a production tenant, creating test users, and creating policies to match your production environment.
Hope that helps.

@NicolasHon 

In terms of test, would suggest creating a sandbox that is isolated enviroment with separate Domain