Dear Community,
I want to do some brainstorming and get your ideas.
I have an AD Forest as in the following picture

- Tree Root (Forest) connected to Azure Cloud Tenant and all users and devices from the Trees.
- demoorg.local and subdomains synced to the Azure Cloud Tenant.
- Users from xy.demoorg.local & xz.demoorg.local use the same UPN suffix (the domain name used to log in to e-mail and Teams).
- All devices are Hybrid joined. (Conditional Access is not in use)
- Password hash authentication is activated.
- The e-mail server is on-prem Exchange, and it serves only users from xy.demoorg.local & xz.demoorg.local.
- There is no Cloud app or other cloud resources using the xy.demoorg.local & xz.demoorg.local
- All devices from xy.demoorg.local & xz.demoorg.local are managed via local GPOs.
- All users sign in to Windows with only a username and password (no Windows Hello, PIN or security key in use).
Task:
- I want to create a new Azure tenant (only one tenant), connect all users and devices from my xy.demoorg.local & xz.demoorg.local (demoorg.local tree) to the new tenant, and disconnect the tree from the tenant it is currently connected to.
- As far as I know, I first need to delete all synced devices, unregister my domain name (used for Teams and Outlook sign-in) from the old tenant, and register the domain in the new tenant.
- Then I want to sync all devices and users to the new tenant.
Question:
- Is it possible?
- If yes, which scenarios are available, and which scenario do you prefer?
- Will there be downtime during the migration?
- Which other questions should I answer?
- Or should I maybe separate my own tree from the forest and then connect it to the new tenant?
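Before deleting synced devices and releasing a custom domain from the old tenant, an inventory of what is actually there is the first thing a reviewer would ask for. The script below is an added example, not code from the poster or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, that the account used holds at least the Global Reader role in the old tenant, and it uses a placeholder UPN suffix (`contoso.example`) because the real sign-in domain is not shown in the post. It is read-only: the device removal step only previews with `-WhatIf`.

```powershell
# Added example (not the poster's code): read-only pre-migration inventory of the OLD
# Azure tenant. Assumes the Microsoft Graph PowerShell SDK and a Global Reader account.
$UpnSuffix = 'contoso.example'   # placeholder: the public suffix users sign in with for Teams/Outlook

Connect-MgGraph -Scopes 'Device.Read.All','Domain.Read.All','User.Read.All','Organization.Read.All' -NoWelcome

# 1. Is directory sync (Azure AD Connect) currently active for this tenant?
$org = Get-MgOrganization
"Directory sync enabled in tenant: $($org.OnPremisesSyncEnabled)"

# 2. State of the custom domain that has to be released before the new tenant can verify it.
$domain = Get-MgDomain | Where-Object Id -eq $UpnSuffix
if ($domain) {
    "Domain $($domain.Id): verified=$($domain.IsVerified) default=$($domain.IsDefault) auth=$($domain.AuthenticationType) services=$($domain.SupportedServices -join ',')"
} else {
    "Domain $UpnSuffix is not registered in this tenant."
}

# 3. Synced users grouped by on-prem domain: confirms whether xy/xz are the only domains in scope.
Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' -Property UserPrincipalName,OnPremisesDomainName |
    Group-Object OnPremisesDomainName |
    Select-Object @{ n = 'OnPremDomain'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 4. Devices by join type. Hybrid Azure AD joined devices report TrustType 'ServerAd'.
$devices = Get-MgDevice -All -Property Id,DisplayName,DeviceId,TrustType,OperatingSystem,OnPremisesSyncEnabled
$devices | Group-Object TrustType | Select-Object Name, Count | Format-Table -AutoSize

# 5. Preview of the device cleanup the post describes, without deleting anything.
#    The CSV is the record to keep before any real removal is run.
$hybrid = $devices | Where-Object { $_.TrustType -eq 'ServerAd' }
"$($hybrid.Count) hybrid-joined devices would be removed from the old tenant."
$hybrid | Select-Object DisplayName, DeviceId, OperatingSystem |
    Export-Csv -Path '.\old-tenant-hybrid-devices.csv' -NoTypeInformation
$hybrid | ForEach-Object { Remove-MgDevice -DeviceId $_.Id -WhatIf }
```

Running this against the old tenant answers two of the questions above before anything is changed: whether the sign-in domain is still bound to services (step 2, `SupportedServices`) and how many hybrid-joined devices and synced users are affected (steps 3 and 4). The same script run against the new tenant after the cutover shows whether the domain verified and the objects re-synced as expected.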