Hello

We are about to setup an Azure GCC high tenant. We are in the initial stages of discussion around what is the best identity model to use. Currently we have one Active Directory forest. We sync objects from onprem to Azure Commercial, and we use ADFS for federation with the Azure commercial tenant. Devices in commercial tenant are either hybrid azure join or azure ad joined. I know devices can only be a member of one Azure tenant, so my question is what is the best course of action regarding syncing users to the GCC high tenant?  Should i stand up a new AD forest, migrate users from commercial forest to GCC high forest and then sync to Azure GCC high? or for the users that need to sync to GCC high should i disjoin there device from commercial, change the upn for these users , so they sync to GCC high azure? I want to try and avoid setting up an additional forest for this, but i'm trying to understand how this can work using one AD forest?