The Administering Windows Server Hybrid Core Infrastructure content notes that Microsoft Entra Connect cloud sync uses lightweight agents and supports synchronizing specific OUs from multiple forests into a single tenant. The guide highlights that cloud sync “is designed for multi-forest or cross-organization scenarios and allows scoping to selected OUs and groups,” enabling granular onboarding of just the identities you need. The requirement says “the users in the Marketing OU (in Fabrikam’s forest) must have access to storage1.” Granting access to Azure Files using Entra-based authorization requires that those users exist in the same Entra tenant. Cloud sync enables importing only the Fabrikam Marketing OU into A. Datum’s tenant without establishing full trust for all users. Azure AD Connect in active or staging mode would target the A. Datum forest and isn’t intended for selectively bringing in a separate partner forest OU; AD FS is a federation solution and does not create tenant objects for ACLs on Azure resources like Azure Files. Therefore, implement Microsoft Entra Connect cloud sync and scope it to the Marketing OU to meet the requirement.