A company has three disconnected Active Directory forests acquired through mergers, each managed by a separate IT team, and wants to synchronise all of them to one Microsoft Entra tenant. The architecture team requires a lightweight, Microsoft-managed provisioning service that avoids deploying a full synchronisation server per forest. Which synchronisation technology meets this requirement?
- ADeploy Microsoft Entra Cloud Sync with a lightweight provisioning agent in each forest, because the service is Microsoft-managed and supports disconnected multi-forest topologies. Correct
- BDeploy Microsoft Entra Connect Sync on a server in each forest, because only the full sync engine can read objects from multiple disconnected Active Directory forests.
- CDeploy a single Microsoft Entra Connect Sync server with a custom rule set that reaches across all three disconnected forests over the public internet.
- DDeploy Microsoft Entra Connect Health agents in each forest, because the health service can provision identities from disconnected forests into the tenant.
Why A is correct: Cloud Sync uses lightweight agents that report to a Microsoft-managed cloud service and natively supports disconnected forests, matching the lightweight multi-forest requirement exactly.
Why B is wrong: Connect Sync can serve multiple forests, but it requires a full synchronisation server and is not the lightweight Microsoft-managed agent service the architecture team asked for.
Why C is wrong: Disconnected forests have no shared trust path for one Connect Sync server to reach them, and reaching across forests over the internet is not a supported synchronisation design.
Why D is wrong: Connect Health only monitors the health and performance of identity synchronisation; it does not provision or synchronise any directory objects into the tenant.