To grant on-premises users from a specific Organizational Unit (OU) access to Azure resources, their identities must be provisioned in Microsoft Entra ID. Microsoft Entra Connect cloud sync is a lightweight, modern solution designed for this purpose. It uses agents to synchronize users and groups directly from Active Directory Domain Services (AD DS) to Microsoft Entra ID. A key feature is its ability to be configured in the cloud to scope synchronization to specific OUs. This allows an administrator to precisely target only the users in the Marketing OU for synchronization, fulfilling the requirement in a streamlined and efficient manner.

B. Active Directory Federation Services (AD FS): AD FS is a federation service used for handling authentication requests (single sign-on), not for provisioning or synchronizing user identity objects into Microsoft Entra ID.

C. Microsoft Entra Connect in staging mode: A server in staging mode is a passive, standby server. It reads data for validation and testing but does not write or export any changes to Microsoft Entra ID.

D. Microsoft Entra Connect in active mode: While the classic Microsoft Entra Connect sync can also filter by OU, cloud sync is a more modern, lightweight, and cloud-managed solution better suited for targeted synchronization scenarios.

1. Microsoft Entra ID Documentation. (2023). What is Microsoft Entra Connect cloud sync? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync.

Reference Details: Under the "Key benefits" section

it states

"Synchronize users in specific OUs: You can configure cloud sync to synchronize specific OUs. This allows you to synchronize only the users you need." This directly supports the use of cloud sync for OU-scoped synchronization.

2. Microsoft Entra ID Documentation. (2023). Microsoft Entra Connect: Staging server and disaster recovery. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-staging-server.

Reference Details: The "Staging mode" section clarifies

"A server in staging mode...does not write anything back to these connected directories. It is in a read-only state when it comes to writing." This confirms why option C is incorrect.

3. Microsoft Entra ID Documentation. (2023). What is federation with Microsoft Entra ID? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-fed.

Reference Details: This document explains that federation is an authentication option

stating

"With federation

you can enable users to access Microsoft Entra ID-based services with their on-premises passwords." It does not provision the user objects themselves

which is the primary step needed. This supports why option B is incorrect.