We have a client that has a single on-prem AD domain with 2 companies in it. It used to be one company - now it's one big and one small one. Users from both companies need to access the same file server. Only the CEO has mailboxes in both companies.
Each company has their own 365 tenant. They currently have Microsoft Standard licensing and we want to migrate them to Premium to provide Intune and MDE.
I am aware that single AD to multiple AAD tenants is a supported configuration, but it has a lot of caveats and complexity. The main one is losing Seamless SSO. If I understood correctly, that means that users will need to authenticate again if they want to access 365 resources from their hybrid-joined AAD PCs.
- Has anyone implemented single AD to multiple forests before and can share their experience?
- Is there a better solution than single AD to multiple AAD tenants sync here? Something like upgrading the main company's licensing and using the AD as a base tenant. Then downgrading changing the smaller companies' licensing to EOP1 Defender for Office. Now only the smaller companies' employees will lose SSO.
EDIT:
Will probably just tell them they need a new DC and file server for the smaller company. Then we can treat them as a separate company altogether relative to Entra Connect sync and licensing.
Post Details
- Posted
- 9 months ago