Ensure Access for Users in contoso.com to Subscription1

To assign users in contoso.com access to the resources in Subscription1, you can use Azure AD Connect to synchronize the users from the on-premises Active Directory forest to the Azure AD tenant associated with Subscription1.

Here are the steps to achieve this:

1. Install Azure AD Connect on a server in your on-premises environment.
2. During the installation process, select the option to customize the synchronization settings.
3. On the Connect to Azure AD screen, enter the credentials for an account that has permissions to create and manage applications in the Azure AD tenant associated with Subscription1.
4. On the Connect your directories screen, select the option to Use custom settings to sync directory data.
5. On the Domain and OU filtering screen, select the option to Sync selected domains and OUs and select the contoso.com forest and the necessary domains and OUs that contain the users you want to synchronize.
6. On the Uniquely identifying your users screen, select the option to Use the objectGUID attribute as the source anchor.
7. On the Optional features screen, select the option to Password hash synchronization to synchronize the users' passwords to Azure AD.
8. Complete the remaining installation steps and let the initial synchronization complete.

Once the synchronization is complete, the users in contoso.com should be visible in the Azure AD tenant associated with Subscription1. You can then assign these users to the appropriate roles or groups in Subscription1 to grant them access to the necessary resources.