What domain structure is best for two business units requiring different account policies?

Creating two separate domains is the most effective structure for allowing different account policies for two distinct business units. Each domain operates independently, which means that specific security settings, user policies, and permissions can be tailored to the unique operational needs of each business unit. This separation helps in enforcing distinct governance, maintaining compliance with different regulatory requirements, and ensuring that policies can be updated or changed independently without impacting the other unit.

Using a single domain would restrict the ability to customize policies separately, as all configurations would apply universally across both units. Similarly, while creating additional organizational units offers some flexibility, it may not provide enough separation for entirely different account policies. A mixed domain model, which incorporates aspects of both single and multiple domains, may also not serve the need for distinctly different policies effectively.

In summary, establishing two separate domains ensures that each business unit can have its own specific account policies without interference, leading to a better compliance and security posture tailored to each unit's needs.