Hi,
We're a new startup with all staff working remotely and our infrastructure is 100% Azure with no on-premise infrastructure. Our company laptops are all Azure AD Joined and managed from Intune. This also deploys a P2S VPN which allows connectivity into Azure infrastructure.
We have a core application our staff use which is hosted on an app server in Azure. The thick client is installed on a user's desktop and connects to the app server. Authentication is via AD so the server is domain joined. At present we have VMs in Azure that are also domain joined. The staff RDP onto these and can then use SSO to log into the application.
Instead of staff having to RDP to use an application, the client should be installed on their laptop. While we have connectivity over the P2S VPN, there is no trust as the laptops are not on the domain and SSO doesn't work either. It's possible to domain join a laptop so the application works, but then it's impossible to Azure AD Join the laptop so it's managed via Intune. Also, Azure licences such as the M365 E3 don't work and don't upgrade Windows to Enterprise, along with other limitations.
It's also possible to configure the application to use an authentication server utilising LDAP, but I understand this is not supported in Azure AD either. Why should LDAP even be needed when the laptop is already authenticated by Azure AD?
This seems to be a huge hole in Microsoft's Cloud approach for the modern workplace, as it appears to be impossible to use SSO with a thick client, or LDAP, which is also used by thousands of cloud apps out there that need an LDAP connection for authentication. At present, the only option appears to be to create an on-premise network to host a domain controller and hybrid join them, completely defeating the idea of a cloud-only infrastructure.
Is this really impossible, or am I missing something?
Regards,
Jason