Client authentication certificate: Depending upon your environment and CMG design, you can use PKI certificates for client authentication. This authentication method doesn't support user-centric scenarios, but supports devices running Windows 8.1 or Windows 10. For more information, see Configure client authentication for CMG: PKI certificate.
2010 will address this by prompting the user for their AAD identity.
Side question: Why aren't you at least hybrid AAD joining the systems?