Hello @Paul ,
We will go with the assumption that every user in the company will be provided a company device to access company apps and resources. The GPO will not apply for the user accessing Azure AD via any HTTP client (like accessing any line-of-business application via a browser), or even if the user signs in using a synced account connected to Windows via Windows Hello (if they are using Windows 10). Any GPO which has once been applied, when the user's device was connected to the office network, will remain in the local cache of the machine / user's profile and will continue taking effect, as its associated registry settings will be present. The application of GPO is a little tricky for remote users with company devices without using VPN. You will need to set up VPN connectivity on the devices in order to have it working. Always On VPN in Windows 10 is one such feature which can help here.
When the remote user connects to the office network, the GPO client needs a domain controller in its line of sight over the network in order to validate and apply the settings. By default, the GPO refreshes once every 90 minutes. If the last GPO refresh has failed or the 90-minute GPO refresh cycle has elapsed, the GPO engine will try to do a background refresh over VPN in case it is connected. There is no need to reboot or log off before connecting to the company network over a VPN. The group policy refresh will take care of the policy application.
We hope that you have all your Windows clients updated to Windows 10. You can implement the Windows 10 Always On VPN feature on your Windows 10 clients, and then the VPN will be connected and most of the GPOs will apply because they will have a line-of-sight domain controller.
We believe if you have any Microsoft 365 license which includes Intune, it will suffice. Using Intune you can create VPN profiles and push the same to the devices via Intune if the user is totally remote. In case you have the device and you configure it first and then ship it to the user, then you can set it up for the first time and send it to the user. There are many security settings that even Intune provides. While all the settings and capabilities provided by Intune may not be exactly on par with the Group Policy capabilities, in most cases the capabilities are enough for a lot of organizations who practically have permanent remote workers. There is an Intune group policy analytics feature which can help in analyzing the existing group policies that you have and show you what settings can be applied through Intune MDM.
It is very hard to say what will work for your organization as it depends on specific security needs. For example, a bank has very different security control measures applied in its Active Directory network as compared to a textile company. However, if I would need to do it, I would start with analyzing my on-premises group policy which I want applied on all machines and compare which common settings are already available in Intune (Microsoft Endpoint Manager) as well. If I get all the capabilities here, I can just use Intune, and VPN would not be needed if everything else is accessed over the internet using modern authentication where Azure AD auth is used. However, if there is some setting which I require and Intune is unable to provide, I will go the Always On VPN route as discussed above.
I have linked it to some articles and would request you to go through them. I hope this helps. If the information provided in this post is helpful, please do accept the post as an answer so that this helps other members of the community. In case you have further queries, please feel free to ask and we will be happy to help.
Thank you.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
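The answer above relies on three things being true on a remote Windows 10 device before Group Policy can refresh: the VPN tunnel is up, a domain controller is reachable through it, and the Group Policy client then completes a background refresh without a reboot. The PowerShell script below is an added diagnostic example (not part of the answer, not Microsoft's own tooling) that checks each of those conditions on the client and reads the outcome of the last policy refresh from the System event log. The VPN connection name `Corp-AlwaysOn` is an assumed placeholder; everything else uses built-in cmdlets and tools (`Get-VpnConnection`, `nltest`, `Test-ComputerSecureChannel`, `Get-WinEvent`, `gpupdate`). Run it in an elevated PowerShell session on the client.

```powershell
# Added example: check whether a remote Windows 10 client can receive Group Policy over VPN.
# Assumed placeholder: the Always On VPN profile name. Adjust to your own profile name.
param(
    [string]$VpnName = 'Corp-AlwaysOn',   # assumption, not from the answer
    [switch]$Refresh                      # when set, trigger a refresh with gpupdate
)

# 1. Is the VPN tunnel up? (VpnClient module ships with Windows 8.1+ / Windows 10)
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
if ($null -eq $vpn) {
    Write-Warning "No VPN profile named '$VpnName' found on this device."
} else {
    Write-Host ("VPN '{0}' status: {1}" -f $vpn.Name, $vpn.ConnectionStatus)
}

# 2. Can the Group Policy client see a domain controller (line of sight)?
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$dcInfo = & nltest /dsgetdc:$domain 2>&1
if ($LASTEXITCODE -eq 0) {
    # nltest prints a line such as "DC: \\dc01.contoso.com" when a DC is located
    $dcLine = ($dcInfo | Where-Object { $_ -match '^\s*DC:' }) -join ''
    Write-Host "Domain controller located: $dcLine"
} else {
    Write-Warning "No domain controller reachable for '$domain'; GPO refresh will fail until the VPN is connected."
}

# 3. Is the machine's secure channel to the domain healthy? (requires elevation)
try {
    $secure = Test-ComputerSecureChannel -ErrorAction Stop
    Write-Host "Secure channel to domain OK: $secure"
} catch {
    Write-Warning "Could not test the secure channel: $($_.Exception.Message)"
}

# 4. What did the last Group Policy refresh do?
#    System log, provider Microsoft-Windows-GroupPolicy:
#    1500/1501 = processed, no changes; 1502/1503 = processed successfully;
#    1054/1129 = could not locate / reach a domain controller.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id           = 1500, 1501, 1502, 1503, 1054, 1129
} -MaxEvents 5 -ErrorAction SilentlyContinue

if ($events) {
    $events | Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`r?`n")[0] }} |
        Format-Table -AutoSize
} else {
    Write-Host 'No recent Group Policy processing events found in the System log.'
}

# 5. Optional: force a refresh now instead of waiting for the 90-minute background cycle.
#    No reboot or logoff is needed; a reboot/logon is only required for the few
#    settings that gpupdate reports as such.
if ($Refresh) {
    & gpupdate /target:computer
    & gpupdate /target:user
}
```

Typical usage is `.\Check-GpoOverVpn.ps1 -VpnName 'Corp-AlwaysOn'` to read the current state, and the same command with `-Refresh` after the tunnel comes up. A device that reports the VPN as Connected but still logs event 1129 points at a routing or DNS problem inside the tunnel rather than at the policy itself, which is the case to investigate before considering the Intune route described in the answer.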