@Joe Robinson Thanks for reaching out. If your machines are hybrid AAD joined, the device must have line of sight to a domain controller in order to be able to log in using an on-prem account.
If you need to log in with an AAD account, the device needs to be AAD joined. For any on-prem synced account, the device still needs to be able to get to a DC.
You can use a VPN profile from an MDM like Intune to be able to allow the login.
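The answer above hinges on two facts about the device: its join state (Azure AD joined versus hybrid joined) and whether it can currently reach a domain controller. The following PowerShell diagnostic is an added example, not code from the answerer or from Microsoft; it uses only built-in Windows tools (`dsregcmd /status`, `nltest /dsgetdc`, `Test-NetConnection`) and assumes a Windows 10/11 client. The field names it parses (`AzureAdJoined`, `DomainJoined`) are the ones `dsregcmd /status` prints; the ports it probes (Kerberos 88, LDAP 389, SMB 445) are a minimal reachability check for interactive domain logon, not an exhaustive list.

```powershell
# Added diagnostic (not from the original answer): report join state and DC line of sight.
# Assumes Windows 10/11 with dsregcmd.exe, nltest.exe and Test-NetConnection available.

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" pairs; keep only the ones relevant to sign-in paths
    $raw = dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|DomainName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

function Test-DomainControllerLineOfSight {
    param([string]$Domain = $env:USERDNSDOMAIN)

    if (-not $Domain) {
        return [pscustomobject]@{ Domain = $null; DC = $null; DCLocated = $false; Ports = @() }
    }

    # The DC locator failing here is the classic "no line of sight" symptom behind failed on-prem logons
    $nltest = nltest.exe /dsgetdc:$Domain 2>&1
    $dcLine = $nltest | Where-Object { $_ -match '^\s*DC:\s*\\\\\S+' } | Select-Object -First 1
    if (-not $dcLine) {
        return [pscustomobject]@{ Domain = $Domain; DC = $null; DCLocated = $false; Ports = @() }
    }
    $null = $dcLine -match '^\s*DC:\s*\\\\(\S+)'
    $dc = $Matches[1]

    # Kerberos, LDAP and SMB are the minimum a client needs for interactive domain logon
    $ports = foreach ($p in 88, 389, 445) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = [bool]$r.TcpTestSucceeded }
    }
    [pscustomobject]@{ Domain = $Domain; DC = $dc; DCLocated = $true; Ports = $ports }
}

$join = Get-DeviceJoinState
$los  = Test-DomainControllerLineOfSight

if ($join.DomainJoined -eq 'YES' -and $join.AzureAdJoined -eq 'YES') {
    Write-Host "Device is hybrid Azure AD joined (domain: $($join.DomainName))."
    if (-not $los.DCLocated -or ($los.Ports.Open -contains $false)) {
        Write-Warning "No usable line of sight to a domain controller; on-prem (synced) account sign-in will fail until a DC is reachable (e.g. over a device VPN profile)."
        $los.Ports | Format-Table -AutoSize
    } else {
        Write-Host "DC $($los.DC) reachable on Kerberos/LDAP/SMB; on-prem account sign-in should succeed."
    }
} elseif ($join.AzureAdJoined -eq 'YES') {
    Write-Host "Device is Azure AD joined; cloud account sign-in does not depend on a DC."
} else {
    Write-Host "Device is not Azure AD joined. Join state:"
    $join | Format-List
}
```

Run it from an elevated PowerShell prompt on the affected client. A hybrid-joined device that reports `DCLocated = False` while on an external network is exactly the case the answer describes, and a device-tunnel VPN profile (which connects before user logon) is what lets the DC locator succeed at the sign-in screen.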