How are you guys solving authentication and authorization when customers retire their local AD and go with AzureAD, but keep a local CPPM server/farm?
Legacy authentication (EAP-PEAP) I understand is "dead" when going all cloud, so EAP-TLS I take it is the way to go.
What would we authenticate against then, as in, what would accept or deny the certificate presented (CPPM yes, but the source - just that the certificate is signed by a trusted CA?)?
How about authorization? Device attributes are OK, same with compliance state and device owner for example, via the Intune extension, but what about AAD group membership?
Machine+User authentication is a challenge then as well, as a machine can be used by users who should have different access levels.
Any thoughts, ideas, solutions?