I think the bigger picture here needs to be put into perspective:
I find it almost imperative that the LOCAL firewall policy be able apply rules based on AzureAd membership - be it User-ID or some other SSO method. I can tell you that almost every one of my SMB customers is already, or will be completely server-less by the end of the year and all will be AzureAD/Intune managed.
There has to be a better way to put 10-50 users into policy based filtering than hydribd-AD or forcing a VPN connection from the same office that the firewall resides in. That is just insane, especially seeing that often, another VPN is used by client PCs to connect to various SaaS endpoints or hosted services.
This is the new SMB model and Palo Alto really needs to embrace it quickly.