I think the bigger picture here needs to be put into perspective: Microsoft is doing everything that they can do to prevent small business from having any on-site servers or services. This includes breaking most file server functions for Office in favor of OneDrive, etc. Hybrid AD deployments are a disaster for SMB. Why have an AD server on-site that does nothing but remote accounts locally when Intune does as much or more than AD GP when it comes to SMB needs? With COVID and general WFH and BYOD, fewer PCs than ever are physically connected to an AD, and forcing VPN connectivity just for policy and password management updates is kind of insane when Office and everything else Microsoft is now communicating with O365. I find it almost imperative that the LOCAL firewall policy be able to apply rules based on Azure AD membership, be it User-ID or some other SSO method. I can tell you that almost every one of my SMB customers is already, or will be, completely server-less by the end of the year, and all will be Azure AD/Intune managed. There has to be a better way to put 10-50 users into policy-based filtering than hybrid AD or forcing a VPN connection from the same office that the firewall resides in. That is just insane, especially seeing that often another VPN is used by client PCs to connect to various SaaS endpoints or hosted services. This is the new SMB model, and Palo Alto really needs to embrace it quickly.