Federate with on-premises identities
We are working on a strategy to move from on-premises AD RMS to Azure IP; however, we have encountered a blocker in our migration strategy: Azure IP cannot authenticate a user not located in an Azure AD tenant. In this scenario, we have implemented AD RMS in a resource forest and account forest scenario. The resource forest contains AD RMS, the protected content, AD FS, and contact objects for the users in the account forest. The account forest contains the user objects and uses Ping to federate with the resource forest. These user accounts can use any email address suffix to register for an ID. They are hosted in the account forest AD, but could map to an email address @gmail or @contoso, etc. What we are proposing is that the resource forest utilize Azure IP to protect content for the users in the account forest. However, we cannot authenticate these users. We have, internally, evaluated/tested the following different strategies without success:
- Federating the Azure AD tenant with an on-premises AD partner (preferred). This is not currently supported.
- Synchronizing contact objects from the resource forest to Azure AD (or creating net new contact objects in AAD). The result is that Azure IP cannot use a contact object to authenticate the user.
- Creating new Guest User accounts in the resource AAD tenant. The result is that Azure IP cannot use a guest user to authenticate the user.
- Using social identities with Azure IP. Azure IP does not currently support social identities. This is also the reason we cannot synchronize user accounts from the account forest to a corresponding account tenant.
