Microsoft, please take this into account and deliver a working solution, please!
Hi, fellow colleagues.
I have a working solution using AzureAD + AADDS + NPS VM on Azure.
Implement Azure Directory Services, peer VNets between AADDS and the virtual machines, and domain-join a VM to AD.
Install NPS and use a valid public certificate to identify NPS on PEAP.
Build a VPN from Azure VM VNET to on-prem.
Register RADIUS clients, as usual, in NPS and configure policies.
There is no way to use digital certificates for auth, as a local CA cannot be registered in AD as an AD Enterprise CA.
Use LEAP + MSCHAP v2.
I'm authenticating users on wireless, SSH for privileged access and firewall auth.
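The steps above (domain-joined NPS VM, public certificate for PEAP, RADIUS clients for wireless, SSH and firewall) can be checked and scripted from the NPS VM itself. The following PowerShell is an added example and not the poster's own configuration; the client names, addresses and the CSV path are placeholder assumptions, and it uses only the `NPS`, `NetSecurity`, `NetTCPIP` modules and `netsh nps` that ship with the Network Policy Server role.

```powershell
# Added example (not from the original post). Run as administrator on the
# Azure VM that hosts NPS. All names and addresses below are placeholders.
#Requires -RunAsAdministrator
Import-Module NPS

# 1. The NPS VM must be a member of the AAD DS managed domain, otherwise
#    MS-CHAP v2 user lookups against the domain cannot work.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "VM is not domain-joined; run Add-Computer -DomainName <aadds-domain> first."
}
Write-Host "Domain-joined to: $($cs.Domain)"

# 2. PEAP needs a server certificate in the machine store with a private key
#    and the Server Authentication EKU (1.3.6.1.5.5.7.3.1). A public CA cert
#    is fine, which matters here because AAD DS offers no enterprise CA.
#    Warn early if the newest usable one expires within 30 days.
$peapCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $peapCert) {
    throw "No Server Authentication certificate with a private key in LocalMachine\My."
}
if ($peapCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "PEAP certificate $($peapCert.Thumbprint) expires $($peapCert.NotAfter); renew before clients start failing TLS."
}
Write-Host "PEAP server certificate: $($peapCert.Subject) (expires $($peapCert.NotAfter.ToShortDateString()))"

# 3. Register each RADIUS client with its own long, random shared secret.
#    Generated with the CSPRNG rather than a reused or human-chosen value.
function New-SharedSecret {
    param([int]$Length = 40)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Placeholder devices reached over the site-to-site VPN from on-prem.
$clients = @(
    @{ Name = 'wlc-onprem'; Address = '10.10.0.5'  }   # wireless controller (assumed)
    @{ Name = 'ssh-jump';   Address = '10.10.0.20' }   # SSH bastion (assumed)
    @{ Name = 'fw-edge';    Address = '10.10.0.1'  }   # firewall (assumed)
)

$created = foreach ($c in $clients) {
    if (Get-NpsRadiusClient -Name $c.Name -ErrorAction SilentlyContinue) {
        Write-Host "RADIUS client $($c.Name) already registered, skipping."
        continue
    }
    $secret = New-SharedSecret
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret `
        -AuthAttributeRequired $false -NapCompatible $false -VendorName 'RADIUS Standard' | Out-Null
    # Return the secret once so it can be placed in the device and a vault;
    # NPS does not expose it again afterwards.
    [pscustomobject]@{ Name = $c.Name; Address = $c.Address; SharedSecret = $secret }
}
$created | Format-Table -AutoSize

# 4. RADIUS authentication/accounting must be reachable on UDP 1812/1813.
#    This handles the Windows Firewall on the VM; the Azure NSG on the peered
#    VNets and the VPN to on-prem must allow the same ports.
Enable-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue
Get-NetUDPEndpoint -LocalPort 1812, 1813 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort

# 5. NPS has to be registered in the domain to read users' dial-in properties.
& netsh nps show registeredserver
```

After the clients exist, the network policies that select PEAP with MS-CHAP v2 and the PEAP certificate are still set in the NPS console or imported with `Import-NpsConfiguration`; the script above only verifies the prerequisites the post lists and registers the clients with per-device secrets.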