Client VPN - Best way to authenticate users via AAD or ADDS?
Just prepping a proposal for a client and had a few queries on authenticating users and what best practice is these days. Hoping someone is kind enough to spare a few minutes to help me understand what's out there at the moment. Happy to do the research myself, so even some high-level options would be beneficial, as I'm not sure I know what I don't know, if that makes sense :)
The client has on-premises infrastructure with a full Windows ADDS implementation. They also have an Azure AD tenancy, with users synced using Azure AD Connect.
In the past I'd just create a RADIUS server on-prem and hook the FortiGate into that, but that feels a bit... old-fashioned. Is this still the best-practice way of doing things, or is there an easier way that doesn't require spinning up RADIUS servers?
Ideally we want users to be able to authenticate using their domain account, with the ability to easily restrict access via AD security group. We also want to ensure the VPN is protected by MFA, so we're currently looking at the FortiGate FortiToken solution for this, but it isn't a confirmed route we want to go down.
As an aside, we may also want to restrict access to "trusted devices" only (i.e. domain-joined devices, with the ability to easily remove a device as well). This isn't a confirmed requirement yet, but it would be good to understand how this would work and what options are available on this front too.