TheaterFire

Remote Endpoints: AD or no?

Posted by backcountry_bytes@reddit | sysadmin | 7 comments

Just wondering what the consensus is on connecting work from home endpoints to Active Directory.


7 Comments

richhickson@reddit

JumpCloud?

Assisted_Win@reddit

Couple of schools of thought, don't love or hate most of them enough to try to sell just one of them.

1) Domainless with MDM or something like NoMAD
- You get the equivalent of group policy settings without GPO wonkiness and 90's era tools
- You get local accounts with passwords synced to an AD or Azure tenant
- Modern Windows devices want to sign into O365/Azure for everything anyway
- May make life easier for zero trust
- BUT you probably need a VPN anyway

2) Azure + local AD + VPN
- Secure access to existing on-premise services, including handy things like the office printer.
- Potentially less jarring user experience transitions when moving in and out of the office
- Watch your routing and DNS configs, and be aware of the impact that tunneling traffic will have and balance the tradeoffs of what to tunnel. It's harder than it looks at first glance.

3) The old school - All AD all of the time
- Remote in to a VM or terminal server onsite. Users' home machines or work laptops via RDP client or Citrix
- You really still need a VPN or additional protection on those remote RDP connections.
- Work laptops will stop allowing logins to a domain account if they don't check in on the local network long enough.
- Roaming profiles are the devil and will betray you.
- Mandatory remote can happen without much warning and last a long time.

In any case consider an overlay network like Cloudflare VPN, which can simplify linking all those networks; it also simplifies IPv6 and office-side network link failovers, linking office networks, and a ton of other handy stuff you will have to pay for.
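The "watch your routing and DNS, and decide what to tunnel" point in the comment above is usually settled on Windows with a split-tunnel VPN profile. The script below is an added example, not code from the thread or from any commenter: it builds a client-side Always On VPN style connection with PowerShell's built-in VpnClient cmdlets, sends only the corporate prefixes and the corporate DNS suffix through the tunnel, and then prints what actually tunnels so the result can be checked. The server name, DNS suffix, DNS server address and prefixes are placeholders.

```powershell
# Added example (not from the thread): split-tunnel VPN client profile that
# routes only corporate prefixes and corporate DNS through the tunnel.
# vpn.example.com, corp.example.com, 10.0.0.10 and the prefixes below are
# placeholders; substitute your own values.
$ConnName   = 'Corp AOVPN'
$VpnServer  = 'vpn.example.com'                  # placeholder VPN gateway
$CorpSuffix = 'corp.example.com'                 # placeholder internal DNS suffix
$CorpDns    = '10.0.0.10'                        # placeholder internal DNS server
$CorpNets   = @('10.0.0.0/8', '172.16.0.0/12')   # placeholder internal ranges

# IKEv2 with machine-certificate authentication, so no user password is
# prompted for or sent. -SplitTunneling keeps the default route on the local
# (home) network; only the prefixes added below traverse the VPN, which is
# the trade-off the comment above is talking about.
Add-VpnConnection -Name $ConnName -ServerAddress $VpnServer `
    -TunnelType IKEv2 -AuthenticationMethod MachineCertificate `
    -SplitTunneling -DnsSuffix $CorpSuffix -Force

# Route only the internal prefixes over the tunnel.
foreach ($prefix in $CorpNets) {
    Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $prefix
}

# Name Resolution Policy Table entry: names under the corporate suffix are
# resolved by the internal DNS server over the VPN; everything else keeps
# using the home network's resolver, so internal hostnames are never leaked
# to the ISP resolver and public lookups never hairpin through the office.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnName `
    -DnsSuffix $CorpSuffix -DnsIPAddress $CorpDns -Force

# Verify the result: SplitTunneling should be True and the route list should
# contain exactly the prefixes in $CorpNets, nothing more.
Get-VpnConnection -Name $ConnName |
    Select-Object Name, TunnelType, SplitTunneling, DnsSuffix
Get-VpnConnectionRoute -ConnectionName $ConnName |
    Select-Object DestinationPrefix
```

The verification step at the end is the part worth keeping in a build checklist: a profile that was meant to be split-tunnel but came out full-tunnel (or the reverse) is exactly the "harder than it looks" failure the comment describes, and `Get-VpnConnection` plus `Get-VpnConnectionRoute` show the real state rather than the intended one.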

enmtx@reddit

Azure Active Directory - you need some type of management.

Cooleb09@reddit

AADJ or HAADj with AOVPN are the go to options.

pacmanlives@reddit

Never worked at a place that did not have AD joined laptops. I connect about once a week to the VPN to check in

Accomplished_Fly729@reddit

AAD

slugshead@reddit

Sure, why not, just make sure you've got something like DirectAccess or Always On VPN in place to make it seamless.