Hi @Sebring, thank you for reaching out.
The recommendation is to sync the identities from on-premises AD to Azure AD first. Even for federation between Azure AD and the local AD to work, identities must be synchronized.
For the payroll system, you first need to check which authentication protocols it supports. If it supports modern authentication protocols such as SAML or OAuth/OIDC, it can be federated directly and authenticated with Azure AD. If it supports only legacy authentication protocols such as Kerberos or NTLM, you need to either keep the local AD in place or go with Azure AD Domain Services, which will be charged to your Azure subscription.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
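The checks the answer above describes, as an added example that is not part of the original answer or of any Microsoft tooling: it confirms that Azure AD Connect is actually syncing, that a known on-premises account has arrived in Azure AD as a synced object, and then looks at the Azure AD sign-in log to see which client types the payroll application is using. It assumes the ADSync module (only present on the Azure AD Connect server) and the Microsoft Graph PowerShell SDK; `$SampleUpn`, `$PayrollAppName` and the `$legacyClients` list are placeholders chosen for this example.

```powershell
# Added example (not from the original answer). Run the first section on the
# Azure AD Connect server (ADSync module); the Graph sections run anywhere the
# Microsoft.Graph SDK is installed. Placeholder values: adjust to your tenant.
param(
    [string]$SampleUpn      = 'jdoe@contoso.com',   # placeholder: an on-prem user that should be synced
    [string]$PayrollAppName = 'Payroll Portal'      # placeholder: the app's display name in Azure AD
)

# --- 1. Is Azure AD Connect actually syncing? ---------------------------------
$scheduler = Get-ADSyncScheduler
if (-not $scheduler.SyncCycleEnabled) {
    throw 'The sync scheduler is disabled; identities will not flow to Azure AD until it is re-enabled.'
}
Write-Host "Next scheduled sync cycle (UTC): $($scheduler.NextSyncCycleStartTimeInUTC)"

# Get-ADSyncConnectorRunStatus returns nothing when no run is in progress.
if (Get-ADSyncConnectorRunStatus) {
    Write-Warning 'A sync run is already in progress; not starting another one.'
} else {
    # A delta cycle pushes recent on-prem changes without a full re-import.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Write-Host 'Delta sync cycle requested.'
}

# --- 2. Did a known on-prem account land in Azure AD as a *synced* object? ----
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

$user = Get-MgUser -UserId $SampleUpn -Property UserPrincipalName,
    OnPremisesSyncEnabled, OnPremisesSecurityIdentifier, OnPremisesLastSyncDateTime

if (-not $user.OnPremisesSyncEnabled) {
    # A cloud-only account with the same UPN is a common mistake: federation to the
    # on-prem AD needs the object to carry the on-prem SID (OnPremisesSecurityIdentifier).
    throw "$SampleUpn exists in Azure AD but is cloud-only (OnPremisesSyncEnabled is not set)."
}
Write-Host ("{0} is synced; on-prem SID {1}; last sync {2}" -f
    $user.UserPrincipalName, $user.OnPremisesSecurityIdentifier, $user.OnPremisesLastSyncDateTime)

# --- 3. How does the payroll app authenticate against Azure AD today? ---------
# ClientAppUsed values that the sign-in log reports for legacy (non-modern) clients.
# This list is an assumption for the example; compare against your own log values.
$legacyClients = @('Exchange ActiveSync', 'IMAP', 'POP', 'SMTP', 'Authenticated SMTP', 'Other clients')

$signIns = Get-MgAuditLogSignIn -Filter "appDisplayName eq '$PayrollAppName'" -Top 200

if (-not $signIns) {
    # No sign-ins at all means the app is not talking to Azure AD yet, which is what
    # you would expect from an on-prem app still bound to Kerberos/NTLM against local AD.
    Write-Warning "No Azure AD sign-ins found for '$PayrollAppName'; it is not federated with Azure AD yet."
} else {
    $signIns | Group-Object ClientAppUsed | ForEach-Object {
        $flag = if ($legacyClients -contains $_.Name) { 'LEGACY' } else { 'modern' }
        '{0,-40} {1,5} sign-ins  [{2}]' -f $_.Name, $_.Count, $flag
    }
}
```

If step 3 reports only modern client types (browser, mobile and desktop app sign-ins), the app can be federated directly as the answer says; an empty result or legacy client types is the case where the local AD, or Azure AD Domain Services, still has to be in the picture.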