Apologies if this is already documented/answered anywhere - I haven't been able to find anything so far...
I'm currently deploying Azure AD DS for a new organisation. There is no existing on-prem infrastructure, and the aim is to avoid the need to deploy an on-prem server.
The organisation will use an Azure AD tenant as the identity provider used to sign on to M365 and some organisation apps, and I'd like them to sign on to their devices using the same set of credentials (and enable SSO).
On site, all devices are organisation managed and networked, so it makes sense to use the Azure S2S VPN to connect from the router on site to the Azure network to enable sign-on to the managed domain from Azure AD DS.
As far as I can tell from documentation and examples, all devices attached to the corporate network will be connected to the Azure VPN, and hence receive an IP address from the pool assigned on Azure. However, I don't want this to be the case for all devices. For instance, things like VoIP phones don't need access to the Azure network.
How can I configure this? Essentially the router (on-prem) needs to use 2 subnets/VLANs to assign IP addresses - one to the VTI to Azure, and the other to just have a regular "local-only" IP address.
The router in question is a Ubiquiti EdgeRouter 12 - I'm happy to redirect this question towards the Ubiquiti community, however thought it was worth asking here in case anyone has deployed a similar configuration.
Thanks in advance,
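As an added illustration of the split described in the question (not part of the original post, and not a tested EdgeRouter configuration), the following EdgeOS-style fragment assumes a route-based S2S VPN terminating on `vti0`, a corporate VLAN (`vif 10`, `192.168.10.0/24`) that is allowed to reach the Azure address space (`10.0.0.0/16`), and a VoIP VLAN (`vif 20`, `192.168.20.0/24`) that is kept local-only; interface names and prefixes are placeholders:

```text
# Two VLANs on the LAN port: corporate (domain-joined devices) and VoIP (local-only)
set interfaces ethernet eth1 vif 10 description "Corporate - routed to Azure"
set interfaces ethernet eth1 vif 10 address 192.168.10.1/24
set interfaces ethernet eth1 vif 20 description "VoIP - local only"
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24

# Route-based tunnel interface to Azure; only the Azure prefix is sent down the VTI
set interfaces vti vti0 description "Azure S2S"
set protocols static interface-route 10.0.0.0/16 next-hop-interface vti0

# Firewall policy applied inbound on the VoIP VLAN: drop anything destined for Azure,
# so the VoIP subnet is enforced as local-only regardless of the routing table
set firewall name VOIP_IN default-action accept
set firewall name VOIP_IN description "Block VoIP VLAN from Azure address space"
set firewall name VOIP_IN rule 10 action drop
set firewall name VOIP_IN rule 10 destination address 10.0.0.0/16
set firewall name VOIP_IN rule 10 log enable
set interfaces ethernet eth1 vif 20 firewall in name VOIP_IN
```

The complementary check on the Azure side is that the Local Network Gateway address space lists only the corporate VLAN prefix (192.168.10.0/24 in this example), so Azure never installs a return route to the VoIP subnet even if the on-prem firewall rule is later removed.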