As phoneboy said, you will need to set up SAML authentication against the Azure IdP to be able to do something there.
check out those videos - that helped me a lot in configuring something like that:
Basically, your client check is then done by Azure within a conditional access ruleset. The gateway only receives an "OK" or "not OK" including some attributes (e.g. group memberships; maybe machine attributes are possible too).
So there is nothing like an on-prem AD on your site where machine accounts are replicated to, so one could then go via an LDAP account unit...?