I had our VMware vSphere dev environment connected to AzureAD SSO using OpenID Connect. It was working perfectly; I can see in the header it's getting VSPHERE-USERNAME populated with the samaccountname value. VMware is configured with LDAPS to our domain, and the roles are populated with AD groups. ADConnect is pushing the same data from on-prem into AzureAD, so I'm scratching my head a bit as to why this has stopped working.
I'm loath to deploy ADFS for this, as MS is at the very least de-emphasizing ADFS if not deprecating it outright, and pushing customers to PTH or PTA and using Azure Federation instead. I would rather use our Azure App Proxy with IWA/Kerberos Constrained Delegation before I do ADFS.