We have an on-premises AD with a local PKI that we mostly use for user and device certificate-based authentication for various things such as Wi-Fi, VPN and to create SSL certificates for some intranet websites.
If we completely move to Azure AD (not hybrid AD), I don't understand how we would generate computer and user authentication certificates. I suppose we could purchase web server certificates from a public CA for the intranet, but web server certificates are a tiny percentage of the total certificates our PKI produces.
What solution is available other than keeping a hybrid AD instead of full native AAD?