Your company operates a hybrid cloud infrastructure composed of an on-premises Active Directory Domain Services (AD DS) forest, a Microsoft 365 subscription, and an Azure subscription. Within the company's on-premises network, there are internal web applications that utilize Kerberos authentication and are currently accessible only from within the network. You also have remote users using personal devices running Windows 11. You need to propose a solution that will enable these remote users to access the internal web apps while meeting the following criteria:

1. Prevent the remote users from accessing any other resources on the network.
2. Support Azure Active Directory (Azure AD) Conditional Access.
3. Simplify the end-user experience.

What solution should you recommend?