Entra ID only accounts with Entra Domain Services, and RDS - what CAL?

I need a Server 2022 computer set up with RDS - a small system, can do all on one computer methinks.  There is no Active Directory, only Entra ID (Azure AD).  I deployed the Enterprise sku of Entra Domain Services and have a Windows 2022 server joined to AADDS.Contoso.com.  (assume contoso is our domain).


Details suggest from https://www.beckmann.ch/blog/2024/02/01/azure-virtual-desktop-windows-server-2022-and-microsoft-entr... that RDS user CAL not supported by RDS due to no two way trust.  But, this page https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-deskt... says the web client needs user cal only


Are there any good write-ups on RDS with an Entra ID env? Do I instead need to create a vpn with access to the server?


