We currently use Cloudpath to configure client EAP-TLS either using the local CloudPath CA or by requesting a cert from a local university PKI. Is there an appropriate "Shim" to allow CloudPath to pull a certificate from a Microsoft Azure environment?
I'll admit we haven't tried this, but I don't know why it wouldn't work straight away using the Microsoft CA template (Integration Module/IIS) that is currently used to talk to AD Certificate Services (Microsoft CA), assuming it's just an Azure-deployed 2016 Server VM. Not really different from what you're doing now, except the geography of the CA. You could always try using "Use custom external certificate authority" template option also..