Configuring APM Access Policy with both SAML and AD authentication for different user groups

Think of an access policy like flowchart. Think about how your user's login proceeds through your existing access policy configuration, and think of the user experience that produces. You can add any kind of item basically anywhere in the flow to change the login user experience any way you want. So think less in terms of what configuration you need, and think more about what workflow you want to create for your users.

When you think about it in this way, how do you want your users to interact with the service you're making with APM? How should they choose between the existing AAD/Azure SAML auth (where APM is an SP, I suppose) and the (local AD?) AD configuration you want to add.