Regarding SSSD-side options: maybe we should add a stronger mode for ad_gpo_implicit_deny to "only allow explicitly allowed" users/groups, not only to deny access if there are no applicable GPOs. I think such an option would be a good hardening option, but it would basically ignore all Deny rules on the server (OTOH, if someone wants to allow only whitelisted users/groups they would not use deny rules, so that is actually not a problem). Will you file an RFE, or should I? Feel free to copy-paste this discussion into the ticket.
I've created what I hope counts as an RFE at https://pagure.io/SSSD/sssd/issue/4097, with our conversation included. Thanks!
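For reference, this is the hardening that exists today, as an added sssd.conf example that is not part of the thread above or of the SSSD project's own documentation. It assumes an AD domain named example.com and shows only options that SSSD already ships: ad_gpo_access_control and ad_gpo_implicit_deny. The stricter "only explicitly allowed users/groups" mode discussed above is a proposal (the RFE linked in the reply) and has no configuration option here.

```ini
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com

# Enforce the GPO evaluation result at login instead of only logging it
# (the other values are "disabled" and "permissive").
ad_gpo_access_control = enforcing

# Current hardening: with the default (False), a host to which no GPO
# applies lets every user in. Setting True denies access in that case.
# Note that this still honours the server-side Allow/Deny rules once
# at least one GPO applies; it is not an "allow only whitelisted" mode.
ad_gpo_implicit_deny = True
```

After changing these options, restart sssd and check the access decision for a test account with `sssctl` or by attempting a PAM login, so that an enforcing configuration with implicit deny does not lock out administrators on hosts without an applicable GPO.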