I have an AD Connect running on one of my on-prem VMs. I don't run any cloud or hybrid VMs; my Retool is completely on-prem on VMware. So do you mean expose it out but only allow, for example, Azure domains and IPs to see it and access it to allow for SSO?
I'm also having a problem with workflows connecting and I'm starting to wonder if it's a similar issue? See post here: Help getting workflows running - #3 by rcanpolat
Retool can egress through 443 and 7233, although if it is related I don't think I can get a solid list of DNS names and/or IP addresses of Retool's own AWS Temporal Cloud machines, so I would have to expose it out completely to the web or go on-prem Temporal?