SSO failing with Azure Entra

I think that should be a valid option. But yes, in this case you'll definitely need to allow some sort of public internet access for SSO to work, as Azure will need to send the ID information to Retool in the redirect, which by definition is going to need to come through the network.

As far as the Workflows question goes, Joe will be a bigger help there than I will be. But I will say that "Retool-managed Temporal" does mean a cloud-hosted Temporal deploy, which will once again require public internet access. If you want this to be fully on-prem with no public IP at all, then you'll want to also deploy your own Temporal cluster. That's not something I personally have experience with, so I can't really help much, but hopefully that's clarifying.
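To make the SSO point concrete, here is an added example (not code from this thread, from Retool or from Microsoft) that models the OIDC authorization-code round trip the reply describes and derives which hosts each party has to reach. The tenant ID, client ID, callback path and discovery document are constructed placeholders; the endpoint shapes follow the Entra ID v2.0 discovery document.

```python
"""Added example: which parts of an Entra ID (OIDC) login must cross the network.

Not from the original thread. Tenant, client and callback values are constructed.
"""
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders, not real tenant or application identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://retool.example.internal/oauth/oidc/callback"  # hypothetical callback

# Constructed discovery document using the field names Entra ID publishes at
# https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
DISCOVERY_DOC = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
})


def egress_requirements(discovery_json: str) -> dict:
    """Split the flow's endpoints by who must reach them.

    The user's browser follows the redirect to authorization_endpoint. The
    self-hosted application server must itself make outbound HTTPS calls to
    token_endpoint (to exchange the code) and jwks_uri (to verify the ID token
    signature). Those server-side calls are what a deployment with no public
    internet access cannot complete, which is the reply's point.
    """
    doc = json.loads(discovery_json)
    browser = {urlparse(doc["authorization_endpoint"]).hostname}
    server = {urlparse(doc["token_endpoint"]).hostname, urlparse(doc["jwks_uri"]).hostname}
    return {"browser_must_reach": sorted(browser), "server_must_reach": sorted(server)}


def build_authorize_url(state: str, nonce: str) -> str:
    """Authorization request the browser is sent to (authorization-code flow)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,   # bound to the user's session; checked on the way back
        "nonce": nonce,   # echoed in the ID token; checked after the token exchange
    }
    return f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Parse the redirect that lands on the application's callback URL.

    Rejects callbacks that arrive anywhere other than the registered redirect_uri,
    error responses from the identity provider, and state mismatches (a stale or
    forged callback). Returns the authorization code to be exchanged server-side.
    """
    parsed = urlparse(callback_url)
    if (parsed.scheme, parsed.netloc, parsed.path) != tuple(urlparse(REDIRECT_URI)[:3]):
        raise ValueError("callback did not arrive at the registered redirect_uri")
    q = parse_qs(parsed.query)
    if "error" in q:
        raise ValueError(f"identity provider returned error: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return {"code": q["code"][0], "state": q["state"][0]}


if __name__ == "__main__":
    print(egress_requirements(DISCOVERY_DOC))
    print(build_authorize_url("constructed-state", "constructed-nonce"))
    print(parse_callback(REDIRECT_URI + "?code=CONSTRUCTED&state=constructed-state",
                         "constructed-state"))
```

The practical takeaway for an on-prem deployment is the `server_must_reach` set: even when the browser can reach Entra ID, the application host still needs outbound HTTPS to the token and JWKS endpoints (or a proxy that forwards to them), so that is the minimum egress to allow rather than opening general internet access.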