I am trying to come up with a solution too. I will tell you this thought. Our prior tech had set up Jamf with Google Authentication and SMTP to import users into Jamf. It was constrained. Since then, I have set up Managed Apple ID between Azure and ASM. It has opened up many features, and assigning apps to a User versus a Device was much smoother.
My problem is that from ASM to Jamf, the Azure Authentication seems to be limited. It assumes all users are Staff, and I haven't found a solution. It cannot use locally stored credentials. This restricts reporting and filtering to automate these processes as much as possible, and especially sparing the end user from having to log in to the device and each piece of software.
The scenario I am attempting next:
Managed Apple ID will stay. But only between Azure to ASM. Users and information in ASM are solid currently. Students, Instructors, and Staff are syncing with their correct role, grade, ID number, homeroom teacher, and school.
Next, I am attempting LDAP Authentication via Microsoft AD (on-prem) and LDAP Synchronization. Hopefully, this will allow SSO (locally stored credentials), Groups, etc.
I am depending on the Match settings (found under Organization > Settings > Sync Settings [ASM subsection] > Match settings) to "Try to match user in Jamf School by..." with email to Managed Apple ID, Username, and Full name all selected.
Hopefully, someone else will find your post and give us additional advice.