Thanks for the additional detail. 969097 is difficult from an architecture standpoint. That 578545 issue was a request to evaluate 3rd-party HTML5 clients like Guacamole and Hobsoft, but since Microsoft now have a native HTML webclient, it's probably best to focus on theirs.
After looking at it for a while, it seems like the only L4-ish solution (because of 969097) is to use a data group to hold a list of SNAT selectors and an iRule (or maybe an LTM policy), and probably an extra VIP, which is a way overload of extra configuration.
An L7 solution *that does support SSO* might be to use SAML IdP-chaining with Azure or a local SAML SSO chained from whatever you currently log on with, in the same way that CyberArk (no affiliation) provides a nice configuration guide on here:
https://docs.cyberark.com/identity/latest/en/Content/Applications/certified-apps/RDWeb_SSO.htm
NOTE: I just stumbled on that from a Google search for something like "webclient html5 microsoft saml" and have not tested it at all. They do have an impressive number of nice generic-SAML-ish integration articles!
BIG-IP APM does support these SAML-SSO-intercept and IdP-Chaining use cases that should allow you to both behave as and offer SSO for your users.