> publish all your internal apps through a load balancer / API gateway with a static IP address, put it behind a VPN and call it a day.

Or just use Cognito. It can wrap up all the ugly Microsoft authentication into its basic OAuth, and API Gateway can use and verify Cognito tokens for you transparently. It's as close to the Zero Trust model in a Small Developer Shop as we could get.