This is a perfect opportunity to work on your Zero Trust initiative. One of the tenets of Zero Trust is micro-segmentation. I know a company who extended their local “safe” network to Azure (all protocols) and when malware hit, it got to the Epicor installation in Azure.
This is why Epicor SaaS will not let you set up a VPN to their service. There is absolutely no technical reason your Epicor installation needs to be on your Active Directory domain either. (“But how do we download the Client, Mark?” The same way that Epicor SaaS does, serve up the folder via https. Epicor uses Microsoft’s content delivery network but you can add the site to your own server.)
Use this opportunity to protect one of the company’s most valuable assets. And like Doug suggests, use Azure AD for authentication. With some upgrades to Azure AD, you can add additional features like conditional access to gain even more control.