Passwords expire, VPN users can't connect, owner is furious

30-day expiration date? wtf

Enable VPN SSO and enable MFA on M365 and disable password expiration. It isn’t best practice anymore.

Definitely change the password policy, but also set up self-service password reset so people can reset their password in 365 and have it sync back to AD…

NIST guidance is to not expire passwords anymore. Make them longer & complex. Only change them if they’re compromised. Every 30 days is excessive.

Replace the WatchGuard with something that natively supports SAML, and link everything to Azure and the MFA there.

Turn off password reset requirements or make it 180 days.

Set up SSPR so users can change passwords from the portal.

Moving servers to the cloud is rarely the option unless you’re redesigning how they work completely.

Microsoft Authenticator Passwordless, conditional access enforcing that via authentication strength, reset all passwords to something super complex and set to never expire. Also you can use multiple avenues to auto-rotate passwords on a schedule if you want to be extra secure about it.

EDIT: conditional access requires Entra P1 or P2 licensing…don’t quote me on which one bc Microsoft tends to change their shit up. Point is, not all tenants are automatically able to configure CA to enforce it. But you can at least require users to use MFA…IF you stay on top of it 🙂

Pretty much everyone and their mother, including Microsoft themselves, recommends disabling password expiry. All it leads to is weak, predictable passwords. Also, if you have on-prem AD syncing, then you sure as hell better have Business Premium licensing with password writeback.

Password writeback + Self Service Password Reset + Disable password expiry should be a baseline for any hybrid joined domain.

Enable SSPR, ideally turn off password expiry. If you cannot turn off password expiry, use something like ManageEngine ADSelfService (believe there is a free option) to email users before their password expires.

Why even expire the password after 30 days?
At least do it yearly and set better conditions for minimum password strength.

On-premises password writeback with self-service password reset - Microsoft Entra ID | Microsoft Learn

Teach users how to reset their own password and force some kind of MFA with conditional access policies.

Very easy solution, all you have to do is go into GPO policy on the AD server and turn off the password expiration, and then enroll all of the users into MFA for M365. They can use their phones or the Microsoft Authenticator app to log in and can do whatever they want with their password.

Set your VPN client to start and connect before logon, then you will have connectivity to AD at the time of logon and the credential can be forced to be changed. We do this with our SASE solution. We also use Secret Double Octopus for Passwordless MFA which handles the credential rotation automatically.

You are probably using SSLVPN with LDAP authentication, right?

You could look into setting up, I think it is IKE VPN. Costs a license, but creates a certificate based VPN of sorts and avoids LDAP authentication. Always on.

You could always create and maintain a VPN users list in the Watchguard “firebox user database” and make users log into the VPN with that. Not what I would call a good solution, but it is A solution.

Set up Self Service Password Reset in Office 365. Users can unlock their own accounts.

Set up a group policy to remind users 14 days prior to a password change date. No one to blame but themselves if they fail. Assuming you actually need a 30 day change window, which is rather extreme. We have had success with this approach, but have much longer change windows and passwords.
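The two admin tasks that keep coming up in this thread, checking (and changing) the domain's maximum password age and warning users before their password expires, can both be scripted against on-prem AD. The following PowerShell is an added example and not from any poster or product in the thread; it assumes the ActiveDirectory RSAT module is installed and that an SMTP relay is reachable, with the relay host, sender address and warning window below being placeholders you would replace.

```powershell
# Added example (not from the thread): audit the domain password policy and
# warn users whose passwords expire within $WarnDays.
# Assumes the ActiveDirectory module and an SMTP relay; values below are placeholders.
Import-Module ActiveDirectory

$WarnDays = 14                              # reminder window (the "14 days" suggested above)
$SmtpHost = 'smtp.example.internal'         # placeholder relay
$From     = 'helpdesk@example.internal'     # placeholder sender

# 1. Report the current domain-wide maximum password age (the "30 days" from the OP).
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain max password age: $($policy.MaxPasswordAge.Days) days"

# To lengthen it (e.g. to 365 days) uncomment the next line; this edits the
# Default Domain Policy, so do it deliberately and after agreeing the new value:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName -MaxPasswordAge '365.00:00:00'

# 2. Enabled users whose passwords are subject to expiry, with the computed expiry date.
#    msDS-UserPasswordExpiryTimeComputed is a FILETIME; it is 0 when the user must
#    change their password at next logon and Int64.MaxValue when it never expires.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
            -Properties 'msDS-UserPasswordExpiryTimeComputed', mail

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [int][Math]::Ceiling(($expires - (Get-Date)).TotalDays)
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Mail           = $u.mail
        Expires        = $expires
        DaysLeft       = $daysLeft
    }
}

# 3. Email everyone inside the window (DaysLeft <= 0 means already expired).
foreach ($r in ($report | Where-Object { $_.DaysLeft -le $WarnDays })) {
    if (-not $r.Mail) { Write-Warning "$($r.SamAccountName) has no mail attribute"; continue }
    $body = @"
Your domain password expires on $($r.Expires.ToString('yyyy-MM-dd')) ($($r.DaysLeft) day(s) left).
Change it while connected to the office network or VPN, or use the self-service
password reset portal, so you are not locked out of the VPN.
"@
    Send-MailMessage -SmtpServer $SmtpHost -From $From -To $r.Mail `
        -Subject 'Password expiry reminder' -Body $body
}

# Console summary, soonest expiry first.
$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it from a scheduled task on a domain member with a service account that has read rights on user objects; only the commented `Set-ADDefaultDomainPasswordPolicy` line writes to the domain, everything else is read-only apart from sending mail. Accounts with `PasswordNeverExpires` set are excluded on purpose, so check those separately if any of them are VPN users.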

You could look into some sort of SASE solution or maybe Conditional Access to grant users network connection. Ditch the VPN altogether.

Forcing complex and frequent password changes is not really a best practice anymore. It generally teaches bad habits and results in weaker passwords. If you can avoid it, do so.

Good luck.

MFA. 12 month expiry. And Azure AD SSPR.