Thank you for posting your question in Microsoft Q&A.
As per you question you want to know what are the pre-requisites to login is to Azure AD joined device.
There is no VPN required for you to login to Azure AD joined devices.
If you have internet access to the device you can anytime login to the Azure AD joined device with your credentials from anywhere irrespective of the network which is available.
But there is an option for you to configure few conditions which should be satisfied for successful login to Azure AD joined device.
You can use Azure AD conditional access policies to define some conditions for login security to Azure AD joined devices. You can refer below article for the same,
https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune
Not only above article, there are multiple other options as well that you can configure in conditional access policy and filter the login's.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/
Let me know if you have any further questions on this.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.