You didn't post your sssd.conf, so I'm going to assume -- are you using id_provider=ad? If yes, then chances are quite high that it's the GPO access control preventing access. You can temporarily work around this by setting the GPO access control to permissive by setting:
ad_gpo_access_control = permissive
in sssd.conf's domain section. You can also add the mdm service to GPO.
But if all the above helps, what would be even better is to file a bug upstream to allow the mdm service by default if it's something Cinnamon or Mint use by default. Or at least make the default list configurable so that the Mint maintainer can add their preferred login manager to the default permitted list.