Over the last few years I have worked with Microsoft Intune and Azure AD, and I keep getting the same request: "We can do this on-premises, why doesn't it work in the cloud?" Most of the time it is just a mindset change once you understand how cloud-native solutions work. One issue that has come up over and over again is managing local administrator accounts on workstations that are Azure AD joined only. On-premises we would use LAPS to rotate and control the built-in administrator password, but LAPS relies on the device being domain joined: it is deployed through Group Policy and stores the password in the computer's Active Directory object. Azure AD joined devices have neither an on-premises domain nor Group Policy, so that approach does not carry over, and a different solution is needed.