By Laura Arrizza – Program Manager II | Microsoft Endpoint Manager – Intune
We are pleased to announce a new experience to configure local user group membership settings for Windows devices. Th...
I have an issue with an Azure user being added to the local Administrators group, but it does not get local admin rights. The account I'm trying to add is not synced from AD; however, we are in a hybrid environment. I'm adding it by selecting it from the list of users in the Account protection configuration settings - Local Users and groups.
The targeted computer is Azure joined only and managed via Intune.
The account seems to be added to the Administrators group, but only as domain\username (SID), which is strange since it's not associated with any local domain:
Yellow: one of our local domains; Green: the rest of the SID; Red: the local administrator account synced from AD and deployed by the same policy (which works correctly); Black: Azure roles.
Is there something I'm missing? I'd like to deploy this to a large number of computers, which won't be able to elevate using the domain\username form.
Thanks
PS. I tried to add the Azure AD Joined Device Local Administrator role to this user, but it still does not get local admin rights.
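To separate "the SID is listed in the local group" from "the user's logon token actually carries Administrators", the following diagnostic can be run on an affected device. It is an added example, not code from the post above or from Microsoft's article; the function names are my own, and the SID-range classification assumes the standard prefixes (S-1-12-1 for Azure AD principals, S-1-5-21 for AD domain and local SAM accounts).

```powershell
# Added diagnostic (hypothetical helper names, not from the original post).
# Part 1: what the local Administrators group stores, with the authority each SID belongs to.
function Get-AdminMembersWithSource {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $sid = $_.SID.Value
        # Assumed standard SID prefixes: Azure AD (Entra ID) principals use S-1-12-1-...,
        # on-premises AD domain accounts and local SAM accounts use S-1-5-21-...
        $authority = switch -Regex ($sid) {
            '^S-1-12-1-' { 'Azure AD' }
            '^S-1-5-21-' { 'AD domain or local SAM' }
            default      { 'well-known / other' }
        }
        [pscustomobject]@{
            Name            = $_.Name             # e.g. AzureAD\user@contoso.com or DOMAIN\user
            SID             = $sid
            SidAuthority    = $authority
            PrincipalSource = $_.PrincipalSource  # what Windows resolved: Local, ActiveDirectory, AzureAD, MicrosoftAccount
        }
    }
}

# Part 2: whether the logon token of the current user contains Administrators (S-1-5-32-544).
# Run this in a session of the Azure AD user who "does not get admin rights".
function Test-TokenHasAdministrators {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object SID -eq 'S-1-5-32-544'
    if (-not $admins) {
        # The group lists a SID, but it is not the SID this user logs on with.
        'NOT a member according to the token: the stored SID does not match this user'
    } elseif ($admins.Attributes -match 'deny only') {
        # UAC-filtered token: membership is recognised, elevation should work.
        'Member, running with a filtered (UAC) token'
    } else {
        'Member with a full administrative token'
    }
}

Get-AdminMembersWithSource | Format-Table -AutoSize
Test-TokenHasAdministrators
```

A member whose SidAuthority and PrincipalSource disagree, or whose Name is an unresolved SID, is the entry to compare against the token result. If Get-LocalGroupMember fails with "Failed to compare two elements in the array", a member SID could not be resolved at all; `net localgroup Administrators` still lists the raw entries.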