Azure AD Conditional Access - Require Domain Joined Device

Richard,

Firstly Azure AD is not the same as your on-premise AD. Microsoft offers Azure AD Domain Services to manage Azure AD and allows you to be able to join Azure VMs to Azure AD. Please note it does not allow you to join your on-premise servers and devices to join Azure AD. You may want to watch my you tube video for better understanding at,

https://www.youtube.com/watch?v=jpT1MxEkEzI

Secondly you may join your Windows 10 Devices to Azure AD. You can accomplish it to your already domain joined devices. Therefore your devices can be joined to both Azure AD as well as on-premise AD. If you are using ADFS, it needs a Power Shell command to make necessary changes to your on-premise AD Schema.

As Azure AD is not replacing on-premise AD at least for now, you may want to keep your on-prem AD and but take advantages of Azure AD.

If you decide to go this route, then your questions around users' profile and administrators membership are no more a question?