Forum Discussion
Secure Environment (PAW) for IaC Coders or Azure Management with minimum compromise on security
Hi All,
I followed the guidelines from Microsoft on how to create a PAW with Intune for extremely exposed accounts, e.g., those working on Tier 0 etc. Talking hybrid now. The issues we currently see are in the following areas:
The PAW itself is very locked down, using the privilege scripts and profiles for Intune provided by Microsoft on GitHub (2020), which is by design. No admin rights means that even if you deploy, e.g., VS Code via Intune as a system installer (I could not deploy the user installer successfully via Company Portal), no one using it can actually run program updates etc. Installing add-ins, e.g., Bicep, will also be an issue. The same goes for PowerShell if you need to install additional modules. In addition, AppLocker and Controlled Folder Access make it near impossible to use PowerShell efficiently.
Now my questions:
1. What is a good option for admins that need to manage systems and services with PowerShell and IaC? Do we need to deploy Enterprise or Specialized hardening and forget about delivering them physical PAWs hardened like MS does? Is LAPS an option to overcome the no-admin gap for the issues mentioned above? Would you suggest using the locked-down PAW only as a jump host and not working on it at all? If so, how can you secure the jump server as much as possible to keep the end-to-end security high for T0? I think if somebody can change and update code for a whole landing zone in Azure, this should be categorized as T0, don't you think?
I reviewed a lot of community projects and MVP blogs, but I feel the topics above lack a bit of explanation. It would be great if somebody could give me some ideas about how to do this for the necessary admin profiles, to have some form of productivity experience while keeping the highest security baseline possible.
BR Ueli