OK well in a Hybrid world, for example (think smaller not necessarily massive org with money and power) On-Prem servers have to be local machines and not Entra Joined. Any apps (especially legacy) might use UNC paths to shares, for example. Entra Signed in users on Entra Joined Devices cannot auth to those shares, cannot rdp or use other services with their entra credentials. If they use Hello for auth cloud works great, on-prem and legacy do not work at all. Sure there is Hello for Business, but that is a lot of overhead to set up and manage correctly especially for SMBs or orgs with just a few critical legacy systems. Some legacy stuff, might indeed be critical and only used by 1 dept or a few people, but not "big enough" or worth the cost of moving it to the cloud or retooling it even, but it IS important still. Those legacy systems like that hamper the ability to go cloud only. Windows Server Azure Edition works great and users can login with credentials from entra, audit logs match, great for compliance, yet this does not extend down to hybrid, complicating compliance as well. So, since those systems are in use (maybe dev, maybe qa, maybe internal use, etc) they have to be individually managed, their LAPS controlled differently, their Malware/endpoint protection managed separately, apps installed/updated also, managed separately. see what I mean? I tried to explain it in a way that would make sense, I hope it does.