Event details
Hello, thanks for this and answering our questions!
I’m the primary Intune administrator for a healthcare non‑profit operating on a GCC tenant. We are currently transitioning our devices from AD/Entra hybrid‑joined to Entra‑joined. We are a remote‑first organization with very few users working onsite.
Today, our prior hybrid‑joined devices (connected to a domain through VPN) authenticate using RSA, and our more recent Entra‑joined devices use the Windows Hello for Business passwordless experience with Intune, as we work toward adopting the Cloud Kerberos Trust model.
Our challenge is administrative access and account management during this transition. Specifically:
• We still need to manage hybrid‑joined accounts via AD DS.
• We need to audit administrative escalations on devices, typically for single installations of software vs. full-blown Intune deployment or running Command Prompt/PowerShell as admin.
Because the Windows Hello for Business passwordless experience is enabled on our Entra‑joined devices, our IT users cannot sign in with a domain admin account to administer anything. As an example, this prevents us from running, say, Active Directory Users & Computers with elevated privileges, as AD DS can't be used without logging in with an account that has domain admin rights, which seems to make AD DS administration from Entra‑joined devices impossible at this time.
Is there a supported way to enable these administrative tools locally, or to use administrator credentials other than just the local admin, while still using Windows Hello for Business passwordless authentication? At the moment, our workaround for AD DS is to log into an on‑premises VM for AD DS management, and we've just been using the local admin password for standard escalations, which is not ideal.
Thank you for the guidance!
TLyon-TMF The RSAT tools should work on Entra-joined devices as long as your user account exists in AD DS. It's the user identity that would determine if the tool can run and be logged into, not the device identity. And you can use Intune's Local Users and Groups policy to manage group membership in the local Admin group on the Intune-managed devices.
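The two points in the answer above (RSAT working on the strength of the user identity rather than the device join state, and Intune's Local Users and Groups policy for the local Administrators group) as an added PowerShell example. This is not code from the thread or from Microsoft; the domain `corp.example`, the DC `dc01.corp.example`, the account `CORP\admin.joe` and the Entra group object ID are placeholders. Part 1 assumes the Entra‑joined device can reach a domain controller (for example over the VPN) and resolve its name; whether the console password prompt that `runas` uses is affected by the passwordless experience policy is not established by the thread, so treat it as the answer's suggestion rather than a tested result. Part 2 runs anywhere and only builds the policy payload.

```powershell
# Added example, not from the original thread. All names below are assumptions.

# --- Part 1: use RSAT from an Entra-joined device with a domain admin identity.
# The device is not domain-joined, so the admin account is used for network
# authentication only (runas /netonly); the interactive session stays the
# Entra user's. Requires a route to a DC (e.g. over VPN) and working DNS.

function Start-AducAsDomainAdmin {
    param(
        [Parameter(Mandatory)] [string] $DomainUser   # e.g. 'CORP\admin.joe' (assumption)
    )
    # runas prompts for the password on the console. Because the device has no
    # default domain, use "Change Domain..." inside dsa.msc to point it at the
    # AD DS domain (assumed here to be corp.example).
    & runas.exe /netonly /user:$DomainUser "mmc.exe dsa.msc"
}

function Get-AdUserWithExplicitCredential {
    param(
        [Parameter(Mandatory)] [string]       $Identity,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Server = 'dc01.corp.example'            # assumption
    )
    # With the RSAT ActiveDirectory module, name the DC explicitly and pass the
    # admin credential; the caller identity, not the device, decides if this works.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADUser -Identity $Identity -Server $Server -Credential $Credential -Properties memberOf
}

# --- Part 2: Intune Local Users and Groups policy payload.
# The LocalUsersAndGroups CSP references Entra users/groups by SID. A SID for an
# Entra object is derived from its object ID (GUID): S-1-12-1-<four uint32 values>.

function Convert-EntraObjectIdToSid {
    param([Parameter(Mandatory)] [string] $ObjectId)
    $bytes = [guid]::Parse($ObjectId).ToByteArray()     # 16 bytes, .NET GUID byte order
    $parts = New-Object 'uint32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $parts, 0, 16)       # reinterpret as 4 little-endian uint32
    return 'S-1-12-1-' + ($parts -join '-')
}

function New-LocalAdminGroupPolicyXml {
    param(
        [Parameter(Mandatory)] [string[]] $MemberSids,
        [ValidateSet('U', 'R')] [string] $Action = 'U'  # U = update (add/remove), R = replace
    )
    $adds = ($MemberSids | ForEach-Object { "    <add member=""$_""/>" }) -join "`n"
    @"
<GroupConfiguration>
  <accessgroup desc="Administrators">
    <group action="$Action" />
$adds
  </accessgroup>
</GroupConfiguration>
"@
}

# Constructed object ID for a hypothetical "IT-LocalAdmins" Entra security group.
$itAdminsSid = Convert-EntraObjectIdToSid -ObjectId '6a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d'
New-LocalAdminGroupPolicyXml -MemberSids $itAdminsSid

# Deploy the XML as the String value of the custom OMA-URI
# ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
# (or configure the same membership through the Account protection policy type).
```

Keeping the action at `U` (update) adds the group without removing members Intune does not know about; `R` (replace) makes the listed SIDs the entire group, which is stricter but will strip any locally added accounts on the next policy sync.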
- TLyon-TMF, Mar 19, 2026, Copper Contributor
Hi Joe,
I'm not sure if I understand you fully, or maybe I miscommunicated something, but if I am, that's actually the core issue. The way we are set up is that we run user accounts and then escalate to administrative accounts, say for domain admin privileges. A good example would be being logged in as "Joe" as the user account and using "Admin.Joe" as the domain admin account to access AD DS. The Windows Hello for Business passwordless experience limits us to just the local admin account for escalations.