From looking at your post, I would set up an Intune environment with the settings and policies you want for your Windows 10 devices. Set up conditional access so that if a machine does not meet your requirements it cannot access your resources. Once that is set up, get a new build machine, i.e. off the shelf, and just set it up off the domain with a local username and password, much like you would a home computer. Once you have done that, enrol the device into Intune; this should also Azure domain join/register (not sure of this week's terminology) the device, your policies should apply, and then you should be able to use your Office 365 environment. Obviously this is very high level and you will need to do a lot of work to figure out the exact settings, and obviously test it thoroughly before rolling out to end users. Also make sure you document as much as you can of the setup processes, so that your support team has minimal work and you have minimal escalations.
Firstly, Azure AD is not the same as your on-premises AD. Microsoft offers Azure AD Domain Services to manage Azure AD and allows you to join Azure VMs to Azure AD. Please note it does not allow you to join your on-premises servers and devices to Azure AD. You may want to watch my YouTube video for a better understanding at,
Secondly, you may join your Windows 10 devices to Azure AD. You can do this with devices that are already domain joined. Therefore your devices can be joined to both Azure AD and on-premises AD. If you are using ADFS, it needs a PowerShell command to make the necessary changes to your on-premises AD schema.
As Azure AD is not replacing on-premises AD, at least for now, you may want to keep your on-prem AD but take advantage of Azure AD.
If you decide to go this route, then your questions around user profiles and administrator membership are no longer a question?
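Both answers above describe a target state for the device (the first: Azure AD joined and Intune enrolled, not on the on-prem domain; the second: hybrid, joined to both). Before handing a build to end users it is worth checking that the machine actually landed in that state rather than trusting the enrolment wizard. The PowerShell below is an added example, not code from either poster: it parses the "Key : Value" lines that `dsregcmd /status` prints (real field names `AzureAdJoined`, `DomainJoined`, `MdmUrl`), checks them against the chosen mode, and, on a live machine, reads the `HKLM:\SOFTWARE\Microsoft\Enrollments` key that Intune enrolment creates. The `dsregcmd` output embedded in the block is constructed sample data with placeholder device and tenant values, so the parser can be exercised offline; the function names are my own.

```powershell
# Added example (not from the original posts). Checks a Windows 10 device's
# join/enrolment state after following the steps described above.

function ConvertFrom-DsregStatus {
    # Turn the lines printed by `dsregcmd /status` into a hashtable.
    # dsregcmd prints fields as "<spaces>Key : Value"; the boxed section
    # headers and blank lines contain no " : " and are skipped.
    param([Parameter(Mandatory)] [string[]]$Lines)

    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9_ ]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]   # value may itself contain ':' (URLs)
        }
    }
    return $state
}

function Test-ExpectedJoinState {
    # AzureAdOnly: the first answer's build (cloud-joined, off the on-prem domain).
    # Hybrid:      the second answer's build (joined to both directories).
    param(
        [Parameter(Mandatory)] [hashtable]$State,
        [ValidateSet('AzureAdOnly', 'Hybrid')] [string]$Mode = 'AzureAdOnly'
    )

    $problems = @()
    if ($State['AzureAdJoined'] -ne 'YES') {
        $problems += 'Device is not Azure AD joined'
    }
    switch ($Mode) {
        'AzureAdOnly' {
            if ($State['DomainJoined'] -eq 'YES') {
                $problems += 'Device is still joined to the on-premises domain'
            }
        }
        'Hybrid' {
            if ($State['DomainJoined'] -ne 'YES') {
                $problems += 'Hybrid join expected, but device is not domain joined'
            }
        }
    }
    # MdmUrl is the tenant's MDM discovery endpoint; if it is empty the tenant is
    # not advertising Intune to this device and policies cannot apply.
    if ([string]::IsNullOrEmpty($State['MdmUrl'])) {
        $problems += 'No MDM (Intune) URL present for this tenant'
    }

    [pscustomobject]@{
        Mode     = $Mode
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

function Get-IntuneEnrollment {
    # Live-machine check only (no sample data): a completed Intune enrolment leaves
    # HKLM:\SOFTWARE\Microsoft\Enrollments\{GUID} with ProviderID "MS DM Server"
    # and EnrollmentState 1. Returns nothing when the device is not enrolled.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' -and $_.EnrollmentState -eq 1 } |
        Select-Object PSChildName, ProviderID, EnrollmentState, UPN
}

# Constructed sample of `dsregcmd /status` output (placeholder names and IDs).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : LAPTOP-0001

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-000000000000
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -Lines $sample
Test-ExpectedJoinState -State $state -Mode AzureAdOnly   # Ok = True for the sample
Test-ExpectedJoinState -State $state -Mode Hybrid        # Ok = False: not domain joined

# On a real device, replace the sample with live output and add the registry check:
#   $live = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
#   Test-ExpectedJoinState -State $live -Mode AzureAdOnly
#   Get-IntuneEnrollment
```

Run it on the freshly built machine after enrolment and again after the first policy sync; a device that reports `AzureAdJoined : YES` but has no `MS DM Server` enrolment entry has registered with the directory without enrolling in Intune, which is exactly the state a conditional access policy that requires a compliant device will block.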