Forum Discussion
Richard Dokter
Dec 13, 2017 (Copper Contributor)
Azure AD Conditional Access - Require Domain Joined Device
Can someone help me with this scenario:
We are planning to move from on-premises AD to Azure AD.
All colleagues have an Office 365 E3 account and will have added their Office 365 account to their ...
Andrew Fleming
Jan 04, 2018 (Copper Contributor)
From looking at your post, I would set up an Intune environment with the settings and policies you want for your Windows 10 devices. Set up conditional access so you can restrict access: if the machine does not meet your requirements, it does not access your resources. Once that is set up, get a new build machine, i.e. off the shelf, and just set it up off the domain with a local username and password, kind of like you would a home computer. Once you have got that done, enrol the device into Intune; this should also Azure domain join/register (not sure on this week’s terminology) the device, your policies should apply, and then you should be able to use your Office 365 environment. Obviously this is very high level and you will need to do a lot of work to figure out the exact settings, and obviously test it thoroughly before rolling out to end users. Also make sure you document as much as you can for the setup processes, so that your support team has minimal work and you have minimal escalations.
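The conditional access step described in the reply above can be expressed as a policy object for the Microsoft Graph endpoint `POST /v1.0/identity/conditionalAccess/policies`. This is an added example, not part of the original thread; the display name and the excluded emergency-access account ID are placeholders, and the report-only state is an assumption chosen so the policy can be tested before it is enforced.

```json
{
  "displayName": "EXAMPLE - Office 365 requires compliant or hybrid joined Windows device",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<placeholder-emergency-access-account-object-id>"]
    },
    "applications": {
      "includeApplications": ["Office365"]
    },
    "platforms": {
      "includePlatforms": ["windows"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice", "domainJoinedDevice"]
  }
}
```

With `operator` set to `OR`, a Windows device passes if Intune marks it compliant or if it is hybrid Azure AD joined; changing `state` to `enabled` turns the logged result into an enforced block.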