Channel: Microsoft Intune

Local Admins on Intune-managed laptops


I'm sure many of you have this issue:

Many security certifications (ISO 27001, Cyber Essentials etc) require separation of user and admin accounts, and it's generally good practice anyway. Unfortunately the technical tests for these preclude the use of UAC or other forms of elevating a single user account, and require a separate account to be used. This is fine on-prem but is hard to manage over MDM.

There are several guides out there to managing this for laptops etc joined to AAD/Intune, and the technical aspect isn't hard to implement. The general approach appears to be a) create a second user account, b) add it to Device Admins in Intune. This syncs down and becomes a local admin you can elevate with.

However the approach of adding users to Device Admins becomes questionable when you scale up. For an estate of say 1,000 devices, where...

