Hi, this is possibly a pretty niche question, but I've not yet been able to find what I need (or successfully make work with my testing) so I came to the place that knows everything :-)
We have on-prem AD, hybrid synced to Azure AD for Microsoft 365 (and in the slow migration to all-cloud, potentially, but in the interim everything needs to work while we get there). At the moment we use a system where an AD 'localadmin' user sits disabled until someone needs elevation, at which point we run a Powershell script to enable, change password, and set to disable at the end of the day (or straight away once the user is finished).
This works fine internally, and on VPN-connected machines, but for performance reasons we're looking to change our VPN so it's not always on for all external devices. This means that the local admin user can't see AD...