We are a small company using Azure AD. The vast majority of our employees are remote and we need them to be able to install/update apps on their PC's without requiring an Admin login every single time, since that requires us to remotely control their PC over Teams and that does not allow for input of admin credentials without input from the remote user - meaning the admin credentials must be reset on a near daily basis.
You can control which users are granted local admin rights on a machine that has been Azure AD domain joined. You can find details on how to do this here