Best Practices for Azure AD-joined PCs and Global Admin accounts

security azure-active-directory

Am I correct in assuming that I should do the same with AAD - take away their Global Admin rights on their regular accounts?

You are absolutely correct. This isn't specific to Office 365. This is standard best practice. They (and you) should log onto your computers with "standard" Office 365/Azure AD user accounts (no Office 365 or Azure management roles), and you should use dedicated, named Global Admin accounts for tasks that require that role.

Are there safeguards in place? Only if you put them in place. One of which is using the Office 365 security defaults and also implementing multifactor authentication for all accounts that have Office 365 or Azure AD management roles. A Global Admin is a Global Admin and has all the rights, permissions, and abilities of a Global Admin. There's no protection mechanism to say "Oh, this Global Admin is logging in from an Azure AD joined machine so we'll restrict their Global Admin ability."

Related

Nginx -- disable aggressive caching for Wordpress admin areas
Dell R630 supported PCIe to NVMe (m.2) adapter and drive?
Bulk Phone number change - DSQUERY
Which is my SQL server name for connecting to the online database by SSMS?
Segmenting IPv6 networks using dnsmasq?
Mirror Linux Systems Running Game Servers And Payment Managing servers
How to stop apt-get using /tmp for install scripts
New virtual host on apache returns the default vhost, other times returns the normal content
docker-compose static ip does not work
checking and reading cookies with nginx
Server 2012 R2 in place upgrade to server 2016 or 2019 error after first reboot
Running kubectl commands as cronjobs in the Kubernetes cluster results in a connection refused error