Allow granting ConfigMgr rights to AAD users/groups
With the introduction of tenant attach, there is a growing need to be able to grant ConfigMgr permissions to AAD objects.
In many environments, ConfigMgr admins have the following accounts:
- a normal user account which is synced to AAD
- an admin account which is not synced to AAD
- an AAD-only account for the cloud stuff
When you implement tenant attach, you need an AD account that is synced to AAD and has permissions in ConfigMgr. None of those accounts is a perfect solution.
1) Don't want to grant any ConfigMgr rights to the normal user
2) Don't want to sync on-prem admin accounts to AAD
3) Cannot grant ConfigMgr rights to AAD users/groups
Thus, it would be useful to be able to grant ConfigMgr rights to AAD users/groups, so the admin wouldn't need any additional account for tenant attach operations.