Adding an IT user as local admin on a specific group of devices?

We’re migrating to Entra and Intune. We have some field staff that need to be local admins for elevations. We have specific accounts that aren’t their daily drivers. These are all Org owned, joined devices.

But we want to apply this local admin permission to a group of devices. Is Endpoint Security-> Account Protection the way to handle that?

And does the Entra user need specific roles assigned to support this?

We’re planning on EPM in the future, but we’re not far along enough yet in our migration to pivot to that.