You manage an Azure Active Directory (Azure AD) tenant that is synchronized with an on-premises Active Directory Domain Services (AD DS) domain. The client computers in this environment run on Windows and are hybrid-joined to Azure AD. As part of your responsibilities, you are tasked with designing a strategy to protect these endpoints from ransomware attacks. Adhering to Microsoft Security Best Practices, one key aspect of your strategy is to remove all domain accounts from the Administrators groups on the Windows computers, thereby enhancing security. You need to recommend a solution that will allow users to gain administrative access to these Windows computers but only when it is absolutely necessary. The chosen solution should also aim to minimize the risk of ransomware spreading laterally if an administrator account on one of the computers is compromised. What solution would you recommend to achieve this goal?