@Matt Dillon, Thanks for posting in Q&A.
For your questions, here are my answers for your reference:
Q1: Do I need a direct connection to the domain either via VPN or in an office for this policy to work in a Hybrid Azure AD environment?
A1: After Hybrid Azure AD joined devices are enrolled in Intune, they can get some Intune policies via Intune. Some still need the devices to be in the office. Based on my test, for the account protection policy we added, if we add an account synced from AD to AAD, it will fail with the following error when we are not on the office network.
Q2: How often does the policy run? Can that be modified?
A2: For the policy refresh interval, the refresh cycle can be 8 hours. We can do a manual sync on the device to get the policy.
Q3: While the GPO would instantly correct the members of the Administrators group, I am not seeing that with this policy. What is the expectation using this policy as my guess at this point is things happen once and that is it or they happen when the policy has accounts added, but not deleted.
A3: As far as I know, when I remove one user from the policy, the new policy is also applied after I do a manual sync and restart the device. You can sync and restart the device to see if it works! If not, go to the DeviceManagement-Enterprise-Diagnostic-Provider event log to see if there are any related errors.
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
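The check described in A3 (manual sync, then confirm the local group membership and look for errors in the MDM diagnostics event log), as an added PowerShell example that is not part of the answer above. It assumes the device's Intune enrollment registered the usual "PushLaunch" scheduled task under \Microsoft\Windows\EnterpriseMgmt\ and that the event channel is named "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"; the "Administrators" group name and the 30-minute look-back window are illustrative parameters. Run it in an elevated PowerShell session on the enrolled device.

```powershell
# Added example (not from the original answer): trigger an Intune/MDM sync on an
# enrolled Windows device, show the local group membership before and after,
# and list any errors or warnings the MDM diagnostics log recorded.
# Assumptions (not stated in the answer): the enrollment client created the
# "PushLaunch" task under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>\,
# and the log channel is
# "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin".
param(
    # Local group managed by the account protection policy (assumed).
    [string]$GroupName = 'Administrators',
    # How far back to search the MDM log for errors (assumed window).
    [int]$LookBackMinutes = 30
)

$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-GroupMembership {
    param([string]$Group)
    # PrincipalSource tells synced AD accounts (ActiveDirectory) apart from
    # Azure AD accounts (AzureAD) and local accounts (Local).
    Get-LocalGroupMember -Group $Group |
        Select-Object Name, PrincipalSource, ObjectClass
}

function Start-MdmSync {
    # One PushLaunch task exists per MDM enrollment; starting it makes the
    # device check in with Intune now instead of waiting for the refresh cycle.
    $tasks = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }
    if (-not $tasks) {
        Write-Warning 'No PushLaunch task found. Is the device enrolled in Intune?'
        return $false
    }
    $tasks | Start-ScheduledTask
    Write-Host "Started $(@($tasks).Count) PushLaunch task(s); waiting for the sync..."
    Start-Sleep -Seconds 60
    return $true
}

function Get-MdmProblems {
    param([datetime]$Since)
    # Level 2 = Error, 3 = Warning. Get-WinEvent raises a non-terminating
    # error when nothing matches, so that case is silenced.
    Get-WinEvent -FilterHashtable @{
        LogName   = $logName
        Level     = 2, 3
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$windowStart = (Get-Date).AddMinutes(-$LookBackMinutes)

Write-Host "`n$GroupName members before sync:"
Get-GroupMembership -Group $GroupName | Format-Table -AutoSize

if (Start-MdmSync) {
    Write-Host "`n$GroupName members after sync:"
    Get-GroupMembership -Group $GroupName | Format-Table -AutoSize

    $problems = Get-MdmProblems -Since $windowStart
    if ($problems) {
        Write-Host "`nErrors/warnings in $logName since ${windowStart}:"
        $problems | Format-List
    } else {
        Write-Host "`nNo errors or warnings in $logName since $windowStart."
    }
}
```

If the membership has not changed after the sync, reboot as the answer suggests and run the script again; any entries it lists from the MDM log are the place to start when the policy still fails, and a failure to resolve a synced AD account while off the office network would show up there.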