Users must be local admins to join a domain (any kind of domain, including AAD) and must also be local admins to enroll in MDM management. If this were not the case, anyone could take over your devices, i.e., it would be really, really, really ... really bad security-wise.
Are the devices currently joined to an on-prem AD domain? Are they currently managed in any way?
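As an added example (not part of the original reply or thread), here is a PowerShell script that answers the two diagnostic questions above on a Windows 10/11 machine: is the current user a local admin, is the device joined to an on-prem AD domain and/or Azure AD, and is an MDM enrollment present. It assumes `dsregcmd.exe` is available and that MDM enrollments are recorded as GUID-named subkeys under `HKLM:\SOFTWARE\Microsoft\Enrollments` with an `EnrollmentState` value of 1 meaning enrolled; treat that registry layout as an assumption rather than a documented contract.

```powershell
# Added example: report local-admin status, domain/AAD join state, and MDM enrollment.
# Assumptions (not from the original thread): dsregcmd.exe exists; enrollments live under
# HKLM:\SOFTWARE\Microsoft\Enrollments as GUID subkeys with EnrollmentState = 1 when enrolled.

function Test-LocalAdmin {
    # True when the current token carries the BUILTIN\Administrators role (elevated).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-JoinState {
    # Win32_ComputerSystem covers on-prem AD; dsregcmd /status covers Azure AD join/registration.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    try { $ds = & dsregcmd.exe /status 2>$null } catch { $ds = @() }
    $flag = { param($name) [bool]($ds | Where-Object { $_ -match "^\s*$name\s*:\s*YES" }) }
    [pscustomobject]@{
        OnPremDomainJoined = [bool]$cs.PartOfDomain
        DomainName         = $cs.Domain
        AzureAdJoined      = & $flag 'AzureAdJoined'
        HybridJoined       = ([bool]$cs.PartOfDomain) -and (& $flag 'AzureAdJoined')
        AzureAdRegistered  = & $flag 'WorkplaceJoined'
    }
}

function Get-MdmEnrollment {
    # Assumption: each enrollment is a GUID-named subkey; EnrollmentState 1 means enrolled.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.EnrollmentState -eq 1) {
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                ProviderId   = $p.ProviderID
                UPN          = $p.UPN
            }
        }
    }
}

$admin = Test-LocalAdmin
$join  = Get-JoinState
$mdm   = @(Get-MdmEnrollment)

"Current user is local admin : $admin"
"On-prem AD joined           : $($join.OnPremDomainJoined) ($($join.DomainName))"
"Azure AD joined             : $($join.AzureAdJoined)  (hybrid: $($join.HybridJoined))"
"Azure AD registered         : $($join.AzureAdRegistered)"
"MDM enrollments (active)    : $($mdm.Count)"
$mdm | Format-Table -AutoSize

if (-not $admin) {
    Write-Warning 'Not running as local admin; join or enrollment operations from this session will need elevation.'
}
```

Run it from the session that will perform the join or enrollment, since the local-admin check reflects the current token (an unelevated prompt for an admin user reports False). The registry scan reads HKLM, so it may itself need elevation to see every enrollment.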