@anyweb, amazing post, thank you. We are very similar to one of the posts above: currently on McAfee ePO but wanting to move to Azure AD-based key escrow. I can see (also above) where you can set up MBAM with ConfigMgr, and if you have On-Prem AD escrow, it will also sync to Azure AD (if you are using AD Connect).

Is there a way to skip the On-Prem escrow and go straight to Azure AD if the devices are Hybrid Azure AD joined? Everything I see points to yes, but I cannot find anything that indicates it has been successful. Or are we resigned to using AD Connect until we are fully Azure AD joined only?
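As an added illustration (not part of the original comment, and separate from the MBAM/ConfigMgr integration it asks about): Windows ships a built-in `BackupToAAD-BitLockerKeyProtector` cmdlet that escrows a volume's recovery password straight to the device's Azure AD object, which works on Azure AD joined and Hybrid Azure AD joined devices with no On-Prem AD escrow in the path. The script below is example code written for this thread; it assumes it runs elevated on a device that `dsregcmd /status` reports as `AzureAdJoined : YES`, and that the drives already have BitLocker enabled.

```powershell
# Added example (not from the original post): escrow each protected volume's
# BitLocker recovery password directly to Azure AD from a Hybrid Azure AD
# joined device. Assumption: run as administrator on a device that is Azure AD
# joined or Hybrid Azure AD joined; otherwise the backup cmdlet fails.

$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }

foreach ($vol in $volumes) {
    $recoveryProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recoveryProtectors) {
        # No recovery password protector yet: add one so there is something to escrow.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $recoveryProtectors = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($kp in $recoveryProtectors) {
        try {
            # Sends only the recovery password protector (never the full volume key)
            # to the device's Azure AD object.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
            Write-Output "Escrowed recovery password $($kp.KeyProtectorId) for $($vol.MountPoint) to Azure AD"
        } catch {
            Write-Warning "Azure AD escrow failed for $($vol.MountPoint): $($_.Exception.Message)"
        }
    }
}
```

To confirm it worked rather than taking the script's word for it, check the device's "BitLocker keys" view in the Azure AD portal (the key ID shown there should match `$kp.KeyProtectorId`), and look in the Microsoft-Windows-BitLocker/BitLocker Management operational event log, which records whether each Azure AD backup attempt succeeded or failed.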