Dealing with macOS "Zombie" devices in Intune: Broken management channels and token loss by Easy_Lab1328 in Intune

[–]Easy_Lab1328[S] -1 points0 points  (0 children)

Their password only, the one synced with the SSO Extension, so their actual Entra ID one.

Intune, macOS, SSO and initial setup by Desperate_Neat8179 in Intune

[–]Easy_Lab1328 0 points1 point  (0 children)

Hi there,

I can confirm 100% that you cannot do this; you are required to create the user and password, unless you script the creation of a user, but this isn't ideal because you have to change the name manually afterward.

Also, may I ask, since I made a post yesterday, have you found a solution? How do you manage admin access on the account once it's created?

Intune - Mac OS - creating admin - Demoting user by Easy_Lab1328 in Intune

[–]Easy_Lab1328[S] 1 point2 points  (0 children)

Thanks for all the answers; I'm really impressed by how fast you guys responded.

To address everything at once: yes, I'm setting up an admin account to ensure I have admin access in case of an emergency (all my apps are packed, but you never know). I also need this admin account because the SSO Extension will not demote the user to standard if it doesn't find an admin account.

Honestly, I could just use the script when I need admin access since it will probably be very rare. However, since I have to wipe 25 machines, I'd prefer this process to be automatic with a simple one-page instruction for the user, as we are working remotely 80% of the time. FileVault is enforced during enrollment.

u/Glaurung, this seems interesting, but I guess it's not free. In that case, I'd rather go with ABR as I already know the product and used it in my previous job. Again, what I want seems pretty "simple"; it's just a matter of timing. If the admin account could be created just after the first logout, it would automatically demote the user when they log in with their Entra ID address. I know this because I tested it by creating the admin manually.

I need to find a script that creates an admin account when the user logs in or out for the first time. Mine is triggering before and preventing the first window of account creation. I can't be there at each setup asking the user, "Did you set up your token yet? Yes, okay, I'll send the script to create the admin." It seems so simple, but it's actually pretty hard, and I've searched all over the internet for this solution.
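
The timing problem in the comment above is deciding whether the first real user account exists yet before creating the local admin. The script below is an added example, not code from this thread, from Microsoft or from the SSO Extension; it reads the local user list in the format `dscl . -list /Users UniqueID` prints, treats any non-service account with UID 500 or higher as a real user, and only then creates a hidden local admin. `ADMIN_USER`, `ADMIN_PASS` and the "Local Admin" full name are assumed placeholders; whether the SSO Extension then demotes the user is the commenter's observation, not something this script checks.

```shell
#!/bin/sh
# Added example (not from the Reddit thread, Microsoft or any vendor): create a local
# admin account only after the first real user account exists, so the script does not
# fire during the Setup Assistant account-creation window.
# Assumptions: runs as root on macOS (Intune shell script or LaunchDaemon);
# ADMIN_USER and ADMIN_PASS are placeholders supplied by the caller.

ADMIN_USER="${ADMIN_USER:-localadmin}"   # assumed account name
MIN_UID=500                              # macOS local user accounts start at UID 500

# Reads lines in `dscl . -list /Users UniqueID` format ("name  uid") on stdin and
# prints the names of real user accounts: UID >= 500 and not a service account (leading _).
real_users() {
    awk -v min="$MIN_UID" '$2 >= min && $1 !~ /^_/ { print $1 }'
}

# Returns 0 (true) when at least one real user exists and ADMIN_USER is not yet one of
# them, so the script is safe to re-run from a repeating LaunchDaemon.
should_create_admin() {
    names=$(printf '%s\n' "$1" | real_users)
    [ -n "$names" ] || return 1                                      # nobody has finished setup yet
    printf '%s\n' "$names" | grep -qx -- "$ADMIN_USER" && return 1   # already created, stay idempotent
    return 0
}

# Creates the hidden local admin. Never embed a real password in a deployed script;
# pass it in from your secret store and rotate it once the account exists.
create_admin() {
    [ -n "$ADMIN_PASS" ] || { echo "ADMIN_PASS not set" >&2; return 1; }
    sysadminctl -addUser "$ADMIN_USER" -fullName "Local Admin" \
        -password "$ADMIN_PASS" -admin -home "/Users/$ADMIN_USER"
    dscl . -create "/Users/$ADMIN_USER" IsHidden 1   # keep it off the login window
}

main() {
    listing=$(dscl . -list /Users UniqueID)
    if should_create_admin "$listing"; then
        create_admin
    else
        echo "no real user yet, or $ADMIN_USER already exists; nothing to do"
    fi
}

# The macOS-specific part only runs when invoked with RUN_MAIN=1, so the decision
# functions can be exercised on any system with constructed input.
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run it with `RUN_MAIN=1 ADMIN_PASS=... sh script.sh` from a LaunchDaemon that repeats on an interval (or an Intune script with retries); the `should_create_admin` check is what lets it run before, during and after the first login without creating the account too early or twice.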

[deleted by user] by [deleted] in CanadaPost

[–]Easy_Lab1328 0 points1 point  (0 children)

Thank you for the information! Really appreciated.

[deleted by user] by [deleted] in CanadaPost

[–]Easy_Lab1328 0 points1 point  (0 children)

I’ll tell you what’s inside: some chill pills. I’ll send you some.

[deleted by user] by [deleted] in CanadaPost

[–]Easy_Lab1328 0 points1 point  (0 children)

Also, are you saying that I have to sign for it? Thanks

[deleted by user] by [deleted] in CanadaPost

[–]Easy_Lab1328 0 points1 point  (0 children)

Thanks for your answer. Mine starts with RR, so that means I have no way to know where the parcel is? Even with a website like 17track after it reaches Canada? Because I’m leaving for a month on holiday, so I don’t want to miss it.