Hello,
I think these articles can help you achieve what you want:
- Windows Hello For Business Hybrid:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs
- Afraid of Windows 10 with Azure AD Join:
https://techcommunity.microsoft.com/t5/windows-blog-archive/afraid-of-windows-10-with-azure-ad-join-try-it-out-part-1/ba-p/706477
You don't need AD FS to allow access to M365 services when they log in on their corporate computers; you have to configure seamless SSO:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
This decision tree will help you choose the best method depending on what you want to achieve:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#decision-tree