Eliminate SEPM admin accounts: Use AD Security Group membership & SSO

At present, SEPM's AD integration for admin accounts is to create SEPM admins with names matching AD usernames. All that saves us is having to set the passwords. Nice, but not enough.

I want to be able to create AD Security Groups for each SEPM role, such as "SEP System Administrators", "SEP Limtied Administrators", "SEP Report-Only Administrators", etc., and then assign AD user accounts to these groups. In SEPM, I'd assign various admin roles to these Groups. Then, when a user logs on to SEPM, SEPM would query AD for the Group membership to determine if access is allowed, and the level of access. I use other configurators like this; no reason SEPM couldn't do it, too.

Furthermore, a user shouldn't have to log on to SEPM at all. SEPM should use the credentials of the logged-on user (or Run As).