Chris_toffer0707
Mar 12, 2025

No support for Protected Users in Microsoft Entra Domain Services?

I have been looking into mapping best practices for configuring a hardening / tiering model from on-premises Active Directory to Microsoft Entra Domain Services (MEDS).

 

I'm well aware that MEDS is NOT a replacement for AD DS and has many restrictions and missing features, but that does not stop me from wanting to make it as secure as possible for member servers to be joined to.

 

Since MEDS is a PaaS in Azure, deployed from within Azure and managed in a different way than Active Directory, of course there are different ways of implementing a good tiering model.

In my study I wanted to see if I could enable the Protected Users feature (join users to the Protected Users group). However, I find this group to be present, but it is not possible to add members to it (the feature is greyed out).

 

I have a member server in the MEDS instance and have installed AD DS Tools. My user is a member of the AD DDS Administrators group.

 

I would like to know if anyone has some knowledge on the subject to share?

  • I have started writing an article about the subject. Therefore it would be really nice to have someone validate the contents: https://www.chkja.dk/2025/03/12/microsoft-entra-domain-services-tiering-preventing-lateral-movement/
