Adding local administrator to an Azure AD joined device

Upon enrolling a Windows 10 device with Intune, I encountered an issue where the user account that I provided access to did not have administrative rights upon logging in. Fortunately, Azure AD join adds several security principals to the local administrators group on the device, including the Azure AD global administrator role, Azure AD device administrator role, and the user performing the Azure AD join. This allows for easy modification of device management privileges in Azure AD without having to make any changes to the device itself. Furthermore, the Azure AD device administrator role is added to the local administrators group to adhere to the principle of least privilege.

Greetings,
I have designated an individual as the global device administrator. After enrolling a windows 10 device with intune, I noticed that the account I granted privileges to lacks administrative rights when logging in with it.

Expressing gratitude to @mdmdmd3223-9128 for their post.

Once you perform an Azure AD join to connect a Windows device, the local administrators group on the device is enhanced with additional security principals by Azure AD.

  • The role of a global administrator in Azure AD.

  • The role of device administrator in Azure AD.

  • The individual who carries out the Azure AD registration.

One way to modify device management permissions in Azure AD is by assigning Azure AD roles to the local administrators group. Doing so allows you to update user management access in Azure AD without changing anything on the device itself. It’s important to note that it is not currently possible to assign groups to an administrator role. Additionally, to adhere to the principle of least privilege (PoLP), Azure AD automatically includes the Azure AD device administrator role in the local administrators group.

With an AzureAD Premium tenant, you have the ability to assign the role manually.


If you have any further inquiries, please don’t hesitate to ask. I appreciate your time and patience in resolving this matter.


To assist others in the community who may encounter similar issues, kindly acknowledge the helpfulness of any answer/reply by “Accepting Answer”.


Hello,
Thank you for your response. I have been designated as a device administrator via Azure AD, Devices, and Device Settings. However, despite this assignment, I do not have administrative privileges when I log into the device. Please see the attached screenshot of the designated user.

Our current approach involves utilizing autopilot which excludes granting administrative privileges to the device enrollee. However, in the absence of autopilot, opting for an azure join would result in the user acquiring administrative rights upon enrolling the device.

Upon enrolling a device through autopilot, it has been observed that the user depicted in the provided image lacks administrative privileges.

Frequently Asked Questions

Posted in Uncategorized