“Azure AD joined device local administrator” role to grant an Azure AD user with local admin rights

Question

Hello, can I use the “Azure AD joined device local administrator” role to grant an Azure AD user with local admin rights? would this work if the device "Join type" is either Azure AD joined / Azure AD registered?

The purpose is to allow the user to install any apps in the device.

then, we can revoke the access from the Azure console.

Thanks in advance.

Answer 1

@Leandro Garcia

Users assigned to this role are added to the local administrators group on Azure AD-joined devices.

This role is available for assignment only as an additional local administrator in Device settings. Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage devices objects in Azure Active Directory.

Once the user is added to local admin group in Azure AD join device, they will be able ot install any apps in the device.

This role will work only for devices with join type "Azure AD joined" devices.

It will not work for devices with join type "Azure AD registered".

For reference, you can check below article,

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#azure-ad-joined-device-local-administrator

Let me know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.