How do you give a group or a user Local admin rights to specific computer on Azure AD or intune joined PCs?
Hi @VanierFrancis-0097, I hope everything goes well with you.
Did our solution help you? Please feel free to let us know if there is anything else we can help with.
Hi, @VanierFrancis-0097
Just like what Jason said, we can definitely give local admin rights to a user or a group with Intune. And it is worth mentioning that we get a new Policy CSP (starting from Windows 10, version 20H2) to manage Local Users and Groups with Microsoft Intune: LocalUsersAndGroups. With this new setting, we are able to add members to the local Administrators group.
Note: Because of the character limit on comments, I will reply in an Answer.
Below I will show an example of how the setting can be used to manage the Administrators group of an AAD joined device. In the example below I use the group action U (update) to add a user account and a group to the local Administrators group without overwriting the existing members.
To add an Azure AD user account we can use the username, but we need to put AzureAD\ before the username, like "AzureAD\Michael@m365x137916.onmicrosoft.com".
For adding Azure AD groups using this policy, we must use the group SID. The SID of an Azure AD group can be easily found using the Graph Explorer. Query the group using the Object ID of the group:
https://graph.microsoft.com/v1.0/groups/ObjectID. It should be noted that you can find the Object ID of the group in the Azure portal.

Now it's time to deploy the LocalUsersAndGroups policy to our devices using a Custom configuration profile with Microsoft Intune.
1. Sign in to the Endpoint Manager admin center > Devices > Configuration profiles > Create profile
2. Add an OMA-URI

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
Value:
<GroupConfiguration>
<accessgroup desc = "Administrators">
<group action = "U" />
<add member = "AzureAD\Michael@m365x137916.onmicrosoft.com"/>
<add member = "S-1-12-1-3293915145-1237716286-3547282111-4250706607"/>
</accessgroup>
</GroupConfiguration>
3. Assign the profile to your group
4. Click Save and Next to finish the deployment.
Hope it can help.
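As an added example (not part of the answer above or of any Microsoft tooling), the following Python builds the same GroupConfiguration payload from a list of UPNs and group object IDs, converting each object ID to its S-1-12-1 SID locally instead of looking it up in Graph Explorer, and reads a payload back so you can audit which identities an existing profile grants local admin. The object ID in the sample is reconstructed from the SID shown in the answer, not taken from the page; the AzureAD\ prefix and the U action are used exactly as described above.

```python
import struct
import uuid
import xml.etree.ElementTree as ET

# Reconstructed from the SID in the answer above (not a value from the page):
# the group object ID that maps to S-1-12-1-3293915145-1237716286-3547282111-4250706607.
SAMPLE_GROUP_OBJECT_ID = "c4552809-0d3e-49c6-bf3a-6fd3afa25cfd"


def aad_object_id_to_sid(object_id: str) -> str:
    """Derive the cloud SID (S-1-12-1-...) of an Azure AD object from its object ID.

    The SID is the object's GUID split into four little-endian 32-bit
    sub-authorities under the Azure AD authority prefix S-1-12-1; this is the
    same value Graph returns in the group's securityIdentifier attribute.
    """
    guid = uuid.UUID(object_id)
    # bytes_le has the same layout as .NET Guid.ToByteArray(), which the SID encodes
    a, b, c, d = struct.unpack("<IIII", guid.bytes_le)
    return f"S-1-12-1-{a}-{b}-{c}-{d}"


def build_local_admins_config(users, group_object_ids, action="U") -> str:
    """Build the LocalUsersAndGroups/Configure value for the Administrators group.

    users: Azure AD UPNs; each gets the AzureAD\\ prefix the CSP requires.
    group_object_ids: Azure AD group object IDs, converted to SIDs.
    action: "U" (update) adds the listed members and keeps existing ones.
    """
    root = ET.Element("GroupConfiguration")
    grp = ET.SubElement(root, "accessgroup", desc="Administrators")
    ET.SubElement(grp, "group", action=action)
    for upn in users:
        ET.SubElement(grp, "add", member=f"AzureAD\\{upn}")
    for oid in group_object_ids:
        ET.SubElement(grp, "add", member=aad_object_id_to_sid(oid))
    return ET.tostring(root, encoding="unicode")


def members_in_config(xml_payload: str) -> list:
    """List the members a payload adds, for reviewing who a deployed profile makes admin."""
    root = ET.fromstring(xml_payload)
    return [e.get("member") for e in root.iter("add")]


if __name__ == "__main__":
    cfg = build_local_admins_config(
        ["Michael@m365x137916.onmicrosoft.com"], [SAMPLE_GROUP_OBJECT_ID]
    )
    print(cfg)
    print(members_in_config(cfg))
```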
There's no way to give users admin rights on a single system in Azure AD -- it's all or nothing with Azure AD.
With Intune, this is possible though. Here's a great blog that discusses this: https://www.jeffgilb.com/managing-local-administrators-with-azure-ad-and-intune/