question

Yannik-6890 asked MarileeTurscak-MSFT edited

Set Azure AD Users as local admins on their PCs

Hello,
I'm on my first day of an internship and also with Azure, and I got the task to set Azure Active Directory users as local admins on their machines with read/write rights.
The users already have the AD role "Azure AD joined device local administrator role", but that only comes with read rights as far as I know.

Is there any way to change that built-in role? Are there any alternatives or workarounds?

Thanks in advance!

azure-ad-domain-services

1 Answer

MarileeTurscak-MSFT answered MarileeTurscak-MSFT edited

Do they need to have read/write rights on-premises or just in Azure? If they have the local admin rights on their machines, they should have full control over the local devices.

If they need to write to the local Active Directory, then they also need to be members of the Domain Administrators group. Domain Administrators have elevated rights to administer and make changes to the Active Directory. (It is recommended not to give Domain Administrator rights to anyone except those directly responsible for AD admin tasks.)

If they need to be able to read and write to the Azure AD as well as the local AD, you can give them the Directory Writers role. https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#directory-writers



If this answer was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.
