0 Votes
DaniyalRaza-1385 asked, Jason-MSFT answered

Azure AD role assigned to user not reflected on Azure AD joined client machine

Hello All,

I have an Azure AD joined laptop on which I log in with a normal user that has no administrative rights. But now I want to manage user rights from the Azure AD portal using Privileged Identity Management.
I then assigned the role "Azure AD joined device local administrator" to the normal user so he can do administrative tasks on his local machine. I assigned this role with a time-bound limit so his role will expire after the end time I specified in the role assignment settings.

But these settings don't reflect on the user's end, and the user doesn't get access to perform administrative tasks within the specified time limit.

I have gone through multiple forums and seen a lot of videos regarding this.

Need help

Thanks in Advance

Daniyal

Tags: azure-ad-privileged-identity-management, azure-ad-device-management

1 Vote
Jason-MSFT answered

Using PIM in Azure to control local admin permissions is not supported. It does more or less work; however, it's tied to the PRT refresh cycle, which is every 4 hours, so it is also more or less unpredictable and of limited (at best) value.

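Added example, not part of the thread or of any Microsoft tooling: a check an admin can run on the affected device to see why the PIM assignment is not visible yet. It reads the PRT timestamps from `dsregcmd /status` (the refresh cycle the answer above refers to) and compares them with what the current logon token and the local Administrators group actually contain. It assumes a Windows PowerShell 5.1 session on the Azure AD joined device, run as the user who was given the role.

```powershell
# Pull the device-registration state that governs when a new Azure AD role shows up locally.
$statusLines = dsregcmd /status

# Extract a "Name : value" field from the dsregcmd output (field names as printed by dsregcmd).
function Get-DsregValue {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*:\s*(.+)$") { return $Matches[1].Trim() }
    }
    return $null
}

$joined     = Get-DsregValue -Lines $statusLines -Name 'AzureAdJoined'
$prtPresent = Get-DsregValue -Lines $statusLines -Name 'AzureAdPrt'
$prtUpdated = Get-DsregValue -Lines $statusLines -Name 'AzureAdPrtUpdateTime'
$prtExpiry  = Get-DsregValue -Lines $statusLines -Name 'AzureAdPrtExpiryTime'

# What the *current* logon token says: this is what Windows enforces, regardless of the portal.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$tokenAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Members of the local Administrators group; Azure AD principals show up with S-1-12-1-... SIDs.
# Get-LocalGroupMember can throw on devices with orphaned SIDs, so the error is caught, not fatal.
try {
    $adminMembers = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Select-Object Name, SID, PrincipalSource
} catch {
    $adminMembers = "Could not enumerate Administrators: $($_.Exception.Message)"
}

[pscustomobject]@{
    AzureAdJoined        = $joined
    AzureAdPrt           = $prtPresent
    AzureAdPrtUpdateTime = $prtUpdated
    AzureAdPrtExpiryTime = $prtExpiry
    TokenIsAdminNow      = $tokenAdmin
    CurrentUser          = $identity.Name
} | Format-List

"Local Administrators group as Windows sees it:"
$adminMembers | Format-Table -AutoSize
```

If the PIM activation happened after AzureAdPrtUpdateTime, the role is not yet in the PRT the device holds, and the logon token will keep reporting TokenIsAdminNow as False until the next PRT refresh followed by a fresh sign-in.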

0 Votes
AURANGZEBBilalATMEDICSLTD-4737 answered, AURANGZEBBilalATMEDICSLTD-4737 commented

Hi Jason, thanks

I believe Microsoft is pretty laid-back on this. Why have a policy in there when it is of no use? Advertising it as J-I-T (Just in Time) access and then ditching the users by saying it's something unpredictable. No disrespect, but I don't see any logic behind this.


Because PIM wasn't designed for this scenario. PIM was designed for admin activities within Azure (using the Azure portal or Graph API). It doesn't (and can't really, with the way Windows currently works) account for how something outside the scope of its control behaves, which in this case is the PRT refresh process in Windows, which is what actually dictates the behavior.

No commitments whatsoever and no timelines to share, but we are investigating a cloud/Azure-based LAPS-like solution that will integrate with Intune and would fill this gap.

0 Votes

Again, why would one thing be advertised with Local Device Administrator Policies and be applicable in some fashion? If it wasn't designed in such a fashion, then why does it work intermittently? I see a bug turned into a feature, and now when reported, it's called a bug/never designed this way. No offence, but I find it very difficult to digest this truth.

0 Votes
0 Votes
Jason-MSFT answered

Again, why would one thing be advertised with Local Device Administrator Policies

Not sure what you mean here. Nothing is "advertised" by Microsoft concerning this because we know it's not supported due to the issue I called out.

As far as why it's possible, it's because it works for the intended purpose: PIM for access to Azure admin functionality. The fact that it may have other effects is an unintended by-product, and we can't explicitly turn it off for this one use case as that would break its actual intended purpose. This is reality.
