SeanBulger asked (0 votes):
All AAD devices have admin roles assigned

Hello,

I was working with a client today. They noticed that all of their Azure registered devices showed two Azure roles assigned. All of the devices show both the Attribute Assignment Administrator and Reader roles. I then checked in my tenant and confirmed the same behavior. I also confirmed that all of my hybrid and Azure joined devices show the same thing.

Is there a reason these roles are showing up on all devices? If so, is it documented? I can see this raising a lot of red flags among security teams. If the roles need to be there, that's fine - I will just need to provide documentation as to why it is required.

Tags: azure-active-directory, azure-rbac

1 Answer

michev answered (1 vote):

Those are not roles assigned to the device. Those are roles that grant the assigned user/group access to read or configure custom security attributes on the device object. Read more about it here: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/custom-security-attributes-overview
