How to manage the local administrators group on Azure AD joined devices

To manage a Windows device, you need to be a member of the local administrators group. As part of the Azure Active Directory (Azure AD) join process, Azure AD updates the membership of this group on a device. You can customize the membership update to satisfy your business requirements. A membership update is, for example, helpful if you want to enable your helpdesk staff to do tasks requiring administrator rights on a device.

This article explains how the local administrators membership update works and how you can customize it during an Azure AD Join. The content of this article doesn't apply to a hybrid Azure AD joined devices.

How it works

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:

  • The Azure AD global administrator role
  • The Azure AD joined device local administrator role
  • The user performing the Azure AD join

By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have been only assigned the device administrator role to manage a device.

Manage the global administrators role

To view and update the membership of the global administrator role, see:

Manage the device administrator role

In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:

  1. Sign in to your Azure portal as a global administrator.
  2. Search for and select Azure Active Directory.
  3. In the Manage section, click Devices.
  4. On the Devices page, click Device settings.

To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.

Additional local administrators

Note

This option requires an Azure AD Premium tenant.

Device administrators are assigned to all Azure AD joined devices. You cannot scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when both the below actions happen:

  • Upto 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges.
  • User signs out and signs back in, not lock/unlock, to refresh their profile.
  • Users will not be listed in the local administrator group, the permissions are received through the Primary Refresh Token.

Note

The above actions are not applicable to users who have not signed in to the relevant device previously. In this case, the administrator privileges are applied immediately after their first sign-in to the device.

Manage administrator privileges using Azure AD groups (preview)

Starting with Windows 10 version 2004, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the Restricted Groups MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity to configure distinct administrators for different groups of devices.

Note

Starting in the Windows 10 20H2 update, we recommend using Local Users and Groups policy instead of the Restricted Groups policy.

Currently, there's no UI in Intune to manage these policies and they need to be configured using Custom OMA-URI Settings. A few considerations for using either of these policies:

  • Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the Microsoft Graph API for Groups. The SID is defined by the property securityIdentifier in the API response.

  • When Restricted Groups policy is enforced, any current member of the group that is not on the Members list is removed. So enforcing this policy with new members or groups will remove the existing administrators namely user who joined the device, the Device administrator role and Global administrator role from the device. To avoid removing existing members, you need to configure them as part of the Members list in the Restricted Groups policy. This limitation is addressed if you use the Local Users and Groups policy that allows incremental updates to group membership

  • Administrator privileges using both policies are evaluated only for the following well-known groups on a Windows 10 device - Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users.

  • Managing local administrators using Azure AD groups is not applicable to Hybrid Azure AD joined or Azure AD Registered devices.

  • While the Restricted Groups policy existed prior to Windows 10 version 2004, it did not support Azure AD groups as members of a device's local administrators group.

  • Azure AD groups deployed to a device with either of the two policies do not apply to remote desktop connections. To control remote desktop permissions for Azure AD joined devices, you need to add the individual user's SID to the appropriate group.

Important

Windows sign-in with Azure AD supports evaluation of up to 20 groups for administrator rights. We recommend having no more than 20 Azure AD groups on each device to ensure that administrator rights are correctly assigned. This limitation also applies to nested groups.

Manage regular users

By default, Azure AD adds the user performing the Azure AD join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:

  • Windows Autopilot - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator. You can accomplish this by creating an Autopilot profile.
  • Bulk enrollment - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after a device has been joined are not added to the administrators group.

Manually elevate a user on a device

In addition to using the Azure AD join process, you can also manually elevate a regular user to become a local administrator on one specific device. This step requires you to already be a member of the local administrators group.

Starting with the Windows 10 1709 release, you can perform this task from Settings -> Accounts -> Other users. Select Add a work or school user, enter the user's UPN under User account and select Administrator under Account type

Additionally, you can also add users using the command prompt:

  • If your tenant users are synchronized from on-premises Active Directory, use net localgroup administrators /add "Contoso\username".
  • If your tenant users are created in Azure AD, use net localgroup administrators /add "AzureAD\UserUpn"

Considerations

You cannot assign groups to the device administrator role, only individual users are allowed.

Device administrators are assigned to all Azure AD Joined devices. They can't be scoped to a specific set of devices.

When you remove users from the device administrator role, they still have the local administrator privilege on a device as long as they are signed in to it. The privilege is revoked during their next sign-in when a new primary refresh token is issued. This revocation, similar to the privilege elevation, could take upto 4 hours.

Next steps