Recently I came across an issue which my customer was facing in granting local admin permissions to Azure AD joined machines after Autopilot. Due to the COVID19 situation most of the devices are sent to the user’s home so that they can launch the OOBE and complete the AAD join. Although, Autopilot helped in enabling the end users to be productive, it picked up an issue where the Field Services (local IT) teams were not able to have any admin permissions on those machines.
When you create an autopilot profile for OOBE, there is a setting “User’s account type” – Administrator or Standard user. The option you choose defines if the user joining the device becomes a local Administrator or a standard user. Most organizations will refrain from making all users as local administrators so by default the Standard option is chosen. Now the question arises as to how do we provide Admin access to the Field Services or Onsite support team for Azure AD joined devices that are deployed with user account type as standard ?
On the AAD device, if you look at local users and groups > Administrators, there will be an Administrator and few more account (SID’s) added there.
Azure AD adds the following security principles to the local administrators group on the device:
The Azure AD global administrator role
The Azure AD device administrator role
The user performing the Azure AD join
Since the Autopilot profile is configured with “standard” user account type, the user performing the Azure AD join will not be added to the administrators group. While you can add user to local admin group manually and using PowerShell the best way to do this is using the Azure AD Device Administrator role.
Device Administrator role
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
Sign in to your Azure portal as a global administrator.
Search for and select Azure Active Directory.
Click Devices.
On the Devices page, click Device settings.
Click Manage Additional local administrators on Azure AD joined devices (as shown below)
Note: The above option requires an Azure AD Premium tenant.
6. This will take you to the Device Administrator screen where you can add individual users or AAD groups (not AD groups) as local admins to all the AAD devices.
Adding an AAD group gives us the opportunity to add all members of Field Services team here. This option was not available earlier and Microsoft has now added this option recently.
Azure AD group for Device Admins
I would like to emphasize a bit on the creation of the AAD group here as its just not a normal security group but a group with an “isAssignableToRole=true” attribute. You cannot assign any AD synced group or a normal AAD group here. So when you create a group in AAD, remember to toggle the option “Azure AD roles can be assigned to the group (Preview)” as shown below and such a group can be used for Device Administrators role as well as managed via Privileged Identity Management (PIM).
Once the group is created, add all the required members to the group and assign it to the Device Administrator as mentioned above.
Important !!!
Enable Azure MFA (with code) for the users that you are adding into Device Administrators role.
Thats it!
Note: Device administrators are assigned to all Azure AD joined devices. You cannot scope device administrators to a specific set of devices. Updating the device administrator role doesn’t necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when both the below actions happen:1. Upto 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges. 2. User signs out and signs back in, not lock/unlock, to refresh their profile.
Adding an Azure AD group to Local Administrators using Custom Policy
As per the Microsoft documentation: Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
With the release of Windows 10 20H2, we get a new Policy CSP to manage Local Users and Groups with Microsoft Intune: LocalUsersAndGroups. With this new setting, we are able to add members to a local group, which was not possible with the old RestrictedGroups policy. We can define a group action with 2 options: Update or Restrict. Update will add new members and Restrict will replace group membership with what you mention. You can use a policy definition XML for group configuration (example below)
<GroupConfiguration>
<accessgroup desc = "">
<group action = ""/>
<add member = ""/>
<remove member = ""/>
</accessgroup>
</GroupConfiguration>
Where:
<accessgroup desc>: Specifies the name or SID of the local group to configure. If you specify a SID, the LookupAccountSid API is used to translate the SID to a valid group name. If you specify a name, the LookupAccountName API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing. <group action>: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R: <add member>: Specifies the SID or name of the member to configure. <remove member>: Specifies the SID or name of the member to remove from the specified group.
The above setting can be used on both Azure AD joined and Hybrid AAD joined devices. For adding or removing Azure AD groups using this policy, we must use the group SID.
The SID of an Azure AD group can be easily found using the Graph Explorer. Query the group using the Object ID of the Group: https://graph.microsoft.com/v1.0/groups/<ObjectID>
While we can use a PowerShell script as mentioned in the blog here (well written by Dakhama Mehdi), in below example I am going to use the OMA-URI method with the Group action U (update) to add a test user and a group to the local Administrators group without overwriting the existing members. We have to do this using a Custom configuration profile with Intune. So let`s create one.
Sign-in to the Endpoint Manager admin center
Browse to Devices – Windows
On the Configurations profiles tab click + Create profile
Choose Windows 10 and later as Platform
Choose Templates as Profile type
In the list choose Custom
Click Create
Give the configuration profile a Name
Enter a Description (optional)
Click Next
Click Add to add a new Row.
Enter below information to the Row where you can choose your own name and optionally can enter a description. Name: Local Administrators OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure Data Type: String Value:
<GroupConfiguration>
<accessgroup desc = "Administrators">
<group action = "U"/>
<add member = "AzureAD\testuser@company.com"/>
<add member = "S-1-12-1-3293531080-1078674397-111521436-3834162110"/>
<remove member = ""/>
</accessgroup>
</GroupConfiguration>
For adding Local Admins for Hybrid Join devices see the below XML sample Name: Local Administrators OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure Data Type: String Value:
<GroupConfiguration>
<accessgroup desc = "Administrators">
<group action = "U"/>
<add member = "solutionsit\testuser02"/>
<add member = "solutionsit\Device_Admins"/>
<remove member = "Peter"/>
</accessgroup>
</GroupConfiguration>
Click Save
Click Next and finish.
Assign the policy to the required groups with targeted devices.
Troubleshooting
Not able to see “Manage Additional Local Administrators…” option under Device Settings in Azure AD? This functionality is Premium functionality and only available in Azure AD tenants with at least one Azure AD Premium P1 and/or Azure AD Premium P2 subscription license (or a license suite that includes either of these licenses). In non-Premium Azure AD tenants, the Additional local administrators on Azure AD joined devices option is not available.
I hope this article solves your issues with local admins for AAD devices, if yes, please do comment. Thanks all!
#OOBE #workorschoolaccount #howtoaddalocaladminafterautopilot #otherusers #HowtoadduserstolocaladministratorsgrouponAzureADjoineddevices #autopilot #AddDeviceAdminsforAADjoineddevices #localadminsforazureadjoineddevices #ManageLocalUsersandGroupswithMicrosoftIntune #adduserstoadminonAADjoineddevices #AADonlydeviceadmins #AzureAD #useraccounttype #accounts