{"id":1615,"date":"2025-10-26T21:38:26","date_gmt":"2025-10-26T21:38:26","guid":{"rendered":"https:\/\/www.ultrexstaff.com\/?p=1615"},"modified":"2025-10-26T21:38:28","modified_gmt":"2025-10-26T21:38:28","slug":"enrolling-devices-in-entra-with-local-admin-privileges","status":"publish","type":"post","link":"https:\/\/www.ultrexstaff.com\/?p=1615","title":{"rendered":"Enrolling Devices in Entra with Local Admin Privileges"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\"><strong>Enrolling Devices in Entra with Local Admin Privileges<\/strong><\/h1>\n\n\n\n<p><strong><u>Important Considerations&nbsp;<\/u><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security<\/strong><strong>: Ensure that only trusted users are added to the local\u00a0administrators\u00a0group to\u00a0maintain\u00a0device security.<\/strong><strong>\u00a0<\/strong><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit<\/strong><strong>: Regularly audit the membership of the local\u00a0administrators\u00a0group to ensure compliance with your organization\u2019s policies.<\/strong><strong>\u00a0<\/strong><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Documentation: Keep documentation of all changes made to user privileges for accountability and troubleshooting purposes.<\/strong><br>Common things that need to be configured in Entra for device admin privileges:\n<ol class=\"wp-block-list\">\n<li>You can specify if global admins are allowed to be local device admins AT ENROLLMENT ONLY.<br><\/li>\n\n\n\n<li>You can and should specify if permitted Entra users are added as local admin AT ENROLLMENT ONLY. 
Add selected users.<br><\/li>\n\n\n\n<li>You can and should also add those same users from the previous step to the next line &#8211; &#8220;Manage Additional local administrators on all Microsoft Entra joined devices.&#8221; That&#8217;s the key one to achieve the goal of key users having device admin privileges whether or not they have been signed into the device already.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n\n\n\n<p><strong><u>Entra Admin:<\/u><\/strong><\/p>\n\n\n\n<p>To enroll a user as a local device admin&nbsp;<strong>upon device enrollment&nbsp;<\/strong>in Microsoft Entra (formerly Azure AD), follow these steps:<\/p>\n\n\n\n<p>1.&nbsp;&nbsp;&nbsp;&nbsp;<strong>Sign in to the Microsoft Entra Admin Center<\/strong>:<\/p>\n\n\n\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;Go to the Microsoft Entra Admin Center.<\/p>\n\n\n\n<p>b.&nbsp;&nbsp;&nbsp;&nbsp;Sign in with an account that has at least the Privileged Role Administrator role.<\/p>\n\n\n\n<p>2.&nbsp;&nbsp;&nbsp;&nbsp;<strong>Navigate to Device Settings<\/strong>:<\/p>\n\n\n\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;In the left-hand menu, select&nbsp;<strong>Identity<\/strong>&nbsp;<strong>&gt;&nbsp;<\/strong><strong>Devices<\/strong>&nbsp;<strong>&gt;&nbsp;<\/strong><strong>All devices &gt;<\/strong>&nbsp;<strong>Device settings<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ticketingitemsstoreeu.blob.core.windows.net\/emailinlineimages\/a83cb31c-7581-4f6e-8500-2f85504188ec_id_35_638840007095335168.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>3.&nbsp;&nbsp;&nbsp;&nbsp;<strong>Manage Additional Local Administrators<\/strong>:<\/p>\n\n\n\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;Under&nbsp;<strong>Manage Additional local administrators on all Microsoft Entra joined devices<\/strong>, click&nbsp;<strong>Add assignments<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/ticketingitemsstoreeu.blob.core.windows.net\/emailinlineimages\/d2e408f8-d940-456b-afdb-266c288a12e7_id_35_638840007106487030.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>b.&nbsp;&nbsp;&nbsp;&nbsp;Select the users or groups you want to add as local administrators and click&nbsp;<strong>Add<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ticketingitemsstoreeu.blob.core.windows.net\/emailinlineimages\/fc1be09f-b902-47ea-a2a0-9647ac8b9321_id_35_638840007109007713.png\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ticketingitemsstoreeu.blob.core.windows.net\/emailinlineimages\/42d3f1fd-ec89-4a06-8b9a-bf4f5d57d7da_id_35_638840007110570353.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>c. Tests that verified this (based on CFM #3292)<\/p>\n\n\n\n<p>&nbsp; &nbsp; I enrolled the laptop with an admin user (we&#8217;ll call this Admin 1; we&#8217;ll use ours for this often).<\/p>\n\n\n\n<p>&nbsp; &nbsp; Signed into the laptop as a separate profile from Admin user with another account (Admin 2), which also had full admin permissions on the device according to Entra.<\/p>\n\n\n\n<p>&nbsp; &nbsp; Signed into Non-Admin 1&#8217;s account which is NOT permitted admin rights over any PC, and could not perform admin level tasks.<\/p>\n\n\n\n<p>&nbsp; &nbsp; From Non-Admin 1&#8217;s profile, tried installing a program and permitted installation using Admin 2&#8217;s authority successfully.<\/p>\n\n\n\n<p>&nbsp; &nbsp;This one&#8217;s the kicker &#8211; without having signed into the PC with Admin 3&#8217;s account, but having given it local admin permissions for all devices through Entra as above without being a full Microsoft Global Admin like Ultrex&#8217;s user, I was able to permit removal of that same program from Non-Admin 1&#8217;s profile successfully.<\/p>\n\n\n\n<p>4.&nbsp;&nbsp;&nbsp;&nbsp;<strong>Use Intune for More Granular 
Control<\/strong>:<\/p>\n\n\n\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;If you need more granular control, you can use Intune to manage local admin rights.<\/p>\n\n\n\n<p>b.&nbsp;&nbsp;&nbsp;&nbsp;Sign in to the Intune Admin Center.<\/p>\n\n\n\n<p>c.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Go to&nbsp;<strong>Endpoint Security<\/strong>&nbsp;&gt;&nbsp;<strong>Account protection<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/ticketingitemsstoreeu.blob.core.windows.net\/emailinlineimages\/8ebc57d8-a1fa-47ff-8f51-72317830b2c2_id_35_638840034515619239.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>d.&nbsp;&nbsp;&nbsp;&nbsp;Click&nbsp;<strong>Create Policy<\/strong>&nbsp;and select&nbsp;<strong>Platform: Windows 10 and later<\/strong>&nbsp;and&nbsp;<strong>Profile: Local user group membership<\/strong>.<\/p>\n\n\n\n<p>e.&nbsp;&nbsp;&nbsp;&nbsp;Configure the policy to add the desired users or groups to the local administrators group.<\/p>\n\n\n\n<p>5.&nbsp;&nbsp;&nbsp;&nbsp;<strong>Assign the Policy<\/strong>:<\/p>\n\n\n\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;Assign the policy to the relevant devices or user groups.<\/p>\n\n\n\n<p><strong><u>Important Notes for Assigning Policies:<\/u><\/strong><\/p>\n\n\n\n<p>In Microsoft Intune, policies are assigned to groups rather than directly to individual users or devices.&nbsp;However, you can achieve per-user or per-device targeting by creating a group that contains only the specific user or device you wish to target.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83c\udfaf Assigning a Policy to a Single User or Device<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Create a Group for the User or Device<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>For a User<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Navigate to the Microsoft Entra admin center.<\/li>\n\n\n\n<li>Go to\u00a0<strong>Groups<\/strong>\u00a0>\u00a0<strong>New group<\/strong>.<\/li>\n\n\n\n<li>Choose\u00a0<strong>Security<\/strong>\u00a0as 
the group type.<\/li>\n\n\n\n<li>Provide a name (e.g., &#8220;Single User Group&#8221;) and description.<\/li>\n\n\n\n<li>Add the specific user to this group.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>For a Device<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Similarly, create a new security group.<\/li>\n\n\n\n<li>Add the specific device to this group.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Assign the Policy to the Group<\/strong>:\n<ul class=\"wp-block-list\">\n<li>In the Intune admin center, navigate to the policy you wish to assign.<\/li>\n\n\n\n<li>Go to the\u00a0<strong>Assignments<\/strong>\u00a0section and click &#8220;<strong>Edit<\/strong>&#8220;.<\/li>\n\n\n\n<li>Under\u00a0<strong>Included groups<\/strong>, add the group you created.<\/li>\n\n\n\n<li>Save the changes.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>By creating a group with only the desired user or device, the policy effectively targets just that entity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d Additional Considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>User vs. 
Device Groups<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Assign policies to\u00a0<strong>user groups<\/strong>\u00a0when settings should follow the user across multiple devices.<\/li>\n\n\n\n<li>Assign to\u00a0<strong>device groups<\/strong>\u00a0when settings should apply regardless of who is using the device.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Using Filters<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Filters allow for more granular targeting within groups.\u00a0For example, you can apply a policy only to devices with a specific OS version or tag. <a href=\"https:\/\/learn.microsoft.com\/ja-jp\/mem\/intune\/protect\/endpoint-security-policy?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Learn<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Policy Sets<\/strong>:\n<ul class=\"wp-block-list\">\n<li>For deploying multiple policies and applications together, consider creating a\u00a0<strong>Policy Set<\/strong>.\u00a0This groups various configurations into a single assignment for streamlined deployment.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Command Line<\/strong><\/p>\n\n\n\n<p><strong><u>Check Users currently listed in the local admin group<\/u><\/strong><\/p>\n\n\n\n<p><strong>Steps:&nbsp;<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Open Command Prompt as Administrator:\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Right-click on the Start menu and select \u201cCommand Prompt (Admin)\u201d or \u201cWindows PowerShell (Admin)\u201d.\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Run the Command:\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Enter the following command:<\/strong><\/li>\n<\/ol>\n\n\n\n<pre 
class=\"wp-block-preformatted\"><strong>net localgroup administrators<\/strong><\/pre>\n\n\n\n<p><strong><u>Remove&nbsp;AzureAD&nbsp;User from Admin Group<\/u><\/strong><\/p>\n\n\n\n<p><strong>Steps:&nbsp;<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Open Command Prompt as Administrator:\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Right-click on the Start menu and select \u201cCommand Prompt (Admin)\u201d or \u201cWindows PowerShell (Admin)\u201d.\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Run the Command:\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Enter the following command, replacing\u00a0user@domain.com\u00a0with the actual email address of the\u00a0AzureAD\u00a0user:\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>net localgroup administrators \/delete \"AzureAD\\user@domain.com\"<\/strong><\/pre>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Restart the Device:\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Restart the device to apply the changes.\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<p><strong><u>Add&nbsp;AzureAD&nbsp;User to Admin Group Through Command Line&nbsp;<\/u><\/strong><\/p>\n\n\n\n<p><strong>Steps:&nbsp;<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Open Command Prompt as Administrator:\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Right-click on the Start menu and select \u201cCommand Prompt (Admin)\u201d or \u201cWindows PowerShell (Admin)\u201d.\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Run the Command:\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"1\" 
class=\"wp-block-list\">\n<li><strong>Enter the following command, replacing\u00a0user@domain.com\u00a0with the actual email address of the\u00a0AzureAD\u00a0user:\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>net localgroup administrators \/add \"AzureAD\\user@domain.com\"<\/strong><\/pre>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Restart the Device:\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Restart the device to apply the changes.\u00a0<\/strong><\/li>\n<\/ol>\n\n\n\n<p><strong>Graphical Interface:<\/strong><\/p>\n\n\n\n<p>To remove an Azure AD user from the local administrators group on a Windows machine, follow these steps:<\/p>\n\n\n\n<p>1.&nbsp;&nbsp;&nbsp;&nbsp;<strong>Open Computer Management<\/strong>:<\/p>\n\n\n\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;Press&nbsp;Windows + X&nbsp;and select&nbsp;<strong>Computer Management<\/strong>.<\/p>\n\n\n\n<p>b.&nbsp;&nbsp;&nbsp;&nbsp;Alternatively, you can press&nbsp;Windows + R, type&nbsp;compmgmt.msc, and press Enter.<\/p>\n\n\n\n<p>2.&nbsp;&nbsp;&nbsp;&nbsp;<strong>Navigate to Local Users and Groups<\/strong>:<\/p>\n\n\n\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;In the Computer Management window, expand&nbsp;<strong>Local Users and Groups<\/strong>.<\/p>\n\n\n\n<p>b.&nbsp;&nbsp;&nbsp;&nbsp;Click on&nbsp;<strong>Groups<\/strong>.<\/p>\n\n\n\n<p>3.&nbsp;&nbsp;&nbsp;&nbsp;<strong>Open Administrators Group<\/strong>:<\/p>\n\n\n\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;Double-click on&nbsp;<strong>Administrators<\/strong>&nbsp;to open the group properties.<\/p>\n\n\n\n<p>4.&nbsp;&nbsp;&nbsp;&nbsp;<strong>Remove the Azure AD User<\/strong>:<\/p>\n\n\n\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;In the Administrators Properties window, you will see a list of members.<\/p>\n\n\n\n<p>b.&nbsp;&nbsp;&nbsp;&nbsp;Select the Azure AD user you want to remove and 
click&nbsp;<strong>Remove<\/strong>.<\/p>\n\n\n\n<p>c.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Confirm the removal if prompted.<\/p>\n\n\n\n<p>5.&nbsp;&nbsp;&nbsp;&nbsp;<strong>Restart the Computer<\/strong>&nbsp;(if necessary):<\/p>\n\n\n\n<p>a.&nbsp;&nbsp;&nbsp;&nbsp;Some changes might require a restart to take effect.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enrolling Devices in Entra with Local Admin Privileges Important Considerations&nbsp; Entra Admin: To enroll a user as a local device admin&nbsp;upon device enrollment&nbsp;in Microsoft Entra (formerly Azure AD), follow these steps: 1.&nbsp;&nbsp;&nbsp;&nbsp;Sign in to the Microsoft Entra Admin Center: a.&nbsp;&nbsp;&nbsp;&nbsp;Go to the Microsoft Entra Admin Center. b.&nbsp;&nbsp;&nbsp;&nbsp;Sign in with an account that has at least [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[116],"tags":[],"class_list":["post-1615","post","type-post","status-publish","format-standard","hentry","category-intune-and-entra","post-preview"],"_links":{"self":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/1615","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1615"}],"version-history":[{"count":1,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/1615\/revisions"}],"predecessor-version":[{"id":1616,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/1615\/revisions\/1616"}],"wp:attachment":[{"href
":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}