Sunday, 14 May 2023

Managing local admins on Azure AD Joined devices

We've been able to do this for quite some time: individual users could always be added as local administrators on Azure AD joined devices. More recently this has become a lot easier, because we can now use Azure AD groups to manage it. With Azure AD Premium P1 or P2, you can create a role-assignable group and assign the Device Administrators role (now listed as "Azure AD Joined Device Local Administrator") to the group. Note that this role applies to every Azure AD joined device in the tenant, not to a subset of devices, so treat membership of the group as privileged.

There are some additional considerations. Firstly, you can only configure a group to be role-assignable when you create the group. You cannot change this afterwards.


I've created a group called "Local admins test 1". See the setting "Azure roles can be assigned to the group"; I've toggled this to Yes.


We're told that we cannot change this setting after the group is created.


Next I've created a group called "Local admins test 2". This time I didn't select that Azure roles can be assigned to the group.


You can see that this setting cannot be turned off after the group has been created.


It can't be turned on either.


Now when I add an assignment to the Device Administrators role, only "Local admins test 1" is available for selection.

Note that you must be a Privileged Role Administrator or Global Administrator to create the group in the first place.


If you are not, the "Azure roles can be assigned to the group" option is not available (you can't even see it).

Finally, this option is only supported for Assigned groups.


Just for kicks I've selected Dynamic User.


However, it automatically changes to Assigned and is greyed out once I toggle the option to Yes.
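The same procedure from the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It creates the role-assignable group, assigns the built-in local administrator role to it, adds a member, and then demonstrates the two constraints described above: the role-assignable flag cannot be changed after creation, and a dynamic group cannot be made role-assignable. The group names, the member UPN and the tenant are assumptions; the role is located by its built-in template ID (9f06204d-73c1-4d4c-880a-6edb90606fd8), which is stable across the role's renames, so verify it with Get-MgRoleManagementDirectoryRoleDefinition if your tenant shows something different. You need the Privileged Role Administrator or Global Administrator role to run this, exactly as in the portal.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
# Scopes: creating groups and assigning directory roles.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Create the role-assignable group. IsAssignableToRole can ONLY be set here, at creation time.
#    A role-assignable group must be a security group and an Assigned (non-dynamic) group.
$group = New-MgGroup -DisplayName "Local admins test 1" `
                     -MailNickname "localadminstest1" `
                     -MailEnabled:$false `
                     -SecurityEnabled `
                     -IsAssignableToRole

# 2. Find the built-in role by template ID. Its display name has changed over time
#    ("Device Administrators" -> "Azure AD Joined Device Local Administrator"), the ID has not.
$templateId = "9f06204d-73c1-4d4c-880a-6edb90606fd8"   # assumed to be the built-in template ID; verify in your tenant
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -All |
           Where-Object { $_.TemplateId -eq $templateId }
if (-not $roleDef) { throw "Role template $templateId not found; check the template ID." }

# 3. Assign the role to the group at tenant scope ("/"). Every member of the group becomes
#    a local administrator on every Azure AD joined device in the tenant.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
                                            -PrincipalId $group.Id `
                                            -DirectoryScopeId "/"

# 4. Add a member. The new right is delivered in the user's token, so it applies after
#    the user next signs in to a device.
$user = Get-MgUser -UserId "helpdesk.user@contoso.example"   # assumed UPN
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# 5. Constraint one: the role-assignable flag cannot be toggled after creation.
try {
    Update-MgGroup -GroupId $group.Id -IsAssignableToRole:$false -ErrorAction Stop
    Write-Warning "Unexpected: IsAssignableToRole was changed after creation."
} catch {
    Write-Host "As expected, IsAssignableToRole is immutable after creation: $($_.Exception.Message)"
}

# 6. Constraint two: a dynamic membership group cannot be role-assignable.
try {
    New-MgGroup -DisplayName "Local admins test 2 (dynamic)" `
                -MailNickname "localadminstest2" `
                -MailEnabled:$false `
                -SecurityEnabled `
                -IsAssignableToRole `
                -GroupTypes @("DynamicMembership") `
                -MembershipRule '(user.department -eq "IT")' `
                -MembershipRuleProcessingState "On" `
                -ErrorAction Stop
    Write-Warning "Unexpected: a dynamic role-assignable group was created."
} catch {
    Write-Host "As expected, dynamic groups cannot be role-assignable: $($_.Exception.Message)"
}

# 7. Audit: list who currently holds the role through groups or direct assignment.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
    ForEach-Object { Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId } |
    Select-Object Id, @{n="Type";e={$_.AdditionalProperties["@odata.type"]}},
                      @{n="Name";e={$_.AdditionalProperties["displayName"]}}
```

Step 7 is the check worth running periodically: because the assignment is tenant-wide, anyone who can add members to this group (group owners included) can grant local admin on every joined device, so keep ownership of role-assignable groups as tightly controlled as the role itself.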

I hope this helps. Until next time.......