How to manage the local administrators group on Azure AD joined devices

There is some ongoing confusion when customers try to follow the recommendations in the official documentation “How to manage the local administrators group on Azure AD joined devices”.

Administrators expect that a user account they have added to the Azure AD device administrator role (by enabling the “Additional local Administrators on Azure AD joined devices” option in the Azure AD portal and assigning users to it) will show up as a separate entry in the local Administrators Properties on the Azure AD joined device.

[Screenshot: Azure AD portal device settings (AADportalDeviceSettings)]

But all they see is something like this screenshot:

[Screenshot: local Administrators Properties on an Azure AD joined device (AADJlocalAdmin)]

Per the documentation mentioned above:

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:

  • The Azure AD global administrator role
  • The Azure AD device administrator role
  • The user performing the Azure AD join

So there is no separate entry for a user who was added to the Azure AD device administrator role, because that user gets the privilege through the role. As you can see in the screenshot of the local Administrators Properties, there is an entry for the user who performed the Azure AD join and two more SIDs: one for the Azure AD Global Administrator role, the other for the Azure AD device administrator role (keep in mind the SIDs differ for each tenant).

These SIDs are so-called cloud SIDs, not on-premises Active Directory SIDs. There is currently no way to query Azure AD for these values.

As a workaround you might want to try the following command to query the local Administrators group membership; it may show the members and their SIDs with the PrincipalSource listed as AzureAD (it worked for me in some environments and failed in others).

Get-LocalGroupMember -Group "Administrators"

Or, as the signed-in user, run the following after the AAD PRT has been refreshed:

whoami /groups

The user should be listed as a member of the “BUILTIN\Administrators” group.

You can also check the User Device Registration Admin log for the time of the Azure AD join to see the Event ID 242 entries stating that the Azure AD SIDs of the user performing the join, the Global Administrator role and the Device Administrator role were added to the local Administrators group.
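As an added example (not the post's own code), the following PowerShell combines the three checks above: it lists the local Administrators members with their PrincipalSource, falling back to the ADSI WinNT provider when Get-LocalGroupMember throws, tests whether the current token contains BUILTIN\Administrators (the whoami /groups check), and pulls the Event ID 242 entries. It assumes an elevated session on the Azure AD joined device; the S-1-12-1 prefix used in the fallback to classify cloud SIDs is my assumption, not something the post states.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell 5.1+
# session on a Windows 10/11 device that is Azure AD joined.

function Get-LocalAdminMembers {
    # Preferred path: Get-LocalGroupMember, as in the post. On some devices it throws
    # when a member SID cannot be resolved, so fall back to the ADSI WinNT provider.
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; SID = $_.SID.Value; PrincipalSource = "$($_.PrincipalSource)" }
        }
    } catch {
        $group = [ADSI]'WinNT://./Administrators,group'
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $raw  = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            $sid  = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
            $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
            # Assumption: Azure AD issues cloud SIDs under the S-1-12-1 authority.
            $src  = if ($sid -like 'S-1-12-1-*') { 'AzureAD' } else { 'Other' }
            [pscustomobject]@{ Name = $name; SID = $sid; PrincipalSource = $src }
        }
    }
}

function Test-CurrentUserIsLocalAdmin {
    # Equivalent of checking 'whoami /groups' for BUILTIN\Administrators: the well-known
    # SID S-1-5-32-544 appears in the token only after sign-out/sign-in with a refreshed PRT.
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return ($token.Groups.Value -contains 'S-1-5-32-544')
}

function Get-AadJoinAdminEvents {
    # Event ID 242 in the User Device Registration Admin log records the SIDs added
    # to the local Administrators group when the device was Azure AD joined.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Id      = 242
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Usage
Get-LocalAdminMembers | Format-Table -AutoSize
"Current user in BUILTIN\Administrators: $(Test-CurrentUserIsLocalAdmin)"
Get-AadJoinAdminEvents | Format-List
```

If the token check returns False for a user who is in the device administrator role, the PRT refresh and sign-out/sign-in described below have most likely not happened yet.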

Another important thing to highlight:

Updating the device administrator role doesn’t necessarily have an immediate impact on the affected users. On devices where a user is already signed in, the privilege update takes place only when both of the following happen:

  • 4 hours have passed, so that Azure AD issues a new Primary Refresh Token with the appropriate privileges.
  • The user signs out and signs back in (not lock/unlock) to refresh their profile.
