Solution for password rotation for standard user accounts from Intune MEM

Abdul Azeez 1 Reputation point
2022-10-14T12:42:45.28+00:00

Hi,
First of all, thank you for all the contributors supporting and helping.

We have a situation where all our users are not enrolled in Azure AD via Autopilot. Therefore, all the users who have joined Azure AD have admin privilege by default. Then we found a method of making the user account standard by deploying a custom URI script from Intune. Through this method, we were able to set up one Azure AD account as a privileged admin account, and users can use it when they need admin access.

But I'm sure that this will lead to a security risk: if an attacker gets access to that account, it means he can control the entire system. And if we are to deploy one admin account per user, then I will have to create more than 50 policies in MEM, and I don't think it's a feasible solution.

Is there any way of controlling admin account passwords using a password rotation method, or any workaround that we can use to control admin account passwords or manage standard user accounts? Looking for your best suggestions.

Thank you in advance


2 answers

  1. Crystal-MSFT 44,411 Reputation points Microsoft Vendor
    2022-10-17T05:37:15.68+00:00

    @Abdul Azeez, from your description, it seems you have added an Azure AD account to the local Administrators group to get local admin permission on the Azure AD joined devices, and you think it is not secure and want to control the Azure AD account which has local admin permission. If there's any misunderstanding, feel free to let us know.

    I notice you have run a script to make the enrolled user a standard user on the device. In general, the Intune Autopilot profile can set the user's account type to standard user for the enrolled user. Next time, you can set the profile and enroll with Autopilot to make it easy.
    https://learn.microsoft.com/en-us/mem/autopilot/profiles

    Meanwhile, the Azure AD account is managed by Azure AD. If you want to make the account secure, you can change the specific Azure AD account's password frequently. To do this, you can use "Reset password" as described in the following link:
    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-reset-password-azure-portal

    In addition, there are some policies that can control AAD user accounts and passwords in AAD. You can read the following to see if it can help you.
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

    As we are not familiar with AAD accounts and passwords, if you have more questions about them, to find the right support, you can open a new thread and add the "Azure-active-directory" tag to get more help.

    Thanks for your understanding.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Jason Sandys 31,181 Reputation points Microsoft Employee
    2022-10-17T21:41:08.343+00:00

    Sharing an admin account like this is clearly not a good idea -- I think you know that, so I'm just stating the obvious.

    The first thing to do here is define why exactly the users require local admin permissions at all. In general, users should never (or rarely) require this.

    Next, assuming that at least a few may actually have a legitimate reason, allowing them to create and use a separate local account that is a local admin is the best path today.

    Finally, last week at Ignite, we announced our Escalation Privilege Management solution that is targeted at this scenario exactly. Check out the various announcements from last week for more details. I know that doesn't help you today, but the solution's release isn't very far off to the best of my knowledge.

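Neither answer shows how to check which identities actually hold local admin rights on the affected devices. The script below is an added example written for this page (not code from the thread, from Intune or from Microsoft). It audits the local Administrators group on an Azure AD joined device: the built-in Administrator, the unresolved Azure AD role SIDs that the join adds, and an allow-listed per-device local admin account (the separate-account path Jason Sandys suggests; 'LocalAdmin' is a placeholder name) count as expected, while any Azure AD user account added to the group, which is the shared-account pattern Crystal-MSFT describes, is flagged. The exit-code convention for an Intune Proactive Remediations detection script and the -Remediate switch are assumptions of this example.

```powershell
<#
  Added example, not code from this thread, from Intune or from Microsoft.
  Audits the local Administrators group on an Azure AD joined Windows device and,
  only when -Remediate is passed, removes members that are not expected.
  Intended to run in the system context as an Intune Proactive Remediations
  detection script (exit 0 = compliant, exit 1 = unexpected admins found) or as
  a one-off check. The allow-list and the -Remediate switch are this example's
  own conventions; 'LocalAdmin' is a placeholder account name.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # default is report-only; nothing is changed without it
)

# Local accounts (besides the built-in Administrator) allowed to hold admin
# rights, e.g. a separate per-device local admin account. Placeholder value.
$AllowedLocalAccounts = @('LocalAdmin')

function Get-AdsiProperty($Object, $Property) {
    # Late-bound COM property read; WinNT member objects have no typed wrapper.
    $Object.GetType().InvokeMember($Property, 'GetProperty', $null, $Object, $null)
}

function Get-LocalAdminMembers {
    # ADSI rather than Get-LocalGroupMember: the cmdlet can throw on Azure AD
    # joined devices when a member SID cannot be resolved to a name.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $sid = $null
        try {
            $bytes = Get-AdsiProperty $m 'objectSid'
            $sid = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        } catch { }   # some entries expose no objectSid; classify by path instead
        [PSCustomObject]@{
            Name    = Get-AdsiProperty $m 'Name'
            AdsPath = Get-AdsiProperty $m 'AdsPath'   # e.g. WinNT://AzureAD/user@contoso.com
            Sid     = $sid
        }
    }
}

function Get-AdminFinding {
    # Returns $null for an expected member, otherwise a reason string.
    param([Parameter(Mandatory)] $Member)
    $localPrefix = "WinNT://$env:COMPUTERNAME/"
    if ($Member.Sid -like 'S-1-5-21-*-500') {
        return $null                                  # built-in Administrator (RID 500)
    }
    if ($Member.AdsPath -like 'WinNT://AzureAD/*') {
        return 'Azure AD user account holds local admin (shared-account pattern)'
    }
    if ($Member.AdsPath -like "$localPrefix*") {
        $name = $Member.AdsPath.Substring($localPrefix.Length)
        if ($AllowedLocalAccounts -contains $name) { return $null }
        return "Local account '$name' is not on the allow-list"
    }
    if ($Member.Name -like 'S-1-12-1-*') {
        return $null   # unresolved Azure AD role SID added at join time
    }
    return "Unrecognised principal '$($Member.AdsPath)'"
}

# Main: collect findings, optionally remediate, then report and set the exit code.
$findings = @()
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
foreach ($member in Get-LocalAdminMembers) {
    $reason = Get-AdminFinding -Member $member
    if (-not $reason) { continue }
    $findings += [PSCustomObject]@{ Member = $member.AdsPath; Reason = $reason }
    if ($Remediate) {
        $group.Remove($member.AdsPath)   # IADsGroup.Remove takes the member's ADsPath
        Write-Output "Removed $($member.AdsPath) from Administrators"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Compliant: only expected members in local Administrators'
    exit 0
}
foreach ($f in $findings) {
    Write-Output "Non-compliant: $($f.Member) - $($f.Reason)"
}
exit 1
```

Run it without -Remediate first and review the output across a pilot group, since an unexpected but legitimate member (a break-glass local account, for example) should be added to the allow-list rather than removed. Only once the report is clean should the remediation variant be assigned, and even then it is worth keeping the removal logged so that re-additions of a shared account show up as a pattern.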