Azure AD Join Devices

Question

Azure AD Join Devices

Abdulhamid Elfsatwi 21

We have a branch located far from our main office. we need to join the devices to Azure Active directory. When the user takes the steps to join the device to Azure AD, he will become a member of the local administrator group.
According to company policy, the user cannot be a member of that group; only the helpdesk team is permitted to be a member of the local admin group.
What is the best solution to this problem?

Accepted answer

2 additional answers

Your answer

Answer 1

Manu Philip 20,206 MVP Volunteer Moderator

By default, Azure AD adds the user performing the Azure AD join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:

Windows Autopilot - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by creating an Autopilot profile.
Bulk enrollment - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after a device has been joined aren't added to the administrators group.

----------

--please don't forget to upvote and Accept as answer if the reply is helpful--

Abdulhamid Elfsatwi 21 Reputation points

2022-11-05T20:36:53.507+00:00

I appreciate your response and the link you offered. You asserted that the sole means of preventing common users from becoming local administrators is Autopilot.

Thank you,

Answer 2

Jason Sandys 31,406 Microsoft Employee Moderator

Another possible path is to use Intune to remove them from being a local admin: https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207

Abdulhamid Elfsatwi 21 Reputation points

2022-11-07T22:37:15.63+00:00

First of all, let me thank you for your response. Second, I need to learn more about this feature since my case is, I believe, a bit complicated.
Let's assume that all devices have already been enrolled by end users. Do you think this feature will let me replace them with a help desk team?
I must read more and gain more knowledge, however.
Again, thank you so much for your response.

Answer 3

Jason Sandys 31,406 Microsoft Employee Moderator

Do you think this feature will let me replace them with a help desk team?

I don't see why not.

Abdulhamid Elfsatwi 21 Reputation points

2022-11-08T17:16:45.617+00:00

Dear Sir
If you could provide me any docs or tutorials with complete explanations, I would be extremely thankful. This will present me with the chance to learn more.
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2022-11-08T17:29:51.517+00:00

The blog I linked to above is the best doc that I know of.
Abdulhamid Elfsatwi 21 Reputation points

2022-11-08T17:34:12.73+00:00

I appreciate it very much.

Share via

Azure AD Join Devices

2 additional answers

Your answer