AzureAD joined devices - device administration

Liam Fermoyle 41 Reputation points
2023-01-19T09:26:06.11+00:00

Good day, I have been looking to see if there is a way to remove the "Device Administrator" role.

I log into the device with my work Microsoft account; naturally this will Azure AD join the device and assign my account as a "Device Administrator".

As a business we are currently doing the UK certification for Cyber Essentials. As part of that, everyday accounts should NOT be part of the administrators group, which in turn means that the Microsoft account can't be a "Device Administrator".

Is there any way we can remove that "Device Administrator" and prevent future accounts on Azure AD joined devices from having that role?

We have AzureAD Free, M365 and 5 intune licenses (which I will be using for testing).

I have created a local administrator account.


Accepted answer
  1. Daniel Bradley 1,066 Reputation points MVP
    2023-01-19T16:08:30.7266667+00:00

    Hi Liam,

    If the device is set to automatically enrol in Endpoint manager (which it likely will be) then you can configure account protection. Check out the options here > https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy

    No need then to go and install the Company Portal app if the device is enrolled in Intune.

    Let me know if this helps!

    Cheers

    Dan

    https://ourcloudnetwork.com

    1 person found this answer helpful.

1 additional answer

  1. Crystal-MSFT 51,051 Reputation points Microsoft Vendor
    2023-01-20T02:30:45.1166667+00:00

    @Liam Fermoyle, Thanks for posting in Q&A.

    In fact, when the device is configured for automatic enrollment and you go to Access work or school to do an Azure AD join, the device will be enrolled into Intune automatically, and the enrolled user will be added to the local Administrators group by default.

    To remove it, you can refer to the link in Daniel Bradley's reply to modify the local administrators membership to only keep the users you want.

    For devices enrolled in the future, you can choose Autopilot enrollment, which has the option to set the user's account type to standard user when configuring the Autopilot enrollment profile. For more details, you can read the following link:

    https://learn.microsoft.com/en-us/mem/autopilot/profiles

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
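Both answers come down to the same control: the enrolling user lands in the local Administrators group, and the membership of that group has to be brought back to only the accounts you intend (the built-in Administrator plus a dedicated local admin, as the question author created). Before pushing an Intune account protection policy, it is worth being able to see exactly what is in that group on a device and to remove the stragglers in a controlled way. The script below is an added example written for this thread; it is not code from the thread, from Microsoft, or from Intune. It assumes an elevated Windows PowerShell 5.1 session on the Azure AD joined device, and the allow-list entry `LocalAdmin-Placeholder` stands in for whatever your own local administrator account is called.

```powershell
# Added example (not from the thread): audit the local Administrators group on an
# Azure AD joined Windows device and report, optionally remove, members that are not
# on an allow-list. Report-only by default; -Remediate plus -WhatIf shows what would go.
# Assumption: run elevated in Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Constructed allow-list: built-in Administrator plus your own local admin account.
    # 'LocalAdmin-Placeholder' is a placeholder name, not a real account from the thread.
    [string[]] $AllowedMembers = @('Administrator', 'LocalAdmin-Placeholder'),
    # Without -Remediate the script only reports.
    [switch] $Remediate
)

function Get-AdminGroupMembers {
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Name            = $_.Name                 # e.g. HOST\user or AzureAD\user@tenant
                    PrincipalSource = [string] $_.PrincipalSource  # Local, AzureAD, MicrosoftAccount, ...
                    SID             = $_.SID.Value
                }
            }
    }
    catch {
        # Get-LocalGroupMember is known to fail on some Windows builds when the group
        # holds orphaned or cloud SIDs; fall back to parsing 'net localgroup' output.
        Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using net localgroup."
        $inList = $false
        foreach ($line in (net localgroup Administrators)) {
            if ($line -match '^-{5,}')              { $inList = $true; continue }
            if ($line -match 'The command completed') { break }
            if ($inList -and $line.Trim()) {
                [pscustomobject]@{ Name = $line.Trim(); PrincipalSource = 'Unknown'; SID = $null }
            }
        }
    }
}

$members = @(Get-AdminGroupMembers)
$kept = 0

foreach ($m in $members) {
    # Compare on the bare account name so 'HOST\Administrator' matches 'Administrator'.
    $short   = ($m.Name -split '\\')[-1]
    $allowed = $AllowedMembers -contains $short
    if ($allowed) { $kept++ }

    $status = if ($allowed) { 'ALLOWED' } else { 'UNEXPECTED' }
    Write-Output ('{0,-10} {1,-16} {2}' -f $status, $m.PrincipalSource, $m.Name)

    if (-not $allowed -and $Remediate -and
        $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
    }
}

# Guard against locking yourself out: never end with an empty allow-listed set.
if ($Remediate -and $kept -eq 0) {
    Write-Warning 'No allow-listed member present in Administrators; check the allow-list before remediating.'
}
```

Run it once without switches to get the report, then with `-Remediate -WhatIf` to preview the removals before committing. Entries whose `PrincipalSource` is `AzureAD` are the work accounts the question is about; once the Intune account protection policy (or an Autopilot profile with standard-user account type) is in place, the report should show only your allow-listed local accounts, which is also a handy artefact to keep for the Cyber Essentials evidence pack.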
