How to assign Admin access and remove any user from local admin group to Intune join devices

Hi

We want to achieve admin access for our SDM team on Intune joined devices. Currently we are enrolling devices using automatic enrollment without Autopilot, which makes the enrolling user become administrator of that device. To tackle this, we are using Account protection in Intune to replace the user or group with the group assigned to the SDM team. It is doing its job well and replacing the group with the defined one.
Is this enough to assign admin access to the SDM team, or do we need to assign the role Azure AD Joined Device Local Administrator to those groups too?
Just to inform, the admin account was created on premises and synced with Azure AD, as we have a hybrid environment too.

Microsoft Security Microsoft Entra Microsoft Entra ID
Microsoft Security Intune Other

2 answers

Rahul Jindal [MVP]
2023-02-22T19:03:38.7166667+00:00

The 2 SIDs, Azure GA and Azure Device local admin, already get added on Azure AD joined devices. What you are doing will add additional local admins, which should be enough. However, consider the ramifications of adding additional local admins. Maybe consider using PIM to add session controls.
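The answer above refers to the two Azure AD role SIDs that are already in the local Administrators group on an Azure AD joined device, plus whatever the Account protection policy adds. The script below is an added example for verifying that on a device; it is not code from either answer or from Microsoft. It maps local S-1-12-1-... SIDs back to Azure AD object IDs and compares the group's membership with an expected set. The SDM group object ID is a placeholder to replace with your own group's ID, the function names are my own, and the two role template IDs are the well-known Global Administrator and Azure AD Joined Device Local Administrator roles.

```powershell
# Added example (not from the thread): audit the local Administrators group on an
# Azure AD joined device and map each member back to an Azure AD object ID.
# Azure AD principals appear locally as SIDs of the form S-1-12-1-<a>-<b>-<c>-<d>,
# where a..d are the four little-endian UInt32 words of the object's GUID.

function ConvertTo-AzureAdSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $words = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $words, 0, 16)
    return 'S-1-12-1-' + ($words -join '-')
}

function ConvertFrom-AzureAdSid {
    # Inverse of ConvertTo-AzureAdSid; returns $null for SIDs that are not Azure AD SIDs.
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') { return $null }
    $words = [UInt32[]]@($Matches[1], $Matches[2], $Matches[3], $Matches[4])
    $bytes = New-Object 'byte[]' 16
    [Buffer]::BlockCopy($words, 0, $bytes, 0, 16)
    return [guid]::new($bytes)
}

function Get-LocalAdminMembers {
    # Get-LocalGroupMember can throw on Azure AD joined devices when a member SID no
    # longer resolves; fall back to the ADSI WinNT provider, which still returns the raw SID.
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{ Name = $_.Name; Sid = $_.SID.Value; Source = "$($_.PrincipalSource)" }
            }
    } catch {
        $group = [ADSI]'WinNT://./Administrators,group'
        foreach ($m in $group.psbase.Invoke('Members')) {
            $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
            $raw  = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            $sid  = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
            [pscustomobject]@{ Name = $name; Sid = $sid; Source = 'ADSI' }
        }
    }
}

# Expected Azure AD object IDs. The SDM group ID is a PLACEHOLDER: replace it with the
# object ID of the group you assign in the Account protection policy.
$expected = @{
    'SDM team group (placeholder)'               = '00000000-0000-0000-0000-000000000000'
    'Global Administrator role'                  = '62e90394-69f5-4237-9190-012177145e10'
    'Azure AD Joined Device Local Administrator' = '9f06204d-73c1-4d4c-880a-6edb90606fd8'
}

function Test-LocalAdminMembership {
    param([hashtable]$Expected = $expected)
    # Build a lookup from local SID -> friendly label for everything we expect to see.
    $expectedSids = @{}
    foreach ($entry in $Expected.GetEnumerator()) {
        $expectedSids[(ConvertTo-AzureAdSid $entry.Value)] = $entry.Key
    }
    foreach ($member in Get-LocalAdminMembers) {
        $status = if ($expectedSids.ContainsKey($member.Sid)) { 'expected' }
                  elseif ($member.Sid -like 'S-1-12-1-*')    { 'UNEXPECTED Azure AD principal' }
                  elseif ($member.Sid -like 'S-1-5-21-*-500') { 'built-in Administrator' }
                  else                                        { 'local/domain account - review' }
        [pscustomobject]@{
            Name     = $member.Name
            Sid      = $member.Sid
            ObjectId = ConvertFrom-AzureAdSid $member.Sid   # $null for non-Azure AD SIDs
            Label    = $expectedSids[$member.Sid]
            Status   = $status
        }
    }
}

Test-LocalAdminMembership | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on an enrolled device after the Account protection policy has applied. Every row whose Status is not "expected" is a principal the policy did not put there and worth reviewing; an unexpected S-1-12-1 entry decodes to an object ID you can look up in Entra ID. Note that assigning the Azure AD Joined Device Local Administrator role to a user only takes effect for that user at their next sign-in, so the role does not show up as a new group member; the role SID itself is already present.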
Crystal-MSFT (Microsoft External Staff)
2023-02-27T05:08:30.4066667+00:00

@Ritesh Sharma. Thanks for posting in Q&A.
For the Azure AD Joined Device Local Administrator role, any user with the role permissions will have local admin access on the Azure AD joined devices in the environment. In general, when the privileged user logs in to the Azure AD joined computer, a few security principals get added to the computer. They are the Azure AD Global Administrator and Device Local Administrator roles and the user performing the Azure AD join. If you want the SDM team to be local admin on all Azure AD joined devices, you can assign this role.
For other scenarios, we can use the Account protection policy to update the local Administrators group.
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy
For licensing, if the user needs to deploy Intune policy, please assign an Intune license to the user.
Hope it can help.