Account Protection for domain user

Mayday 45 Reputation points
2023-03-28T09:21:07.3433333+00:00

Hello experts,

I have a pretty weird case about RBAC and Account Protection. I want to test some roles to see if I could install applications on Windows 10 laptops, so I assigned Local Admin, Application Admin and Intune Admin to a test account but I kept getting the error "need elevated permissions".

When I used Account Protection to grant access to the test account, I could add on-premises users as admins, but I couldn't use the Azure user account to specify a domain user.

I don't get how it works. Can you please explain?

Thank you.


1 answer

  Crystal-MSFT 48,156 Reputation points Microsoft Vendor
    2023-03-29T01:22:13.0433333+00:00

    @Mayday, Thanks for posting in Q&A. From your description, it seems you have a question about Azure AD roles and the account protection profile.

    In general, the local admin is an administrator on a local Windows device. It will have permission to install applications on this device. I notice you get the error "need elevated permission". It seems the app needs more permission. In this situation, you need to choose "Run as administrator" to elevate the permissions. If we need to deploy the app to a batch of devices, you can try to deploy it via Intune. Here are some app types we can deploy via Intune for your reference:

    https://learn.microsoft.com/en-us/mem/intune/apps/apps-add

    Meanwhile, for the Application Administrator role, it is a role that can create and manage all aspects of app registrations and enterprise apps. For Intune Administrator, it can manage all aspects of the Intune product in the Intune portal. Here is a link with more details:

    https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

    In addition, for the account protection profile, when we choose the user selection type "Users", it selects the users and user groups from your Azure AD. And it is only supported for Azure AD joined devices. For a domain user, we use "Manual" to configure. Here is a link with more details:

    Hope it can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
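To confirm on a device what an Account Protection profile (or a manual change) actually put into the local Administrators group, and whether the current session is really elevated, here is an added PowerShell check. It is example code, not from this thread or from Microsoft; it assumes the built-in Microsoft.PowerShell.LocalAccounts module on Windows 10/11, and the function names Get-LocalAdminSummary and Test-IsElevated are hypothetical.

```powershell
# Added example (not from the Q&A thread): list who is in the local Administrators
# group and where each principal comes from, then report whether this session is
# elevated. Assumes Windows 10/11 with the built-in LocalAccounts module.
function Get-LocalAdminSummary {
    [CmdletBinding()]
    param(
        [string]$GroupName = 'Administrators'
    )

    # PrincipalSource distinguishes Local, ActiveDirectory (on-prem domain),
    # AzureAD and MicrosoftAccount principals. Per the answer above, Azure AD users
    # arrive here via the "Users" selection on Azure AD joined devices, domain
    # users via "Manual"; this shows which of the two actually took effect.
    Get-LocalGroupMember -Group $GroupName |
        Select-Object Name, ObjectClass, PrincipalSource, SID |
        Sort-Object PrincipalSource, Name
}

function Test-IsElevated {
    # Group membership alone does not give an elevated token under UAC; a
    # "need elevated permissions" error means the running process has the
    # filtered (non-admin) token, even for a local administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$members = Get-LocalAdminSummary
$members | Format-Table -AutoSize

# One line per principal source, e.g. "ActiveDirectory  2 member(s)"
$members | Group-Object PrincipalSource | ForEach-Object {
    '{0,-16} {1} member(s)' -f $_.Name, $_.Count
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Session is not elevated: installers will still prompt even for a local admin.'
}
```

Run it once as the test user in a normal session and once via "Run as administrator"; an empty ActiveDirectory row after applying the profile means the domain user was not added, independent of any Azure AD role the account holds.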
