Azure - Device Administrator Assignments not working

mdmdmd3223 1 Reputation point
2020-10-21T09:22:55.587+00:00

Hi,
I have assigned a user to be the global device administrator. I have enrolled a Windows 10 device with Intune, but the account I gave rights to does not have admin rights when I log in with that account.


6 answers

  1. JamesTran-MSFT 36,596 Reputation points Microsoft Employee
    2020-10-21T21:13:59.93+00:00

    @mdmdmd3223
    Thank you for the post!

    After you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:

    • The Azure AD global administrator role
    • The Azure AD device administrator role
    • The user performing the Azure AD join

    By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Currently, you cannot assign groups to an administrator role. Azure AD also adds the Azure AD device administrator role to the local administrators group to support the principle of least privilege (PoLP).

    You can manually assign the role with an AzureAD Premium tenant.

    I hope this helps, if you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.
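
Added example, not part of the thread and not Microsoft's code: a PowerShell check, run elevated on the joined device, that lists which of the principals named in the answer above are actually present in the local Administrators group. The object IDs are placeholders to be replaced with values from your own tenant, the function names are hypothetical, and the English group name `Administrators` is assumed.

```powershell
# Assumption: replace the placeholder GUIDs with object IDs from your tenant
# (the two directory roles and, if relevant, the user who performed the join).
$ExpectedObjectIds = [ordered]@{
    'Global administrator role (placeholder)' = '00000000-0000-0000-0000-000000000001'
    'Device administrator role (placeholder)' = '00000000-0000-0000-0000-000000000002'
}

function Convert-ObjectIdToSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    # Azure AD principals appear locally as S-1-12-1-<a>-<b>-<c>-<d>, where a..d
    # are the 16 bytes of the object ID read as four unsigned 32-bit integers.
    $parts = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($ObjectId.ToByteArray(), 0, $parts, 0, 16)
    'S-1-12-1-' + ($parts -join '-')
}

function Get-LocalAdminSid {
    # ADSI returns the raw SID of every member, including cloud principals
    # that have no resolvable local or domain name.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($member in $group.Invoke('Members')) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0).Value
    }
}

$present  = @(Get-LocalAdminSid)
$expected = @{}
foreach ($entry in $ExpectedObjectIds.GetEnumerator()) {
    $expected[(Convert-ObjectIdToSid -ObjectId $entry.Value)] = $entry.Key
}

# One row per expected principal: is its SID in the local Administrators group?
$report = foreach ($sid in $expected.Keys) {
    [pscustomobject]@{
        Principal             = $expected[$sid]
        Sid                   = $sid
        InLocalAdministrators = $present -contains $sid
    }
}
$report | Format-Table -AutoSize

# Azure AD SIDs in the group that were not expected; review each one.
$unexpected = $present | Where-Object { $_ -like 'S-1-12-1-*' -and -not $expected.ContainsKey($_) }
if ($unexpected) { 'Unexpected Azure AD SIDs:'; $unexpected }
```

A `False` in the `InLocalAdministrators` column means the role's SID is not in the local group on that device.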

  2. Jason Sandys 31,286 Reputation points Microsoft Employee
    2020-10-23T19:05:27.273+00:00

    Just some supplemental info that may (or may not) address the concerns or issue (real or perceived) here: https://www.jeffgilb.com/managing-local-administrators-with-azure-ad-and-intune/

    1 person found this answer helpful.

  3. mdmdmd3223 1 Reputation point
    2020-10-22T06:11:33.767+00:00

    Hi,
    Thanks for the reply. So I have assigned a user to be a device administrator through Azure AD, Devices, Device Settings. But this user, when I log into the device, does not have admin rights. Screenshot of the assigned user attached.

    We are using Autopilot and have chosen not to give the user enrolling the device administrative rights. But if we do an Azure join without Autopilot, the user who enrols the device does get admin rights.

    Every time we enrol a device using Autopilot, the user assigned in the attached screenshot does not have admin rights.
    34193-screenshot-2020-10-21-at-115741.png


  4. mdmdmd3223 1 Reputation point
    2020-10-23T06:35:53.917+00:00

    The assigned device admin doesn't get assigned during Azure AD join either. Only via that method does the user who enrols the device get admin rights. We are currently trialing this, which is due to expire soon, so if we can't get this working we will need to write Azure off as a solution that matches our needs, as assigning these administrative rights centrally is an essential criterion. To give you an idea of the amount of business this is, we are 5000+ devices globally looking for Azure and 365!

    Thanks for your help


  5. mdmdmd3223 1 Reputation point
    2020-10-23T19:09:43.267+00:00

    Yes, I am aware of this, but this didn't actually work either, and being an evaluation for the moment, assigning admins the other way will do the trick and will probably be what we want for the early stage should we choose Azure. But we won't be able to select Azure if this doesn't work.
