@mdmdmd3223
Thank you for the post!
After you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
- The Azure AD global administrator role
- The Azure AD device administrator role
- The user performing the Azure AD join
By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Currently, you cannot assign groups to an administrator role. Azure AD also adds the Azure AD device administrator role to the local administrators group to support the principle of least privilege (PoLP).
You can manually assign the role with an AzureAD Premium tenant.
I hope this helps, if you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.