How can I remove the user who performed the Microsoft Entra join from the device local administrators group via intune on all devices in my organisation?

William McDonald 0 Reputation points
2024-07-30T17:44:23.9733333+00:00

Originally, my organisation used user accounts to join devices to Entra, which gave all users admin rights on their machines. We are now looking to revoke these privileges. I have seen lots of information about removing the Device Administrator or Global Administrator groups but nothing for the user that joined the device. How can I remove these without having to manually reach each device? Is there an Intune solution?

Tags: Windows 11, Microsoft Entra ID

1 answer

  1. Neuvi Jiang 1,460 Reputation points Microsoft Vendor
    2024-08-01T08:15:10.4166667+00:00

    Hi William McDonald ,

    Thank you for posting in the Q&A Forums.

    When revoking administrator privileges for users who joined devices using Entra, if you wish to do so without manually accessing each device, you can indeed utilize the capabilities of Intune and Azure Active Directory (Azure AD) to achieve this goal. Here are some steps and recommendations to help you with this process:

    1. Evaluate the current configuration

    First, you need to understand the current device configuration and user permission settings. This includes which user accounts have been given administrator privileges and how these privileges are assigned through Entra and Intune.

    2. Use Intune Policies to Manage Permissions

    Intune provides a rich set of policy settings that can be used to control device permissions and behavior. You can restrict or revoke a user's administrator privileges by creating or modifying a device configuration policy.

    Create or Edit a Device Configuration Policy: In Intune, you can create a new device configuration policy or edit an existing policy to include restrictions on administrator privileges. This typically involves configuring local user and group settings to disable or remove administrator privileges for specific user accounts.

    Deploy the policy: deploy the created or modified device configuration policy to the target device group. This way, all devices belonging to the group will receive and apply the new permission settings.

    3. Leveraging Azure AD Group Policy

    If your organization uses Azure AD to manage users and devices, you can also leverage Azure AD's Group Policy feature to further control permissions.

    Create or modify security groups: In Azure AD, you can create new security groups or modify existing groups to include user accounts that need to have administrator privileges revoked.

    Assign roles and permissions: With Azure AD's role and permission management features, you can restrict the permissions of members of these security groups on the device. For example, you can remove these users from the global administrator role and assign them more limited roles.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

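The answer above describes the Intune route in general terms. As an added example that is not part of the original post or any Microsoft-supplied script, here is one concrete way to carry it out at scale: a PowerShell detection/remediation script for Intune (Devices > Scripts and remediations), run as SYSTEM on each Entra-joined device, that lists every member of the local Administrators group and strips the ones that are not on an allow-list. The user who performed the join is just another S-1-12-1 member from the device's point of view, so this removes them without anyone needing to know which account joined which machine. The parameter names ($KeepNames, $KeepSids, -Remediate) and the exit-code convention are this example's own assumptions; the script assumes Windows PowerShell 5.1 on Windows 11.

```powershell
<#
  Added example, not code from the original post or from Microsoft.
  Detection/remediation script for Intune, run as SYSTEM on Entra-joined devices:
  enumerates the local Administrators group and removes every member that is
  not explicitly allow-listed. Parameter names below are this example's own.
#>
param(
    # Members that must stay, by account name (add your LAPS-managed local admin here).
    [string[]] $KeepNames = @('Administrator'),
    # Members that must stay, by SID. The Entra role SIDs (Global Administrator and
    # Entra Joined Device Local Administrator) are tenant-specific S-1-12-1-... values;
    # copy them from a device with 'net localgroup Administrators' if you want to keep
    # them, or leave this empty to strip them as well.
    [string[]] $KeepSids = @(),
    # Without this switch the script only reports (use it as the detection script);
    # with it, the script removes members (use it as the remediation script).
    [switch] $Remediate
)

# Enumerate with ADSI rather than Get-LocalGroupMember: on Entra-joined devices the
# cmdlet can fail outright when the group holds SIDs that do not resolve locally.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.Invoke('Members'))

$toRemove = @()
foreach ($m in $members) {
    $name     = [string] $m.GetType().InvokeMember('Name',      'GetProperty', $null, $m, $null)
    $sidBytes = [byte[]] $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value

    # Entra principals (users and the role SIDs) use identifier authority S-1-12-1;
    # local accounts carry the machine SID S-1-5-21-...
    $source = if ($sid -like 'S-1-12-1-*') { 'Entra' } else { 'Local' }

    # The built-in Administrator (RID 500) is never removed, even if it is disabled,
    # so the script can never leave the device with no local administrator at all.
    $keep = ($sid -like '*-500') -or
            ($KeepNames -contains $name) -or
            ($KeepSids  -contains $sid)

    $status = if ($keep) { 'keep' } else { 'REMOVE' }
    Write-Output ('{0,-6} {1,-45} {2} {3}' -f $source, $name, $sid, $status)
    if (-not $keep) { $toRemove += $sid }
}

if ($toRemove.Count -eq 0) {
    Write-Output 'Compliant: only allow-listed members are local administrators.'
    exit 0
}

if (-not $Remediate) {
    # Detection mode: exit code 1 tells Intune the device is non-compliant and the
    # remediation script should run.
    exit 1
}

foreach ($sid in $toRemove) {
    # -Member accepts a SID string, so this works for Entra users and for SIDs that
    # do not resolve to a name on the device.
    Remove-LocalGroupMember -Group 'Administrators' -Member $sid -ErrorAction Stop
    Write-Output "Removed $sid from Administrators"
}
exit 0
```

Deploy the script once without -Remediate as the detection script and once with -Remediate as the remediation script, assigned to the device group in question. Two caveats a practitioner will want: the group membership change takes effect at the user's next sign-in, because the access token is built at logon, so a currently signed-in user keeps admin until they sign out; and test the allow-list on a pilot group first, since a wrong $KeepNames entry removes your break-glass local account along with the joining user. The same end state can also be set declaratively with Intune's built-in "Local user group membership" policy under Endpoint security > Account protection, which lets you replace the Administrators membership with a fixed list; the script is useful where you want the per-device report of who was removed.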
