![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 42%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
25,161 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 96%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFA%3C/text%3E%3C/svg%3E)
Thanks for reaching out to Microsoft Q&A.
Microsoft Entra Joined Device Local Administrators are assigned to all Microsoft Entra joined devices. You can't scope this role to a specific set of devices
You can manage the Microsoft Entra Joined Device Local Administrator role from Device settings.
- Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
- Browse to Identity > Devices > All devices > Device settings.
- Select Manage Additional local administrators on all Microsoft Entra joined devices.
- Select Add assignments then choose the other administrators you want to add and select Add.
To modify the Microsoft Entra Joined Device Local Administrator role, configure Additional local administrators on all Microsoft Entra joined devices.
Additionally, you can also remove users using Intune or another MDM solution or locally using the command prompt:
- If your tenant users are synchronized from on-premises Active Directory, use
net localgroup administrators /delete "Contoso\username". - If your tenant users are created in Microsoft Entra ID, use
net localgroup administrators /delete "AzureAD\UserUpn
Thanks,
Fabio