This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
Hi,
I am working on adding administrators to Entra ID joined machines using the Microsoft Entra Joined Device Local Admin role. The administrators I have added are not working on the devices even after a PRT refresh.
Additionally it is my understanding that PRT are supposed to refresh every 4 hours on a device in constant use but they are refreshing every two weeks.
Not sure if there is some sort of sync issue on our end.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
@Juarez Administrator
Just checking to see if you had chance to look my ask. please do share additional information in comment section for further proceedings and let me know if you have any questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 57.00000000000001%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
To troubleshoot the Microsoft Entra Joined Device Local Admin role not working after a PRT refresh, ensure the assigned administrators are correctly configured, the device is still Entra joined, and that the PRT refresh process is completing successfully. Verify the PRT status, manage the local admin role through Device settings, and consider the impact of UAC on privilege elevation.
Hi
Thank you for your quick response. I have verified each of these considerations. The PRT status does show the updated time in which it was refreshed and is not throwing any errors.
I should add that on a newly enrolled device, the administrators are working but not on devices that were already enrolled.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 33%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJN%3C/text%3E%3C/svg%3E)
Hello,
Firstly, this is needed to figure out about type of account that you want to give local admin rights to, including:
Microsoft Entra ID accounts: this can be achieved by adding roles to the accounts or managing it on Microsoft Entra. More information about these type of accounts, please visit: https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin
Or, Local account: You can check further information here Local Accounts | Microsoft Learn
Secondly, after checking your Account, you can consider to check on the way adding Administrator:
If you adds Global admin to one of the Microsoft Entra Account after AADJ, it wont work. In addition to using the Microsoft Entra join process, you can also manually elevate a regular user to become a local administrator on one specific device. For more information, please visit: How to manage local administrators on Microsoft Entra joined devices - Microsoft Entra ID | Microsoft Learn
Regarding to PRT refresh issue, the refresh of PRT for 4 hours is the PRT issued by Cloud AP plugin. This type of PRT is issued during windows sign in and is not related to sync feature. You will needs to ensure id the connectivity to the Internet.
Additionally, there is a note applied for Android Platform, which is A PRT is valid for 90 days and is continuously renewed as long as the device is in use.
However, it's only valid for 14 days if the device isn't in use.
Further information you can check here: Understanding Primary Refresh Token (PRT) in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
If I have answered your question, please accept this as answer as a token of appreciation and don't forget to thumbs up for "Was it helpful"!
Best regards,
Hi @Juarez Administrator
may I know how you added administrators in Entra portal under Local administrator settings.
Have you selected the users using the option "Registering user is added as local administrator on the device during Microsoft Entra join"
Or
you have added the users under Manage Additional local administrators on all Microsoft Entra joined devices settings.
Post adding joining the device may I know what the issue is you have noticed.
have you check the administrator's profile is it shows Administrator as show in the below.
The other side about the PRT may I know where you noticed the PRT refresh time (4hrs)?
Once issued, a PRT is valid for 14 days and the CloudAP plugin renews the PRT every 4 hours during Windows sign in.
For more information, please read relevant document What is the lifetime of a PRT.
Also, please follow below troubleshoot guide No local administrator group privileges on Microsoft Entra joined device and see if the issue is fixed.
Hi @Juarez Administrator
Following up to see is my response was helpful. And, if you have any further query and questions, please do let us know