Local administrator settings - Entra

Marcos Correa 10 Reputation points
2025-05-21T19:06:36.7933333+00:00

Is there any Microsoft documentation that explains these settings within Entra? There is this article; however, it does not explain these preview items.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Moosa Khan 595 Reputation points Microsoft External Staff Moderator
    2025-05-22T01:09:13.33+00:00

    Hello Marcos,
    Two new settings have been introduced in the Microsoft Entra device settings portal, enhancing control over which users are added to the local administrators group during the Microsoft Entra registration phase when joining a device. These settings are:

    1. **Global Administrator Role as Local Administrator:** This setting determines whether the Microsoft Entra Global Administrator role is automatically added to the local administrators group when devices are joined to Microsoft Entra. Disabling this setting is recommended to adhere to the principle of least privilege.
    2. **Registering User as Local Administrator:** This setting controls whether the user who registers the device is automatically added to the local administrators group during the Microsoft Entra join process. Disabling this setting allows for more granular control over which users are granted local administrator privileges during device registration.

    By configuring these settings appropriately, organizations can better manage local administrator access and enhance security during the device enrolment process.

    This option requires Microsoft Entra ID P1 or P2 licenses.

    How to manage local administrators on Microsoft Entra joined devices - Microsoft Entra ID | Microsoft Learn


  2. Megan Truong 720 Reputation points Independent Advisor
    2025-05-23T03:22:25.04+00:00

    Hello @Marcos Correa

    Thank you for contacting the Q&A Forum. For your question, both Global Administrator Role as Local Administrator and Registering User as Local Administrator are covered in the link that you provided. It’s in the “How it works” part. You could learn more if you put your mouse on the information icon here:


    But if you need a more clarified explanation:

    • Global Administrator Role as Local Administrator

    Description: This setting determines whether the Microsoft Entra Global Administrator role is automatically added to the local administrators group when devices are joined to Microsoft Entra. Disabling this setting is recommended to adhere to the principle of least privilege. By default, the Global Administrator role is added to the local administrators group on a device when it is joined to Microsoft Entra ID.

    Purpose: This provides full device control to global admins, but disabling this setting is recommended to follow the principle of least privilege.

    • Registering User as Local Administrator

    Description: This setting controls whether the user who registers the device is automatically added to the local administrators group during the Microsoft Entra join process. Disabling this setting allows for more granular control over which users are granted local administrator privileges during device registration. The user who performs the Microsoft Entra join is automatically added to the local administrators group on the device.

    Control: This behavior can be disabled in the Device Settings section of the Entra admin center to prevent regular users from gaining admin rights.

    To learn more about these roles, kindly visit these links:

    Please let me know if you have any further questions. If I have answered your question, please accept this as answer as a token of appreciation and don't forget to give a thumbs up for "Was it helpful"!

    Best regards,

    Megan.
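
Added example, not part of either answer or of Microsoft's documentation: a PowerShell check to run on a Microsoft Entra joined device to see which principals the two settings discussed above have actually placed in the local Administrators group. It assumes Entra principals appear in the group as `S-1-12-1-...` SIDs whose four sub-authorities encode the directory object ID; the function names `Convert-EntraSidToObjectId` and `Get-LocalAdminAudit` are hypothetical.

```powershell
# Added example: audit local Administrators membership on an Entra joined device.
# Function names are hypothetical; run in an elevated Windows PowerShell session.

function Convert-EntraSidToObjectId {
    param([Parameter(Mandatory)][string]$Sid)
    # Assumption: Entra SIDs look like S-1-12-1-<a>-<b>-<c>-<d>, where the four
    # 32-bit values, written little-endian, form the 16 bytes of the object ID.
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') { return $null }
    $bytes = New-Object byte[] 16
    for ($i = 0; $i -lt 4; $i++) {
        [BitConverter]::GetBytes([uint32]$Matches[$i + 1]).CopyTo($bytes, 4 * $i)
    }
    return [guid]::new([byte[]]$bytes)
}

function Get-LocalAdminAudit {
    # Resolve the group by its well-known SID so localized names also work.
    $groupName = (Get-LocalGroup -SID 'S-1-5-32-544').Name
    $group = [ADSI]"WinNT://./$groupName,group"

    foreach ($member in $group.Invoke('Members')) {
        # Read the raw SID so members whose names cannot be resolved are still listed.
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        $objectId = Convert-EntraSidToObjectId -Sid $sid

        [pscustomobject]@{
            Sid           = $sid
            Source        = if ($objectId) { 'Microsoft Entra' } else { 'Local or AD' }
            EntraObjectId = $objectId   # look this up in the tenant (user, group or role)
        }
    }
}

Get-LocalAdminAudit | Format-Table -AutoSize
```

Devices that joined before a setting was disabled may still list the corresponding principal, so compare the output against what the current device settings would add.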

