Hi @Vanier Francis,
Just like Jason said, we can definitely give local admin rights to a user or a group with Intune. It is also worth mentioning that there is a new Policy CSP (starting from Windows 10, version 20H2) to manage Local Users and Groups with Microsoft Intune: LocalUsersAndGroups. With this new setting, we are able to add members to the local Administrators group.
Note: Because of the character limit on comments, I am replying in an Answer.
Below I will show an example of how the setting can be used to manage the Administrators group of an AAD joined device. In the example below I use the group action U (update) to add a user account and a group to the local Administrators group without overwriting the existing members.
To add an Azure AD user account we can use the username, but we need to put AzureAD\ before the username, like "AzureAD******@m365x137916.onmicrosoft.com".
For adding Azure AD groups using this policy, we must use the group SID. The SID of an Azure AD group can be easily found using the Graph Explorer. Query the group using the Object ID of the group:
https://graph.microsoft.com/v1.0/groups/ObjectID. Note that you can find the Object ID of the group in the Azure portal.
Now it’s time to deploy the LocalUsersAndGroups policy to our devices using a Custom configuration profile with Microsoft Intune.
1. Sign in to the Endpoint Manager admin center > Devices > Configuration profiles > Create profile.
2. Add an OMA-URI:
   OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
   Value:
   <GroupConfiguration>
     <accessgroup desc = "Administrators">
       <group action = "U" />
       <add member = "AzureAD******@m365x137916.onmicrosoft.com"/>
       <add member = "S-1-12-1-3293915145-1237716286-3547282111-4250706607"/>
     </accessgroup>
   </GroupConfiguration>
3. Assign the profile to your group.
4. Click Save and Next to finish the deployment.
Hope it can help
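As an added example (not part of the answer above or Microsoft's own tooling), the following Python script builds the GroupConfiguration value for the LocalUsersAndGroups/Configure OMA-URI and checks each member before it goes into the profile: users must use the AzureAD\upn form and groups must be an S-1-12-1 SID. It goes one step beyond the answer by deriving the group SID directly from the group's Object ID, which is the same value Graph Explorer returns; the Object ID and UPN used here are constructed placeholders, and the helper names are my own.

```python
import re
import struct
import uuid
import xml.etree.ElementTree as ET

# Shapes the CSP accepts: an Azure AD user as AzureAD\upn, or a cloud group by its SID.
SID_RE = re.compile(r"^S-1-12-1(-\d+){4}$")
USER_RE = re.compile(r"^AzureAD\\[^\\@\s]+@[^\\@\s]+$")


def aad_group_sid(object_id: str) -> str:
    """Derive the S-1-12-1 SID of an Azure AD group from its Object ID (GUID).

    The four sub-authorities are the GUID's 16 bytes (in .NET Guid byte order)
    read as four little-endian 32-bit integers; this matches the
    securityIdentifier that Graph reports for the group.
    """
    words = struct.unpack("<IIII", uuid.UUID(object_id).bytes_le)
    return "S-1-12-1-" + "-".join(str(w) for w in words)


def is_valid_member(member: str) -> bool:
    """True when the member string is in a form the CSP will resolve."""
    return bool(SID_RE.match(member) or USER_RE.match(member))


def build_policy(members, action="U", group_desc="Administrators") -> str:
    """Return the <GroupConfiguration> XML to paste into the OMA-URI value.

    action "U" adds the listed members and keeps existing ones; "R" restricts
    the group to exactly the listed members, so anyone not listed is removed.
    """
    if action not in ("U", "R"):
        raise ValueError("group action must be U (update) or R (restrict)")
    root = ET.Element("GroupConfiguration")
    grp = ET.SubElement(root, "accessgroup", desc=group_desc)
    ET.SubElement(grp, "group", action=action)
    for m in members:
        if not is_valid_member(m):
            raise ValueError(f"member {m!r} is neither AzureAD\\upn nor an S-1-12-1 SID")
        ET.SubElement(grp, "add", member=m)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values, not real tenant data.
    group_sid = aad_group_sid("00000001-0002-0003-0405-060708090a0b")
    print(build_policy(["AzureAD\\admin@contoso.example", group_sid]))
```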