Laptop admin accounts and M365

Holly Thacker 6 Reputation points
2021-08-20T14:12:41.46+00:00

Hello,

Really hoping someone can help provide some insight into how I can apply some higher security on our company hardware.

Currently, every user is admin of their own laptop, and can therefore make any changes they want to the hardware. We're looking to change this in the future; however, I'm struggling to see how this can be done with synced M365 accounts. I've tested a laptop which has been set up with an M365 work account attached to it, and have then added a local account which I have made the admin account. When I download anything, it's not requiring the admin credentials to install.

I assume the reason is something to do with the fact that the main user account is a 365 account? Is there a way to restrict device access in AAD or Intune?

Any help will be much appreciated!


2 answers

  1. Nick Hogarth 3,436 Reputation points
    2021-08-22T22:45:21.637+00:00

    If you use Autopilot with new devices, you can control if users are standard users or admin users. If the devices are enrolled in Intune, you can use the built-in Security Baselines and other device restrictions. https://learn.microsoft.com/en-us/mem/intune/protect/security-baselines


  2. Jason Sandys 31,196 Reputation points Microsoft Employee
    2021-08-23T18:07:50.44+00:00

    (+1) to @Nick Hogarth's answer.

    If the devices are already provisioned, there is no direct path, but you can use a script to remove admin permissions from existing users and deploy that script using Intune. A quick search of the web will net you multiple examples of this.

    I've tested a laptop which has been set up with an M365 work account attached to it, and have then added a local account which I have made the admin account. When I download anything, it's not requiring the admin credentials to install.

    I don't understand this statement though. If the local account is an admin, it shouldn't be prompted for credentials. Why are you expecting a local admin to get prompted? Are you referring to a UAC elevation prompt? Also, are you sure whatever you are installing requires elevation? Software that installs in a per-user context does not require elevation.

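As an added example of the kind of script the answer above refers to (it is not the answerer's code nor a Microsoft-provided script): a PowerShell script intended for deployment through Intune, running in the SYSTEM context, that removes every member of the local Administrators group except an allow-list. The allow-list name `LocalAdmin` and the log path are placeholders, and the assumption that unresolvable SID entries in the group are the Entra ID role SIDs added at join time is the author's, so check the log on a pilot device first.

```powershell
# Added example: strip local admin rights from all but an allow-list.
# Deploy via Intune as a device-context (SYSTEM) PowerShell script.

# Accounts that keep membership (placeholder: a dedicated local admin).
$KeepNames = @('LocalAdmin')

# The built-in Administrator account (RID 500) is always kept.
$BuiltinAdminPattern = '^S-1-5-21-.*-500$'

# Intune surfaces only the exit code, so write a local log for review.
$log = Join-Path $env:ProgramData 'RemoveLocalAdmins.log'
function Write-Log($msg) { "$(Get-Date -Format s) $msg" | Add-Content -Path $log }

# The WinNT ADSI provider is used instead of Get-LocalGroupMember, which
# can fail on Entra-joined devices when a member SID cannot be resolved.
$group   = [ADSI]'WinNT://./Administrators,group'
$removed = 0

foreach ($m in @($group.Invoke('Members'))) {
    $adsPath  = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
    $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
    $name     = $adsPath.Split('/')[-1]   # e.g. "LocalAdmin", "user@contoso.com", or a raw SID

    # Keep: allow-listed names, the RID-500 account, and entries whose name is a
    # bare SID. Assumption: those unresolved entries are the Entra ID role SIDs
    # (Global Administrator / Device Administrator) placed there at join time.
    $keep = ($KeepNames -contains $name) -or
            ($sid -match $BuiltinAdminPattern) -or
            ($name -eq $sid)

    if ($keep) { Write-Log "KEEP   $adsPath ($sid)"; continue }

    try {
        $group.Remove($adsPath)
        Write-Log "REMOVE $adsPath ($sid)"
        $removed++
    } catch {
        Write-Log "ERROR  removing $adsPath : $_"
    }
}

Write-Log "done, removed $removed member(s)"
exit 0
```

Because the script removes the signed-in Entra user's admin rights too, the user is demoted to a standard account the next time they sign in, which is the point of the exercise; pair it with the Autopilot or Intune settings from the first answer so that newly provisioned devices never grant admin rights in the first place.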