Laptop admin accounts and M365

Holly Thacker 6 Reputation points
2021-08-20T14:12:41.46+00:00

Hello,

Really hoping someone can help provide some insight into how I can apply some higher security on our company hardware.

Currently, every user is admin of their own laptop, and can therefore make any changes they want to the hardware. We're looking to change this in the future however, I'm struggling to see how this can be done with synced M365 accounts. I've tested a laptop which has been setup with an M365 work account attached to it, and have then added a local account which I have made the admin account. When I download anything, it's not requiring the admin credentials to install.

I assume the reason is something to do with the fact that the main user account is a 365 account? Is there a way to restrict device access in AAD or Intune?

Any help will be much appreciated!

Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,476 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,848 questions
0 comments No comments
{count} vote

2 answers

Sort by: Most helpful
  1. Nick Hogarth 3,436 Reputation points
    2021-08-22T22:45:21.637+00:00

    If you use Autopilot with new devices, you can control if users are standard users or admin users. If the devices are enrolled in Intune, you can use the built-in Security Baselines and other device restrictions. https://learn.microsoft.com/en-us/mem/intune/protect/security-baselines

    1 person found this answer helpful.
    0 comments No comments

  2. Jason Sandys 31,181 Reputation points Microsoft Employee
    2021-08-23T18:07:50.44+00:00

    (+1) to @Nick Hogarth 's answer.

    If the devices are already provisioned, there is no direct path, but you can use a script to remove admin permissions from existing users and deploy that script using Intune. A quick search of the web will net you multiple examples of this.

    I've tested a laptop which has been setup with an M365 work account attached to it, and have then added a local account which I have made the admin account. When I download anything, it's not requiring the admin credentials to install.

    I don't understand this statement though. If the local account is an admin, it shouldn't be prompted for credentials. Why are you expecting a local admin to get prompted? Are you referring to a UAC elevation prompt? Also, are you sure whatever you are installing requires elevation? Software that installs in a per-iuser context does not require elevation.

    0 comments No comments