Azure AD role assigned to user not reflected on Azure AD joined client machine

Daniyal Raza 21 Reputation points

Hello All,

I have an Azure AD joined laptop on which I log in with a normal user with no administrative rights. But now I want to manage user rights from the Azure AD portal using Privileged Identity Management.
I then assigned the role "Azure AD joined device local administrator" to the normal user so he can do administrative tasks on his local machine. I assigned this role with a time-bound limit so his role will expire after the end time I specified in the role assignment settings.

But these settings don't reflect on the user's end, and the user doesn't get access to perform administrative tasks within the specified time limit.

I have gone through multiple forums and seen a lot of videos regarding this.

Need help

Thanks in Advance


Tags: Microsoft Entra, Microsoft Entra ID

Accepted answer
  1. Jason Sandys 31,186 Reputation points Microsoft Employee

    Using PIM in Azure to control local admin permissions is not supported. It does more or less work; however, it's tied to the PRT refresh cycle, which is every 4 hours, so it is also more or less unpredictable and of limited (at best) value.

    1 person found this answer helpful.
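The accepted answer ties the behaviour to the PRT refresh cycle. As an added example (not from this thread and not Microsoft's code), the PowerShell below checks on the device the three things that have to line up before the PIM assignment shows up as local admin: the PRT state and last refresh time from `dsregcmd /status`, which SIDs sit in the local Administrators group, and whether the current logon token already carries one of them. Assumptions, labelled in the code: the `dsregcmd` field names `AzureAdPrt` and `AzureAdPrtUpdateTime`, the 4-hour interval quoted in the answer (used only to estimate the next refresh), and that directory roles appear in the group as unresolvable `S-1-12-1-*` SIDs.

```powershell
# Added example, not from the thread or from Microsoft. Run in a normal (non-elevated)
# PowerShell session on the Azure AD joined device, as the user who got the PIM assignment.
# Assumptions: dsregcmd field names AzureAdPrt / AzureAdPrtUpdateTime; the 4-hour refresh
# figure from the accepted answer; directory roles listed in Administrators as S-1-12-1-* SIDs.

$prtRefreshHours = 4   # figure quoted in the accepted answer, not a documented constant

function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

# 1. PRT state from dsregcmd /status ("SSO State" section)
$status     = dsregcmd /status
$joined     = Get-DsregField $status 'AzureAdJoined'
$prtPresent = Get-DsregField $status 'AzureAdPrt'
$prtUpdated = Get-DsregField $status 'AzureAdPrtUpdateTime'
"AzureAdJoined        : $joined"
"AzureAdPrt           : $prtPresent"
"AzureAdPrtUpdateTime : $prtUpdated"

if ($prtUpdated) {
    try {
        # dsregcmd prints e.g. "2021-09-16 08:56:12.000 UTC"
        $raw  = $prtUpdated -replace '\s*UTC$', ''
        $last = [datetime]::SpecifyKind(
                    [datetime]::ParseExact($raw, 'yyyy-MM-dd HH:mm:ss.fff', $null),
                    [DateTimeKind]::Utc)
        $next = $last.AddHours($prtRefreshHours)
        "Last PRT refresh     : {0:u}" -f $last
        "Next refresh (~{0}h) : {1:u}   (now {2:u})" -f $prtRefreshHours, $next, [datetime]::UtcNow
    } catch {
        Write-Warning "Could not parse AzureAdPrtUpdateTime '$prtUpdated'"
    }
}

# 2. Local Administrators group: the directory role is a member by SID, not by name
$roleSids = @()
try {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
               ForEach-Object { $_.SID.Value }
} catch {
    # Some builds throw when the group holds SIDs that cannot be resolved; fall back to net.exe
    $members = (net localgroup Administrators) | ForEach-Object { $_.Trim() } |
               Where-Object { $_ -match '^S-1-' }
}
"Administrators group members:"
foreach ($m in $members) {
    $kind = if ($m -match '^S-1-12-1-') { $roleSids += $m; 'Entra role or group (unresolved SID)' }
            else { 'local or resolved principal' }
    "  {0,-50} {1}" -f $m, $kind
}

# 3. Current logon token: is a role SID (and therefore BUILTIN\Administrators) already in it?
#    WindowsIdentity.Groups includes deny-only entries, so this works in a UAC-filtered token.
$id            = [Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids     = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$roleInToken   = @($roleSids | Where-Object { $tokenSids -contains $_ })
$adminsInToken = $tokenSids -contains 'S-1-5-32-544'   # BUILTIN\Administrators

if ($roleSids.Count -eq 0) {
    "No Entra role/group SIDs found in local Administrators on this device."
} elseif ($roleInToken.Count -gt 0 -and $adminsInToken) {
    "Role SID $($roleInToken -join ', ') is in the current token: the PIM activation has reached this device."
} else {
    "Role SID is in the group but not in this token: wait for the next PRT refresh, then sign out and back in (re-check with whoami /groups)."
}
```

Run it non-elevated, because the point is to see what the user's own token contains. The group membership in a Windows token is fixed when the session is created, so even after the PRT has picked up the activation the user has to sign out and back in; the same lag applies in the other direction when a time-bound assignment expires, which is the unpredictability the answer refers to.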

2 additional answers

  1. 2021-09-16T08:56:12.43+00:00

    Hi Jason, thanks

    I believe Microsoft is pretty laid-back on this. Why have a policy in there when it is of no use? Advertising it as JIT (Just-in-Time) access and then ditching the users, saying it's something unpredictable. No disrespect, but I don't see any logic behind this.

  2. Jason Sandys 31,186 Reputation points Microsoft Employee

    "Again, why would one thing be advertised with Local Device Administrator Policies"

    Not sure what you mean here. Nothing is "advertised" by Microsoft concerning this because we know it's not supported due to the issue I called out.

    As far as why it's possible, it's because it works for the intended purpose: PIM for access to Azure admin functionality. The fact that it may have other effects is an unintended by-product, and we can't explicitly turn it off for this one use case, as that would break its actual intended purpose. This is reality.
