How can we improve Azure Active Directory?

AzureAD Joined Device: Do not automatically add Global Admin to LocalAdmin Groups

Whenever a client joins AzureAD, all Global Admins are automatically added as LocalAdmins on the client that joined AzureAD. This is the default behavior of AzureAD Join, and it cannot currently be altered.
From my point of view, Global Admins are as sensitive for AzureAD as Domain Admins are on-premises in ADDS. On-premises, a lot of effort has been taken to separate Endpoint Admins from ADDS Admins (PtH mitigation and other security best practices). Now AzureAD mixes up a highly privileged identity (Global Admins) with Endpoint Admins.
Therefore we need a switch in AzureAD to change AzureAD's default behavior and prevent Global Admins from being added to the LocalAdmins group. Why not add another AzureAD role for that? Or let the AzureAD admin choose a group (not a list of users, as AzureAD Premium does) to be LocalAdmin on AzureAD joined devices.

35 votes
Pirmin Felber shared this idea
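The behavior described in the idea above can be checked on any Azure AD joined device. The following PowerShell script is an added example, not code from the UserVoice post or from Microsoft: it enumerates the local Administrators group and flags the members that are Azure AD principals. It assumes an elevated PowerShell session on the device itself, that Azure AD users and roles appear with SIDs under the S-1-12-1 identifier authority, and that the Global Administrator role SID is derived from the well-known role template ID 62e90394-69f5-4237-9190-012177145e10 in the same way Azure AD object IDs are converted to SIDs; the function names and the derivation of that role SID are assumptions to confirm against the SIDs the script actually lists on your own tenant.

```powershell
# Added example (not part of the UserVoice post): audit who holds local
# Administrators on an Azure AD joined device and flag Azure AD principals.
# Assumptions: run elevated on the device itself; Azure AD users and roles
# carry SIDs under the S-1-12-1 identifier authority; the Global Administrator
# role SID is derived from role template ID 62e90394-69f5-4237-9190-012177145e10
# (confirm by comparing with the SIDs the script enumerates on your tenant).

# Convert an Azure AD object/role template GUID to its S-1-12-1 SID:
# the 16 GUID bytes become four little-endian 32-bit sub-authorities.
function ConvertTo-AzureAdSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $subAuthorities = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    return 'S-1-12-1-' + ($subAuthorities -join '-')
}

# Enumerate local Administrators through the ADSI WinNT provider rather than
# Get-LocalGroupMember, which can fail on Azure AD joined devices when a
# member SID cannot be resolved to a name.
function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        $type    = $member.GetType()
        $rawSid  = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid     = (New-Object System.Security.Principal.SecurityIdentifier($rawSid, 0)).Value
        $name    = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $adsPath = $type.InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)

        [PSCustomObject]@{
            Name      = $name
            Sid       = $sid
            AdsPath   = $adsPath
            # Azure AD users and directory roles are identified by S-1-12-1-* SIDs
            IsAzureAD = $sid -like 'S-1-12-1-*'
        }
    }
}

# Assumption: the Global Administrator role template ID maps to the role's local SID
$globalAdminRoleSid = ConvertTo-AzureAdSid -ObjectId '62e90394-69f5-4237-9190-012177145e10'

$members = Get-LocalAdminMember
$members | Sort-Object IsAzureAD -Descending | Format-Table Name, Sid, IsAzureAD -AutoSize

if ($members.Sid -contains $globalAdminRoleSid) {
    Write-Warning "Global Administrator role SID $globalAdminRoleSid is a member of local Administrators on $env:COMPUTERNAME"
}
```

Any S-1-12-1 entry that is not the user who performed the join is a role or user granted local admin by Azure AD rather than by a local administrator; comparing that list across devices shows whether tenant-wide roles, and not only the device's own users, are holding local Administrators.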

2 comments

  • Ralf Gomeringer commented

    One comment on this idea would be to also allow adding a group, not single users, as admins on endpoints. Had this question at a customer.

  • Gary Henderson commented

    Thanks for the feedback. We completely agree there should be more controls in how administrators are added to AAD joined devices. We have improvements in this area in our planning.
