AzureAD Joined Device: Do not automatically add Global Admin to LocalAdmin Groups
Whenever a Client Joins AzureAD, All Global Admins are automatically added as LocalAdmin on the Client joined AzuerAD. This is the default behavior of AzureAD Join – and cannot be altered currently.
From my Point of view Global Admins are similar sensitive for the AzureAD like Domain Admins are on-premises in ADDS. On-premises a lot of effort has been taken to separate Endpoint Admins from ADDS Admins -> PtH Mitigation and other security best practices. Now AzureAD mixes up highly privileged Identity (Global Admins) and Endpoint Admins.
Therefore we need a Switch in AzureAD to change AzureADs Default behavior and prevent Global Admins of being added to the LocalAdmins Group. Why not add another AzureAD Role for that? Or let AzureAD Admin choose a Group (not a List of Users like AzureAD Premium does) to be LocalAdmin on AzureAD Joined Devices.
Ralf Gomeringer commented
One comment to this idea would be to allow to also add a group, not singular users, as admins on endpoints. Had this question at a customer
Gary Henderson commented
Thanks for the feedback. We completely agree there should be more controls in how administrators are added to AAD joined devices. We have improvements in this area in our planning.