Utilize AAD Security Groups for Device "Additional Local Administrators" support

Emulating the Intune Roles method with Assignments, Members and Scopes would be ideal. Also the ability to disable Global Admin access (limit to groups/scopes added).

162 votes

Jeremy McLaughlin shared this idea · October 17, 2017 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Product Manager, Microsoft Azure) responded · November 18, 2019

We’re currently working on this capability and will provide an update when it’s done.

However, instead of expanding the “Additional Local administrators” setting, we will support adding AAD groups to Windows 10 local groups (.e.g Administrators, Remote Desktop Users) via MDM policy and elevate user privileges on logon. This will provide greater flexibility to assign different groups to different devices

—
Ravi

Show previous admin responses (1)

13 comments

An error occurred while saving the comment

Anonymous commented · August 19, 2020 05:38 · Flag as inappropriate

still not working in 2004

Submitting...
Andrey Brenner commented · May 17, 2020 00:28 · Flag as inappropriate

Hi @Azure AD Team.

Any updated regarding this? Still not working in 2004

Submitting...
Peter commented · April 19, 2020 00:22 · Flag as inappropriate

Seems the functinality is added in Windows 10 2004 https://www.inthecloud247.com/add-an-azure-ad-group-to-the-local-administrators-group-with-microsoft-intune/

Submitting...
Jelle commented · February 13, 2020 09:53 · Flag as inappropriate

Is there an update available for this feature?

Submitting...
lol_microsoft commented · September 03, 2019 18:09 · Flag as inappropriate

Nearly 2 years and nothing has changed. What is the point of these feedbacks really?

Submitting...
Michael Mardahl commented · February 05, 2019 03:42 · Flag as inappropriate

Try this one on for size. It might just be good enough for now ...

https://www.iphase.dk/local-administrators-on-aad-joined-devices/

Submitting...
Michael Mardahl commented · January 22, 2019 22:35 · Flag as inappropriate

Here is some relevant information that some might have missed:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

and here: http://www.scconfigmgr.com/2018/08/30/configure-restricted-groups-with-intune-policy-csp/

Submitting...
Michael Mardahl commented · November 05, 2018 10:30 · Flag as inappropriate

If you want a user to be local admin on a machine, this can be accomplished through intune powershell extensions quite easily, even with checks agains an AAD group. Hit me up on twitter is this is something I should blog about, and please specify some scenario that I should target. @michael_mardahl

Submitting...
Anonymous commented · July 25, 2018 15:11 · Flag as inappropriate

Agreed, please resolve this issue

Submitting...
Anonymous commented · July 20, 2018 00:29 · Flag as inappropriate

Agree with Martin... please add the ability to specify which groups of devices the users have admin rights on. Giving the users admin rights on all AAD joined devices in the tenant is not viable for us.

Submitting...
Bill Gates commented · May 31, 2018 11:34 · Flag as inappropriate

yes, it is dumb to have to manually add each individual user to Azure local admins, let us use security groups please

Submitting...
Martin Wüthrich commented · April 27, 2018 01:42 · Flag as inappropriate

and thus there are huge organization, and they only want to have a reasonable amount of admin per device:
Please make the group assignment more finegrained, so that I can add only the Asia IT on the ASIA Devices. Maybe connect it with:
Administrative Units?
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administrative-units-management

Submitting...
Mark Rusbridge commented · April 23, 2018 17:50 · Flag as inappropriate

Could we expand this to adding Azure AD groups to any local group on the device?

Submitting...