Utilize AAD Security Groups for Device "Additional Local Administrators" support
Emulating the Intune Roles method with Assignments, Members and Scopes would be ideal. Also the ability to disable Global Admin access (limit to groups/scopes added).

We’re currently working on this capability and will provide an update when it’s done.
However, instead of expanding the “Additional Local administrators” setting, we will support adding AAD groups to Windows 10 local groups (e.g. Administrators, Remote Desktop Users) via MDM policy and elevate user privileges on logon. This will provide greater flexibility to assign different groups to different devices.
—
Ravi
9 comments
-
lol_microsoft commented
Nearly 2 years and nothing has changed. What is the point of these feedbacks really?
-
Michael Mardahl commented
Try this one on for size. It might just be good enough for now ...
https://www.iphase.dk/local-administrators-on-aad-joined-devices/
-
Michael Mardahl commented
Here is some relevant information that some might have missed:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin and here: http://www.scconfigmgr.com/2018/08/30/configure-restricted-groups-with-intune-policy-csp/
-
Michael Mardahl commented
If you want a user to be local admin on a machine, this can be accomplished through Intune PowerShell extensions quite easily, even with checks against an AAD group. Hit me up on Twitter if this is something I should blog about, and please specify some scenario that I should target. @michael_mardahl
-
Anonymous commented
Agreed, please resolve this issue
-
Anonymous commented
Agree with Martin... please add the ability to specify which groups of devices the users have admin rights on. Giving the users admin rights on all AAD joined devices in the tenant is not viable for us.
-
Bill Gates commented
yes, it is dumb to have to manually add each individual user to Azure local admins, let us use security groups please
-
Martin Wüthrich commented
and thus there are huge organizations, and they only want to have a reasonable number of admins per device:
Please make the group assignment more fine-grained, so that I can add only the Asia IT on the ASIA Devices. Maybe connect it with:
Administrative Units?
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administrative-units-management
-
Mark Rusbridge commented
Could we expand this to adding Azure AD groups to any local group on the device?