How can we improve Azure Active Directory?

AzureAD join gives user Admin access - needs to be restricted

By default, AzureAD join gives the user Admin access. Can we restrict this? This is a huge security risk.

16 votes

Praneeth shared this idea

2 comments

  • Eric Calcagno commented

    Huge security risk for our organization as well. Does moving the user to a different group break Azure AD joined integration? I opened a case with MS and they confirmed our suspicions.

    However, you are able to move the Azure identity to the local "Users" group and then remove it from the local Administrators group. Sync seems to continue to work but this has not been tested in production.

    Add account to Users group (the built-in group is named "Users", not "User")
    Add-LocalGroupMember -Group "Users" -Member AzureDomain\AzureUser

    Remove account from Administrators group
    Remove-LocalGroupMember -Group "Administrators" -Member AzureDomain\AzureUser
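
    The two commands above, carried out in a safer order with membership checks and a verification step, as an added example that is not part of the commenter's post. It assumes PowerShell 5.1 or later with the built-in LocalAccounts cmdlets (Get-/Add-/Remove-LocalGroupMember), an elevated session, and uses the post's placeholder AzureDomain\AzureUser for the account name.

```powershell
# Added example (not from the original post): demote an Azure AD-joined user
# from the local Administrators group in an idempotent order and verify the result.
# Assumptions: Microsoft.PowerShell.LocalAccounts cmdlets are available (Windows 10+),
# the session is elevated, and 'AzureDomain\AzureUser' is a placeholder account name.
param(
    [Parameter(Mandatory)][string]$Account   # e.g. 'AzureDomain\AzureUser'
)

function Test-LocalGroupMembership {
    param([string]$Group, [string]$Member)
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -ieq $Member })
}

# 1. Make the account a standard user first, so it can still sign in
#    even if the removal step below fails part-way.
if (-not (Test-LocalGroupMembership -Group 'Users' -Member $Account)) {
    Add-LocalGroupMember -Group 'Users' -Member $Account
    Write-Output "Added $Account to Users"
}

# 2. Remove admin rights only if the account actually holds them.
if (Test-LocalGroupMembership -Group 'Administrators' -Member $Account) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $Account
    Write-Output "Removed $Account from Administrators"
}

# 3. Verify the end state: report any cloud identities still in Administrators.
#    PrincipalSource is 'AzureAD' for accounts that came from the Azure AD join.
$stillAdmin = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'AzureAD' } |
    Select-Object -ExpandProperty Name
if ($stillAdmin) {
    Write-Warning "Azure AD principals still in Administrators: $($stillAdmin -join ', ')"
} else {
    Write-Output "No Azure AD principals remain in Administrators"
}
```

    Run it as a script file with the account name as the single parameter; the final step doubles as a quick audit of the device once the change has been made.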

  • Greg Scott commented

    Agree - we would like to migrate to Azure AD but are holding back until we can stop office-based users being local Admins. I understand that this is for BYOD users, but we need a choice to change this for corporate devices.
