AzureAD join gives user Admin access - needs to be restricted
By default, AzureAD join gives the user Admin access. Can we restrict this? This is a huge security risk.
Thanks for the feedback; this is currently in development. We will be adding an option in Azure AD to control this.
Currently, this can be controlled via Windows Autopilot or bulk enrollment. Please see https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan#understand-your-provisioning-options for more details.
Eric Calcagno commented
Huge security risk for our organization as well. Does moving the user to a different group break Azure AD joined integration? I opened a case with MS and they confirmed our suspicions.
However, you are able to move the Azure identity to the local "Users" group and then remove it from the local Administrators group. Sync seems to continue to work but this has not been tested in production.
# Add the account to the local Users group first (run from an elevated PowerShell session; the built-in group is named "Users", not "User")
Add-LocalGroupMember -Group "Users" -Member "AzureDomain\AzureUser"
# Then remove the account from the local Administrators group
Remove-LocalGroupMember -Group "Administrators" -Member "AzureDomain\AzureUser"
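The two commands above handle one known account. An added example (not part of the original thread or of Microsoft's guidance) that audits the local Administrators group for any Azure AD user and demotes each one to Users, previewing with -WhatIf before applying; it assumes Azure AD accounts show up with the "AzureAD\" prefix and uses a placeholder exclusion list for accounts that must keep admin rights:

```powershell
# Added example: audit local Administrators on an Azure AD joined device and
# demote Azure AD user accounts to the local Users group.
# Run from an elevated PowerShell session. The LocalAccounts module reports
# Azure AD principals with the "AzureAD\" name prefix (assumption here).

# Placeholder: accounts that must keep local admin (e.g. a break-glass account)
$KeepAdmin = @('AzureAD\breakglass@example.com')

function Get-AzureAdLocalAdmins {
    # Only user principals sourced from Azure AD; groups and local users are skipped
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -like 'AzureAD\*' }
}

function Remove-AzureAdLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$WhatIf
    )
    # Make sure the account keeps a standard logon before it loses admin rights
    $inUsers = Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $Name }
    if (-not $inUsers) {
        Add-LocalGroupMember -Group 'Users' -Member $Name -WhatIf:$WhatIf
    }
    Remove-LocalGroupMember -Group 'Administrators' -Member $Name -WhatIf:$WhatIf
}

# Report first, then demote everything that is not on the keep list
$admins = @(Get-AzureAdLocalAdmins)
"Azure AD accounts in local Administrators: $($admins.Count)"
foreach ($a in $admins) {
    if ($KeepAdmin -contains $a.Name) {
        "Keeping $($a.Name) (on exclusion list)"
        continue
    }
    "Demoting $($a.Name)"
    Remove-AzureAdLocalAdmin -Name $a.Name -WhatIf   # drop -WhatIf to apply
}
```

Run it as a device-targeted script (for example through Intune) rather than as the user being demoted, and keep at least one excluded admin so the device stays manageable.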
Greg Scott commented
Agree - we would like to migrate to Azure AD but are holding back until we can stop office-based users being local Admins. I understand that this is for BYOD users, but we need a choice to change this for corporate devices.