Emulating the Intune Roles method with Assignments, Members and Scopes would be ideal. Also the ability to disable Global Admin access (limit to groups/scopes added).
158 votes
We're currently working on this capability and will provide an update when it's done.
However, instead of expanding the "Additional Local administrators" setting, we will support adding AAD groups to Windows 10 local groups (e.g. Administrators, Remote Desktop Users) via MDM policy and elevate user privileges on logon. This will provide greater flexibility to assign different groups to different devices.
The user role User administrator is not able to remove users' registered device objects in Azure AD. I think that role should be granted that permission.
Or create an additional role that has the permission to remove device objects in Azure AD.
69 votes
Cloud Device Administrator is the new role that will provide this capability. This will be generally available in the coming months.
By default, Azure AD join gives the user admin access. Can we restrict this? This is a huge security risk.
27 votes
Thanks for the feedback, this is currently in development. We will be adding an option in Azure AD to control this.
Currently, this can be controlled via Windows Autopilot or Bulk enrollment. Please see https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan#understand-your-provisioning-options for more details.