Thanks for the feedback; this is currently in development. We will be adding an option in Azure AD to control this.
Currently, this can be controlled via Windows Autopilot or Bulk enrollment. Please see https://docs.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan#understand-your-provisioning-options for more details.
/Ravi

Eric Calcagno commented
Huge security risk for our organization as well. Does moving the user to a different group break Azure AD joined integration? I opened a case with MS and they confirmed our suspicions.
However, you are able to move the Azure identity to the local "Users" group and then remove it from the local Administrators group. Sync seems to continue to work but this has not been tested in production.
Add account to Users group:
Add-LocalGroupMember -Group "Users" -Member AzureDomain\AzureUser

Remove account from Administrators group:
Remove-LocalGroupMember -Group "Administrators" -Member AzureDomain\AzureUser
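A fuller version of the two commands above, added here as an example and not taken from the thread: it finds Azure AD principals in the local Administrators group, moves them to Users, and then verifies that none remain. It assumes the built-in LocalAccounts cmdlets (Windows 10 / Server 2016 and later); the break-glass account name is a placeholder.

```powershell
# Added example (not from the thread): demote Azure AD-joined accounts that were
# auto-added to the local Administrators group, then verify the result.
# Assumes the LocalAccounts module shipped with Windows 10 / Server 2016+.
function Invoke-AzureAdAdminDemotion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Accounts to keep as administrators, e.g. a break-glass admin (placeholder name).
        [string[]]$Exclude = @()
    )

    # Azure AD principals appear as "AzureAD\user@tenant" with PrincipalSource = AzureAD.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'AzureAD' -and $_.Name -notin $Exclude })

    foreach ($acct in $admins) {
        if ($PSCmdlet.ShouldProcess($acct.Name, 'Move from Administrators to Users')) {
            # Add to Users first so the account keeps interactive sign-in rights.
            $inUsers = Get-LocalGroupMember -Group 'Users' -Member $acct.Name -ErrorAction SilentlyContinue
            if (-not $inUsers) {
                Add-LocalGroupMember -Group 'Users' -Member $acct.Name
            }
            Remove-LocalGroupMember -Group 'Administrators' -Member $acct.Name
        }
    }

    # Verification: report any Azure AD principal still left in Administrators.
    $remaining = @(Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'AzureAD' -and $_.Name -notin $Exclude })
    [pscustomobject]@{
        Demoted   = @($admins | ForEach-Object { $_.Name })
        Remaining = @($remaining | ForEach-Object { $_.Name })
    }
}

# Dry run first, then apply (placeholder account name):
# Invoke-AzureAdAdminDemotion -WhatIf
# Invoke-AzureAdAdminDemotion -Exclude 'AzureAD\breakglass@contoso.example'
```

Run it elevated; an empty Remaining list confirms the demotion took effect on that device.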