How to grant an Azure AD user with local admin rights


Have you encountered a scenario where an end user needs the Administrator role on their Windows 10 PC (an Azure AD joined device) to run some programs, but you don’t want to set up administrator rights on a specific device and want to be able to revoke them at any time? You can do that by assigning the “Azure AD joined device local administrator” role to the user. Below I’ll demonstrate how to do that step by step.

Note: before you start, make sure your Azure AD account has been granted the “Global Administrator” or “Device Administrator” role.

1. Log in to the Azure portal at https://portal.azure.com.

2. Go to Azure Active Directory.

3. From Azure Active Directory go to All users, then search for the desired user account.

4. Click the user account > click “Assigned roles” in the left side panel under “Manage”.

5. Click “Add assignments” > search for the keyword “local”; you should find the exact match, the “Azure AD joined device local administrator” role > click the “Add” button to assign it.

6. You should now see a message saying “Successfully added assignment” in the upper right corner.

7. If you don’t see the role assigned to the user, wait a couple of minutes for it to update. Usually it only takes 1-2 minutes, depending on your network conditions or tenant location. After 3-5 minutes you can click the “Refresh” button to see the assignment.

8. Once the role has been assigned, ask that user to sign out of their account and sign back in. You can have the user run PowerShell/cmd with administrator rights to test, or simply go to “User Accounts” to view the effective rights.
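The same assignment scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds one of the roles named in the note above, and uses a constructed placeholder UPN.

```powershell
# Added example (not from the original post): assign and verify the
# "Azure AD joined device local administrator" role via Microsoft Graph
# instead of the portal. $Upn is a constructed placeholder.
$Upn = 'user@example.com'

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' | Out-Null

# Resolve the role template. Match loosely on the display name because newer
# tenants show it as "Microsoft Entra Joined Device Local Administrator".
$template = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -like '*Joined Device Local Administrator' }
if (-not $template) { throw 'Role template not found in this tenant.' }

# A template only becomes an assignable directory role once it has been activated.
$role = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $template.Id }
if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $template.Id }

$user = Get-MgUser -UserId $Upn

function Test-RoleMembership {
    param([string]$RoleId, [string]$UserId)
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $RoleId -All
    return [bool]($members | Where-Object { $_.Id -eq $UserId })
}

if (Test-RoleMembership -RoleId $role.Id -UserId $user.Id) {
    Write-Host "$Upn already holds '$($role.DisplayName)'."
} else {
    # Equivalent of step 5: add the user as a member of the directory role.
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Assigned '$($role.DisplayName)' to $Upn."
}

# Equivalent of step 7: confirm the assignment is visible in the directory.
if (Test-RoleMembership -RoleId $role.Id -UserId $user.Id) {
    Write-Host 'Assignment confirmed. The user still has to sign out and back in on the device.'
}

# Revocation for when the rights are no longer needed (see the note at the end of the post):
# Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
```

Because the role is granted to the user rather than configured on a device, the same script (with the revocation line) removes the rights from every Azure AD joined device the user signs in to, subject to the token refresh delay described below.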

Note that, according to Microsoft, on a device where a user is already signed in, the privilege elevation takes place only when both of the following happen:

  • Up to 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges.
  • The user signs out and signs back in (not lock/unlock) to refresh their profile.

These two conditions do not apply to users who have not signed in to the relevant device previously; in that case the administrator privilege is applied immediately after their first sign-in to the device.

When you revoke the “Azure AD joined device local administrator” role from the user, they may still have local administrator privileges on that device as long as they remain signed in to it. The privilege is revoked during their next sign-in, when a new primary refresh token is issued. As with the privilege elevation, this could take up to 4 hours.

3 thoughts on “How to grant an Azure AD user with local admin rights”

  1. Not sure why my previous post isn’t showing, my question was:

    Would this work if the device was joined to Azure AD as a registered device instead of a joined device? Would I still be able to use the “Azure AD joined device local administrator” role?
