Azure PIM and Device Administrator privilege for bulk enrolled Intune Windows 10 devices

Question

  • Hello,

    I am verifying the functionality to elevate local admin rights on a timed basis on Intune MDM Windows 10 devices by using Azure PIM and the Device Administrator role. According to the MS documentation, this is supposed to be the right way to do it.

    However, when end-user activates the Device Administrator role in Azure portal, nothing changes on user's local PC. The user still has no local admin rights. Even the manual synchronization in Company Portal does not help, Intune device sync in Azure portal too. Multiple re-logins or PC reboots do not help. After 30 min - still nothing.

    Azure AD has Azure AD Premium P2 (trial version though). 

    Windows 10 (Pro - 1709) device had been enrolled successfully using WCD provisioning package and is fully compliant. Other Intune policies and apps are synchronized and delivered to the device successfully!!!

    Please advise, what am I missing here!

    Thanks,

    Elmars

    Friday, March 23, 2018 10:58 AM

Answers

  • Hi all!

    My PIM case is closed with Microsoft. Currently this is expected behavior: there is no defined time constraint on when the activated privileged role is synced between Azure AD and the end-user device/O365. It can take up to 24 hours for a role to become active. My recent tests also confirm this. So, if you want to have a temporary admin role assignment (<24h), then this is not going to work.

    MS is aware of this and is working to deliver a fix some time within 6 months at minimum.


    • Marked as answer by Elmars Bergs Wednesday, May 2, 2018 11:36 AM
    Wednesday, May 2, 2018 11:36 AM

All replies

  • Using Azure Privileged Identity Management (PIM) with the Device Administrator role, the end-user activates the Device Administrator role in the Azure portal for local administrator rights. Make sure the customer has enabled the feature below to select the users who are granted local administrator rights on a device; this option is available only with Azure AD Premium or the EMS suite. Please find the link below for further reference.
    Additional local administrators on Azure AD joined devices -  You can select the users that are granted local administrator rights on a device. Users added here are added to the Device Administrators role in Azure AD. Global administrators in Azure AD and device owners are granted local administrator rights by default. This option is a premium edition capability available through products such as Azure AD Premium or the Enterprise Mobility Suite (EMS).
    • Proposed as answer by vijisankar Friday, March 23, 2018 4:11 PM
    Friday, March 23, 2018 4:11 PM
  • This configuration option "Additional local administrators on Azure AD joined devices" does not have any effect either.

    Azure AD is Premium P2

    the test user has both valid "Azure Active Directory Premium P2" and "Enterprise Mobility + Security E3" licenses assigned.

    Just thinking out loud here, could this issue be related to the time-zone settings between AAD and the end-user MDM device? Asking because, one time this actually worked, after waiting 2+ hours. But I cannot reproduce this anymore.



    Monday, March 26, 2018 6:38 AM
  • The time-zone settings might be one of the reasons for the issue. You can also check the below:
    The Device Administrator role on AAD-joined PCs should populate like the attached image:

    Anything added to the Device Administrator role populates one of those groups in AAD. If a user is a member of that group they should be a local admin. Azure AD allows defining local administrators at the device level; however, this is a global setting. If it needs to be handled at the device level, you still need to log in from an account which already has local administrator rights and then add additional users.
    The issue might also be with the time-zone settings.

    Reference: www.rebeladmin.com/2017/12/step-step-guide-add-additional-local-administrators-azure-ad-joined-devices/
    Tuesday, March 27, 2018 6:14 PM
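An added diagnostic for the behaviour discussed in this reply and in the question: the script is not from the thread or from Microsoft, and it assumes an Azure AD joined Windows 10 device with the built-in dsregcmd and whoami tools. It compares the Azure AD SIDs in the local Administrators group with the SIDs in the signed-in user's token, which is what decides whether an activated role has actually become effective on the device.

```powershell
# Added diagnostic (not from the thread or Microsoft): has an activated Azure AD role
# reached this device as local admin rights? Assumes an Azure AD joined Windows 10 device.

# 1. Confirm the join state; only Azure AD *joined* devices map directory roles to local admins.
$m = dsregcmd /status | Select-String 'AzureAdJoined\s*:\s*(\w+)'
$join = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
Write-Host "AzureAdJoined: $join"

# 2. Enumerate the local Administrators group via ADSI. Get-LocalGroupMember is avoided
#    because it can fail when a member SID cannot be resolved, which is exactly the case
#    for Azure AD role SIDs on a joined device.
$group  = [ADSI]'WinNT://./Administrators,group'
$admins = @($group.Invoke('Members')) | ForEach-Object {
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    $name  = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    # S-1-12-1-* is the Azure AD SID authority: users or directory roles such as
    # Global Administrator and Device Administrators, as opposed to local accounts.
    $kind  = if ($sid -like 'S-1-12-1-*') { 'AzureAD' } else { 'Local/Other' }
    [pscustomobject]@{ Name = $name; SID = $sid; Kind = $kind }
}
$admins | Format-Table -AutoSize

# 3. Collect every SID in the current user's access token (groups plus the user SID).
$tokenSids  = @(whoami /groups | ForEach-Object { if ($_ -match '(S-1-[0-9-]+)') { $Matches[1] } })
$tokenSids += [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# 4. Intersect: a role grants local admin only once its SID is in the token, which is
#    built at sign-in after Azure AD has propagated the activation (the thread reports
#    up to 24 hours), so a portal activation alone changes nothing on the PC.
$effective = $admins | Where-Object { $tokenSids -contains $_.SID }
if ($effective) {
    Write-Host "Current user is a local admin via:"
    $effective | ForEach-Object { Write-Host "  $($_.Name)  $($_.SID)" }
} else {
    Write-Host "No Administrators-group SID is present in the current token."
    Write-Host "If the role was activated recently, wait for propagation, then sign out and back in."
}
```

Run it as the end user before and after the sign-out/sign-in that follows the role activation; the Kind column shows which admin entries are Azure AD role SIDs rather than local accounts.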
  • Working now with Microsoft Support to address this issue. We still want to control local admin rights for remote users via AAD PIM. Will get back here with the case resolution.

    Thanks all for the input!

    Tuesday, April 3, 2018 6:53 AM
  • Sure. Do update the resolution which will help the other community members. 

    Tuesday, April 3, 2018 6:37 PM
  • Thanks for updating the forum, this will help the other community members who are facing the same.
    Wednesday, May 2, 2018 8:01 PM
  • Hi Elmars,
    Hi all!

    Are there any updates to this?

    We are willing to use PIM for Device Administrators too, but are experiencing the same strange behaviour (sometimes it works, sometimes not).

    Monday, February 11, 2019 6:56 PM