Azure AD join local admin

  • Question

  • Hi,

    When I join a laptop of my client to their Azure AD, that user is made local admin as soon as they log in again, right?

    So this means they can install any program they download from the internet.

    Is that what most companies allow or how do you people do this?

    I would think the advantage of joining them to Azure AD is to use Intune as a GPO system and block/allow stuff, and that the user is just a member, but not a local admin.

    Or is it necessary that they are local admin and that you start blocking things from within Intune.... ?

    Saturday, November 9, 2019 8:56 PM

All replies

  • Hi,

    Using Intune would get around that if they are remote; however, there is a cost to using that with the license required. Are these laptops local or remote workers? If local, then getting an admin to join them to the domain will work and the end user won't be an AD admin.

    Thanks,

    Matt

    Sunday, November 10, 2019 8:44 PM
  • By default, Azure AD adds the user performing the Azure AD join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:

    • Windows Autopilot - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator. You can accomplish this by creating an Autopilot profile.
    • Bulk enrollment - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after a device has been joined are not added to the administrators group.
    Monday, November 11, 2019 10:56 AM
    Moderator
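    One way to verify the behaviour described in the reply above on a device that has already been joined, as an added PowerShell example that is not from this thread: it lists the local Administrators group and flags members that come from Azure AD (names prefixed `AzureAD\` or unresolved SIDs starting with `S-1-12-1-`, which is the Azure AD SID prefix). It assumes it is run in an elevated PowerShell prompt on the Azure AD joined Windows device; `net localgroup` is used rather than `Get-LocalGroupMember` because the latter can fail to resolve Azure AD principals on some builds.

    ```powershell
    # Added example (not from the thread): audit the local Administrators group
    # on an Azure AD joined device and report which members come from Azure AD.
    function Get-LocalAdminAudit {
        param([string]$Group = 'Administrators')

        # Constructed parser over the plain-text output of "net localgroup".
        $output = net localgroup $Group 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "net localgroup $Group failed: $output"
        }

        # Members are listed between the dashed separator and the trailing
        # "The command completed successfully." line.
        $lines   = @($output | ForEach-Object { $_.ToString() })
        $start   = [array]::IndexOf($lines, ($lines | Where-Object { $_ -match '^-{5,}' } | Select-Object -First 1)) + 1
        $members = $lines[$start..($lines.Count - 1)] |
            Where-Object { $_ -and $_ -notmatch 'completed successfully' } |
            ForEach-Object { $_.Trim() }

        foreach ($m in $members) {
            $source = switch -Regex ($m) {
                '^AzureAD\\'      { 'AzureAD user'; break }       # Azure AD user added at join or by role
                '^S-1-12-1-'      { 'AzureAD role/unresolved'; break } # e.g. Azure AD admin role SIDs
                '\\'              { 'Domain/other'; break }
                default           { 'Local' }
            }
            [pscustomobject]@{ Member = $m; Source = $source }
        }
    }

    # Usage: show every member, then just the ones originating from Azure AD.
    $audit = Get-LocalAdminAudit
    $audit | Format-Table -AutoSize
    $audit | Where-Object { $_.Source -like 'AzureAD*' } |
        ForEach-Object { Write-Warning "Azure AD principal is local admin: $($_.Member)" }
    ```

    If the user who performed the join appears as `AzureAD\user@tenant`, the device was joined interactively by that user; a device provisioned through an Autopilot profile or bulk enrollment as described above should show only the expected admin role SIDs and local accounts.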
  • If local, then getting an admin to join them to the domain will work and the end user won't be an AD admin.

    OK, but what is the disadvantage of letting the user be local admin?

    What do organizations usually do?

    Tuesday, November 12, 2019 8:20 AM
  • Hi,

    If local, then getting an admin to join them to the domain will work and the end user won't be an AD admin.

    OK, but what is the disadvantage of letting the user be a local admin?

    What do organizations usually do?

    Friday, November 15, 2019 7:43 AM