Azure AD join local admin

  • Question

  • Hi,

    When I join a laptop of my client to their Azure AD, that user is made local admin as soon as they log in again, right?

    So this means they can install any program they download from the internet.

    Is that what most companies allow or how do you people do this?

    I would think the advantage of joining them to Azure AD is to use Intune as a GPO system and block/allow stuff, and that the user is just a member, but not a local admin.

    Or is it necessary that they are local admin and that you start blocking things from within Intune...?

    Saturday, November 9, 2019 8:56 PM

All replies

  • Hi,

    Using Intune would get around that if they are remote; however, there is a cost to using that with the license required. Are these laptops for local or remote workers? If local, then getting an admin to join them to the domain will work and the end user won't be an AD admin.

    Thanks,

    Matt

    Sunday, November 10, 2019 8:44 PM
  • By default, Azure AD adds the user performing the Azure AD join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:

    • Windows Autopilot - Windows Autopilot provides you with an option to prevent the primary user performing the join from becoming a local administrator. You can accomplish this by creating an Autopilot profile.
    • Bulk enrollment - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after a device has been joined are not added to the administrators group.
    Monday, November 11, 2019 10:56 AM
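The reply above describes the default: the account that performs the Azure AD join lands in the device's local Administrators group. The script below is an added example, not part of the original thread, that lets an admin verify that on a given machine and, if wanted, undo it for one user. It is run in an elevated Windows PowerShell 5.1 session on the device itself. The UPN `user@contoso.com` is a placeholder, and the `$Remove`/`$Upn` parameters are this example's own, not anything from Azure AD or Intune.

```powershell
<#
  Added example (not from the forum thread): audit, and optionally trim, the local
  Administrators group on an Azure AD joined Windows 10 device.
  Run in an elevated Windows PowerShell 5.1 session on the device itself.
  "user@contoso.com" is a placeholder UPN; substitute the real joining user.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Azure AD user to remove from Administrators when -Remove is given (placeholder UPN).
    [string]$Upn = 'user@contoso.com',
    [switch]$Remove
)

# 1. Confirm the device is actually Azure AD joined.
#    "dsregcmd /status" prints a line "AzureAdJoined : YES" on a joined device.
$status = dsregcmd /status
$joined = ($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*(\S+)').Matches |
          ForEach-Object { $_.Groups[1].Value } | Select-Object -First 1
Write-Host "AzureAdJoined : $joined"

# 2. Enumerate Administrators through the ADSI WinNT provider instead of
#    Get-LocalGroupMember, which in Windows PowerShell 5.1 can fail on Azure AD
#    joined devices when the group contains Azure AD SIDs (known issue).
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $name = $_.GetType().InvokeMember('Name',      'GetProperty', $null, $_, $null)
    $raw  = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    $sid  = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    [pscustomobject]@{
        Name    = $name          # unresolvable principals show up as their SID string
        Sid     = $sid
        # Azure AD identities (users and directory roles) carry SIDs under S-1-12-1-.
        AzureAD = ($sid -like 'S-1-12-1-*')
    }
}
$members | Format-Table -AutoSize

# 3. Optionally remove the joining user. The Azure AD directory-role SIDs that the
#    join also places here are left alone: changing those is a tenant-level decision.
if ($Remove) {
    $target = "AzureAD\$Upn"
    if ($PSCmdlet.ShouldProcess($target, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $target -ErrorAction Stop
        Write-Host "Removed $target from Administrators"
    }
}
```

Run it without switches to see who currently holds local admin (Azure AD principals are flagged by their `S-1-12-1-` SID prefix), then with `-Remove -Upn <joining user> -WhatIf` to preview, and without `-WhatIf` to apply. Removing the user from the group does not affect the Autopilot and bulk-enrollment options in the reply above, which avoid the grant in the first place.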
    If local, then getting an admin to join them to the domain will work and the end user won't be an AD admin.

    OK, but what is the disadvantage of letting the user be local admin?

    What do organizations usually do?

    Tuesday, November 12, 2019 8:20 AM
  • Hi,

    If local, then getting an admin to join them to the domain will work and the end user won't be an AD admin.

    OK, but what is the disadvantage of letting the user be a local admin?

    What do organizations usually do?

    Friday, November 15, 2019 7:43 AM
  • @Nick_Loenders

    This completely depends on the organization's policies and the data they are dealing with. There shouldn't be any problem granting local admin access to the users if the organization performs regular compliance checks to ensure the device is in a healthy state from a security perspective.

    Thursday, December 12, 2019 6:55 AM