How to manage local user group membership with Microsoft Intune to make users local admin

I have done several Intune projects for customers, and with almost every implementation a subset of users needs to have local administrator rights (for example developers). There are several ways to grant users these rights, for example via a separate Autopilot profile in which you specify that users need to be local Administrator, or via the “additional local administrators on all Azure AD joined devices” option in the Azure AD device settings. In that case, however, they become administrator on all Azure AD joined devices, which is not recommended when they only need to be admin on their own device.

A good alternative is to give the user the admin rights via the local user group membership policy, by making the user a member of the local Administrators group via Microsoft Intune. In the policy you specify which user(s) or group(s) need to have local admin rights. Next you assign this policy to the group of devices to which the policy should be applied.

In this blog I will show you step-by-step how to manage Local Groups with Microsoft Intune.

For the next steps go to the Microsoft Endpoint Manager admin center.

Navigate to Endpoint security > Account protection and click + Create Policy

Select Windows 10 and later as Platform and Local user group membership as profile.

Click Create

Fill in a Name and optionally a Description

Click Next

There are three options to configure the local group.

Add (Update): To add users or groups to the local group
Remove (Update): To remove users or groups from the local group
Add (Replace): To remove all assigned users and groups and add only the specified users and groups from this policy

When using the Add (Replace) option to configure the built-in Administrators group, it is always required to add the Administrator as a member, because the built-in Administrator must always be a member of the Administrators group. Otherwise, your policy will not work.

Besides the local Administrator account you need to add two other SIDs as well: one for the Azure Global Administrators role (which is by default a member of the local Administrators group) and one for the “Azure AD joined device local administrator” role, which is used for the “Additional local administrators on all Azure AD joined devices” feature in the Azure AD device settings.

There are several ways to get the SIDs of those roles. You can read them from an Azure AD joined device where no changes have been made to the local Administrators group, as shown in the screenshot above (but you cannot copy them from there). Another way to get the SIDs is via PowerShell with the following commands.

If not already installed, install the Azure AD module.

Install-Module AzureAD

Log in with a Global Administrator account from your Azure AD tenant

Connect-AzureAD

To get a list of all Azure AD Roles

Get-AzureADDirectoryRole

Here you can see the ObjectId of the “Global Administrators” and the “Azure AD Joined Device Local Administrators” role.

These ObjectIds need to be converted to SIDs. Oliver Kieselbach has created a perfect PowerShell script for this. You can find it here: https://github.com/okieselbach/Intune/blob/master/Convert-AzureAdObjectIdToSid.ps1

Enter the ObjectId in the script (1) and run it. In the output you will find the SID (2). Repeat this step for both roles.

And again, the steps above are only required when using the Add (Replace) option.
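The conversion the script performs is short enough to show in full. The following is an added example, not Oliver Kieselbach's script or code from this post: it derives the SID from an Azure AD ObjectId, converts a SID back to an ObjectId (handy for identifying a SID you see in a device's Administrators group), and then uses Get-AzureADDirectoryRole to list both roles. The role display names in the filter are assumed and may differ in your module version.

```powershell
# Added example (not Oliver Kieselbach's script): derive the SID that Windows uses
# for an Azure AD role or group from its ObjectId, and convert a SID back again.
function Convert-AzureAdObjectIdToSid {
    param([Parameter(Mandatory = $true)][string]$ObjectId)
    # Azure AD identities get the prefix S-1-12-1, followed by the GUID's 16 bytes
    # (in .NET byte order) read as four unsigned 32-bit little-endian integers.
    $bytes = [System.Guid]::Parse($ObjectId).ToByteArray()
    $subAuthorities = foreach ($offset in 0, 4, 8, 12) {
        [System.BitConverter]::ToUInt32($bytes, $offset)
    }
    return 'S-1-12-1-' + ($subAuthorities -join '-')
}

function Convert-SidToAzureAdObjectId {
    param([Parameter(Mandatory = $true)][string]$Sid)
    # Reverse of the above: four decimal sub-authorities back to the GUID bytes.
    if ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        $bytes = foreach ($i in 1..4) {
            [System.BitConverter]::GetBytes([uint32]$Matches[$i])
        }
        return [System.Guid]::new([byte[]]$bytes).ToString()
    }
    throw "Not an Azure AD identity SID: $Sid"
}

# Round trip on a constructed ObjectId (not a real tenant value):
$sid = Convert-AzureAdObjectIdToSid -ObjectId '01234567-89ab-cdef-0123-456789abcdef'
$sid
Convert-SidToAzureAdObjectId -Sid $sid

# After Connect-AzureAD, list the SIDs of both roles used in this post. The role
# display names below are assumed; older AzureAD module versions list the Global
# Administrator role as "Company Administrator", so adjust the filter if needed.
Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -match 'Global Administrator|Company Administrator|Azure AD Joined Device Local Administrator' } |
    ForEach-Object {
        [pscustomobject]@{
            Role = $_.DisplayName
            Sid  = Convert-AzureAdObjectIdToSid -ObjectId $_.ObjectId
        }
    }
```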

Let’s go back to the policy. For this blog I will use the Add (Replace) option.

Select Administrators as Local group and Add (Replace) as Group and user action. Since we use the Add (Replace) action, we need to add the SIDs manually, because we cannot select Azure AD roles within this policy.

Click Add user(s) and add the Administrator, the SIDs of the “Global Administrators” and “Azure AD Joined Device Local Administrators” roles, and the users or groups you want to add additionally. If you want to add an Azure AD user, make sure you add it in the following format:

AzureAD\<upn>

When you want to add a security group you need to use the SID of that group. For more information about the formats you can use, see the Microsoft Docs.

Click Next

Optionally you can add a scope tag.

Click Next

Click Add groups to add the Azure AD security group with devices in it.

Click Next

Click Create

This is the Local Administrators group before the policy is applied.

This is the local Administrators group after the policy has been applied. As you can see, the Administrator, the SIDs and the test users are members of the group.
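To verify the result without relying on the screenshot, the following added check (not part of the original post) can be run on the device after the policy has applied. It lists every member of the local Administrators group and flags any member that is neither the built-in Administrator (RID 500) nor in the list you configured; the expected SIDs and UPN are placeholders you replace with your own policy values.

```powershell
# Added check (not from the original post): compare the actual members of the
# local Administrators group with the principals the Intune policy should set.
function Test-LocalAdministrators {
    param([Parameter(Mandatory = $true)][string[]]$ExpectedMembers)
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $sid  = $member.SID.Value
        $name = $member.Name
        [pscustomobject]@{
            Name     = $name
            Sid      = $sid
            Source   = $member.PrincipalSource
            # Built-in Administrator always has RID 500; everything else must be
            # listed explicitly, either by SID (roles, groups) or by name (users).
            Expected = ($sid -like 'S-1-5-21-*-500') -or
                       ($sid -in $ExpectedMembers) -or
                       ($name -in $ExpectedMembers)
        }
    }
}

# Constructed placeholder list: replace with the SIDs and users from your policy.
$expected = @(
    'S-1-12-1-<GlobalAdministratorRoleSid>',
    'S-1-12-1-<AzureAdJoinedDeviceLocalAdministratorRoleSid>',
    'AzureAD\user@contoso.com'
)

# Show only members that the policy did not intend to be there.
Test-LocalAdministrators -ExpectedMembers $expected | Where-Object { -not $_.Expected }
```

An empty result means the group contains exactly the built-in Administrator plus the members you listed, which is what the Add (Replace) action should produce.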


About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.
