I have done several Intune projects for customers, and in almost every implementation a subset of users (developers, for example) needs local administrator rights. There are several ways to grant these rights: a separate Autopilot profile in which you specify that the user becomes a local administrator, or the “Additional local administrators on all Azure AD joined devices” option in the Azure AD device settings. In the latter case, however, those users become administrator on every Azure AD joined device, which is not recommended when they only need admin rights on their own device.
A good alternative is to grant the rights with the Local user group membership policy, which makes the user a member of the local Administrators group via Microsoft Intune. In the policy you specify which users or groups need local admin rights, and you assign the policy to the group of devices it should apply to.
In this blog I will show you step-by-step how to manage Local Groups with Microsoft Intune.
For the next steps go to the Microsoft Endpoint Manager admin center.
Navigate to Endpoint security > Account protection and click + Create Policy
Select Windows 10 and later as Platform and Local user group membership as profile.
Fill in a Name and optionally a Description.
There are three actions you can configure for a local group:
Add (Update): To add users or groups to the local group
Remove (Update): To remove users or groups from the local group
Add (Replace): To remove all assigned users and groups and add only the specified users and groups from this policy
When you use the Add (Replace) action on the built-in Administrators group, you must always add the built-in Administrator account as a member. Add (Replace) first removes every existing member, and the built-in Administrator must always remain a member of the Administrators group; otherwise your policy will not work.
Besides the local Administrator account you also need to add two other SIDs: one for the Global Administrator role (which is a member of the local Administrators group by default on Azure AD joined devices) and one for the “Azure AD joined device local administrator” role, the role used by the “Additional local administrators on all Azure AD joined devices” feature in the Azure AD device settings. If you leave them out, Add (Replace) removes them from the group.
There are several ways to get the SIDs of those roles. You can read them on an Azure AD joined device where the local Administrators group has not been changed, as shown in the screenshot above (but you cannot copy them from there). Another way is via PowerShell with the following commands.
If not already installed, install the Azure AD module.
Log in with a Global Administrator account of your Azure AD tenant.
List all Azure AD roles.
In the output you can see the ObjectId of the “Global Administrator” and the “Azure AD Joined Device Local Administrator” roles.
These ObjectIds need to be converted to SIDs. Oliver Kieselbach has created a PowerShell script for exactly this. You can find it here: https://github.com/okieselbach/Intune/blob/master/Convert-AzureAdObjectIdToSid.ps1
Enter the ObjectId in the script (1) and run it. In the output you will find the SID (2). Repeat this step for both roles.
Again, the above steps are only required when using the Add (Replace) action.
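The conversion the script performs is simple enough to show in full. The following is an added example (my own code, not the script linked above and not part of the original post): an Azure AD SID is the prefix S-1-12-1- followed by the 16 bytes of the object ID read as four little-endian UInt32 values. The example converts in both directions and checks the round trip, so you can verify a SID you typed into the policy really corresponds to the role you meant. The two object IDs are constructed sample values, not real role IDs; the commented Get-AzureADDirectoryRole call assumes the AzureAD module is installed and you are connected with Connect-AzureAD.

```powershell
# Added example: convert an Azure AD object ID (GUID) to the SID Windows uses
# for Azure AD principals, and back. Works in Windows PowerShell 5.1 and PowerShell 7.

function ConvertTo-AzureAdSid {
    param([Parameter(Mandatory)][string]$ObjectId)
    # .NET's GUID byte layout is what the SID encoding is based on.
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $parts = foreach ($offset in 0, 4, 8, 12) {
        [BitConverter]::ToUInt32($bytes, $offset)      # four little-endian UInt32 sub-authorities
    }
    return 'S-1-12-1-' + ($parts -join '-')
}

function ConvertFrom-AzureAdSid {
    param([Parameter(Mandatory)][string]$Sid)
    if (-not ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$')) {
        throw "Not an Azure AD principal SID: $Sid"
    }
    $bytes = New-Object byte[] 16
    for ($i = 0; $i -lt 4; $i++) {
        # Reverse the encoding: each sub-authority becomes 4 little-endian bytes.
        $chunk = [BitConverter]::GetBytes([UInt32]$Matches[$i + 1])
        [Array]::Copy($chunk, 0, $bytes, $i * 4, 4)
    }
    return ([Guid]::new($bytes)).ToString()
}

# Constructed sample object IDs (assumption: not real tenant values).
# In a real tenant, take them from:
#   Get-AzureADDirectoryRole | Select-Object DisplayName, ObjectId
$roles = [ordered]@{
    'Global Administrator'                        = '11111111-2222-3333-4444-555555555555'
    'Azure AD Joined Device Local Administrator'  = '66666666-7777-8888-9999-aaaaaaaaaaaa'
}

foreach ($role in $roles.GetEnumerator()) {
    $sid = ConvertTo-AzureAdSid -ObjectId $role.Value
    # Round-trip check: the SID must decode to the same object ID we started from.
    if ((ConvertFrom-AzureAdSid -Sid $sid) -ne $role.Value) {
        throw "Round-trip failed for $($role.Key)"
    }
    '{0}: {1}' -f $role.Key, $sid
}
```

Because the SIDs are derived from your tenant's role object IDs, they are tenant-specific: never copy them from a blog post or another tenant, and re-run the conversion if you ever rebuild the tenant.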
Let’s go back to the policy. For this blog I will use the Add (Replace) action.
Select Administrators as Local group and Add (Replace) as Group and user action. Because we use the Add (Replace) action, we need to add the SIDs manually: Azure AD roles cannot be selected within this policy.
Click Add user(s) and add the Administrator, the SIDs of the “Global Administrator” and “Azure AD Joined Device Local Administrator” roles, and the users or groups you want to add in addition. If you want to add an Azure AD user, make sure you add it in the following format:
When you want to add a security group, you need to use the SID of that group. For more information about the formats you can use, see the Microsoft Docs.
Optionally you can add a scope tag.
Click Add groups to assign the policy to the Azure AD security group that contains the target devices.
This is the local Administrators group before the policy is applied.
This is the local Administrators group after the policy has been applied. As you can see, the Administrator, the two role SIDs and the test users are members of the group.
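Rather than eyeballing the group after the policy lands, you can compare the actual membership with what the policy was supposed to produce. The following is an added example (my own code, not part of the original post) that reports which expected SIDs are missing, which members should not be there, and whether the built-in Administrator survived the replace. It runs offline against constructed sample members; on a device you would pass the output of Get-LocalGroupMember instead. The SIDs in the sample are made-up values: the sample group deliberately lacks one expected user SID and carries one extra member so both findings show up.

```powershell
# Added example: verify the local Administrators group against the policy's member list.
# On a real device:
#   Test-LocalAdminMembers -ExpectedSids $expected -Members (Get-LocalGroupMember -Group Administrators)

function Test-LocalAdminMembers {
    param(
        [Parameter(Mandatory)][string[]]$ExpectedSids,   # role, user and group SIDs from the policy
        [Parameter(Mandatory)][object[]]$Members         # objects with a SID property (LocalPrincipal)
    )
    $actual = @($Members | ForEach-Object { $_.SID.Value })
    # The built-in Administrator is the RID-500 account of the machine's own domain.
    # Its SID differs per device, so it is matched by pattern rather than by value.
    $builtIn = @($actual | Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-500$' })
    [pscustomobject]@{
        BuiltInAdminPresent = ($builtIn.Count -eq 1)
        Missing             = @($ExpectedSids | Where-Object { $_ -notin $actual })
        Unexpected          = @($actual | Where-Object { $_ -notin $ExpectedSids -and $_ -notin $builtIn })
    }
}

# Constructed sample (assumption): what the group might contain after the policy applied.
$sampleSids = 'S-1-5-21-100-200-300-500',   # built-in Administrator of this machine
              'S-1-12-1-1-2-3-4',           # Global Administrator role (made-up SID)
              'S-1-12-1-5-6-7-8',           # Azure AD Joined Device Local Administrator role (made-up SID)
              'S-1-12-1-9-10-11-12'         # a member the policy did not ask for
$sampleMembers = foreach ($sid in $sampleSids) {
    [pscustomobject]@{ SID = [System.Security.Principal.SecurityIdentifier]$sid }
}

# What the policy specified: both role SIDs plus one Azure AD user (made-up SID).
$expected = 'S-1-12-1-1-2-3-4', 'S-1-12-1-5-6-7-8', 'S-1-12-1-13-14-15-16'

Test-LocalAdminMembers -ExpectedSids $expected -Members $sampleMembers
```

Run this before switching a pilot group to Add (Replace) and again after the first sync: if BuiltInAdminPresent is false or one of the role SIDs shows up under Missing, the policy is wrong and will strip the tenant's administrators from the device.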