Modern Management addresses a myriad of challenges organizations have faced with legacy management. However, it does introduce some new challenges that were previously trivial. One such challenge is local administrator access for Azure AD joined machines.

Managing local administrator access to domain joined machines is simple:

- Leverage GPO and Restricted Groups to add the domain group into the Administrators group on the local machine
- The next time the user logs in, they have administrator access

However, local administrator access with Azure AD introduces some complexity.

Local Administration with Azure Active Directory

Local administration is significantly more complex with Azure AD joined devices, especially for larger organizations where different groups of users need administrator access to different groups of machines.

When enrolling a device through either the self-service OOBE process or Autopilot, the user that joins the machine to AAD will be made a local administrator on the machine (in the case of Autopilot, only if enabled in the Autopilot profile).

As part of this process, two additional SIDs will be added into the "Administrators" group on the local machine:

- The SID that represents the Global Administrator role in Azure AD
- The SID that represents the Azure AD Device Administrator role (referred to as "Additional local administrators on Azure AD joined devices" in the Azure portal)

Azure AD therefore offers us two methods of allowing other users administrator access to Azure AD joined machines, but both have issues.

Neither the role nor "Additional local administrators" can be targeted to a group of machines, meaning that accounts that are Global Administrators or are "Additional local administrators" have admin access to EVERY machine in the environment.
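As an added example (not code from the original post), the PowerShell below audits the local Administrators group on an Azure AD joined device and flags the tenant-wide role SIDs described above, so an admin can see which members have admin access on every machine rather than just this one. It assumes the usual S-1-12-1 encoding of Azure AD object GUIDs and the two well-known role template IDs; confirm both against your own tenant.

```powershell
# Added example: report who holds local admin on an Azure AD joined device and
# distinguish tenant-wide Azure AD role SIDs from local or per-user principals.
# Uses the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10/11).

# Azure AD principals appear in local groups as S-1-12-1-<a>-<b>-<c>-<d>, where the
# four sub-authorities are the little-endian DWORDs of the object's GUID (assumed).
function ConvertFrom-AzureAdSid {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') { return $null }
    $bytes = foreach ($i in 1..4) { [BitConverter]::GetBytes([uint32]$Matches[$i]) }
    return [guid]::new([byte[]]$bytes)
}

# Well-known Azure AD role template IDs (assumption; verify in your tenant).
$RoleTemplates = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    '9f06204d-73c1-4d4c-880a-6edb90606fd8' = 'Azure AD Joined Device Local Administrator'
}

function Get-AzureAdLocalAdminReport {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $sid  = $_.SID.Value
        $guid = ConvertFrom-AzureAdSid -Sid $sid
        $role = if ($guid) { $RoleTemplates[$guid.ToString()] } else { $null }
        [pscustomobject]@{
            Name            = $_.Name              # role SIDs show unresolved here
            Source          = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD
            SID             = $sid
            AzureAdObjectId = $guid
            # A role SID cannot be scoped to a set of devices: it is admin everywhere.
            Scope = if ($role) { "TENANT-WIDE ($role)" }
                    elseif ($guid) { 'Azure AD user/group' }
                    else { 'Local' }
        }
    }
}

Get-AzureAdLocalAdminReport | Format-Table -AutoSize
```

Any row marked TENANT-WIDE is a principal the post warns about: membership is granted by the device join itself and cannot be limited to a group of machines.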