Azure AD Joined Device Local Administrator Management


Managing who holds local administrator rights on Microsoft Entra joined (formerly Azure AD joined) devices is a core part of running a cloud-managed Windows estate. A member of the local Administrators group can disable security agents, read credentials cached on the device and install whatever it likes, so the membership of that group is the boundary that matters, and IT needs a way to set it and to verify it on every device.

Entra joined devices are not subject to domain Group Policy, so local Administrators membership is not managed with GPOs the way it is on an on-premises domain. It is controlled in two places instead: directory roles (the Microsoft Entra Joined Device Local Administrator role, covered below) and MDM policy delivered by Intune (the Local user group membership profile, or the LocalUsersAndGroups CSP through a custom OMA-URI), which can add users and groups to, or remove them from, the device's Administrators group.

Several administrators on one device is legitimate where support responsibilities are split, for example a helpdesk group for day-to-day support plus a single break-glass local account for offline recovery. Every additional member, however, is one more account whose compromise yields full control of the device, so the membership should be kept minimal and auditable.

Azure AD Joined Device

Microsoft Entra ID provides a directory role, Microsoft Entra Joined Device Local Administrator (formerly Azure AD Joined Device Local Administrator, also known as Device Administrators), whose members are local administrators on every Entra joined Windows device in the tenant. The user who performs the join is also added to the local Administrators group by default, so the role is not the only path into that group.

Role membership is evaluated in the cloud at sign-in and represented on the device as a single role SID in the Administrators group rather than as individual accounts. Listing the group on the device therefore does not reveal which users hold the role, and there is no per-user local password to crack or reuse on another machine. The flip side is that the role applies to all devices at once: a compromised account in this role is an administrator everywhere, so it has to be treated as highly privileged rather than as a convenience.

The recommended way to hold the role is as an eligible assignment in Privileged Identity Management (PIM), which requires a Microsoft Entra ID P2 license. Administrators then activate the role just in time, optionally only after approval by someone else, with a capped activation duration and an audit trail. Note that the device only picks up an activation at the next interactive sign-in, when a fresh token is issued; locking and unlocking the session is not enough, so plan for a sign-out or a restart.

Azure AD Joined Device Overview


The role can be assigned under Microsoft Entra ID > Roles and administrators, or from Devices > Device settings, where the link for managing additional local administrators on all Microsoft Entra joined devices opens the same assignment page. Whichever entry point you use, the effect is identical: assignees become local administrators on every Windows 10 and Windows 11 device joined to Microsoft Entra ID, without gaining any rights over the device objects in the directory itself.

Because assignees appear on the device only as the role's SID, the accounts are not enumerable locally, and there is no shared local credential that can be replayed to another machine. This closes one common lateral-movement path (reuse of a local administrator password across devices), but it does not stop a compromised role holder's own session from being used on other devices, so the role still needs PIM and Conditional Access around it.

If you are licensed for Microsoft Entra ID P2, make the assignment eligible in Privileged Identity Management rather than permanent, so that access is just-in-time and every activation is logged.

Connectivity matters in one specific way. Role membership is evaluated when the user signs in to Entra ID; a user who has already signed in to the device keeps cached credentials and the group membership from their last sign-in, so they can still log on and administer the device offline. What cannot happen offline is a first sign-in by a new user, or picking up a freshly activated PIM role, because both need a new token from the cloud. For devices that must be recoverable without connectivity, keep a local break-glass account and let Windows LAPS (below) manage its password.

Here's a summary of the Microsoft Entra Joined Device Local Administrator role:

  • Scope: local administrator on all Windows 10 and Windows 11 devices joined to Microsoft Entra ID; no rights over device objects in the directory
  • Assignment: Roles and administrators, or Devices > Device settings (additional local administrators)
  • On the device: present only as the role SID; individual accounts are not enumerated
  • Recommended: PIM-eligible (P2) with a short activation window, approval and auditing
  • Takes effect: at the next interactive sign-in; needs connectivity to evaluate

Keep the PIM activation window short: the narrower the time during which the role is active, the smaller the window in which a compromised session can use it on every device in the estate.
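The first question an auditor asks about this role is who holds it permanently versus who can merely activate it through PIM. The following script, an added example rather than code from the original article, answers that with the Microsoft Graph PowerShell SDK. It matches the role by a name pattern so that both the old "Azure AD Joined Device Local Administrator" and the current "Microsoft Entra Joined Device Local Administrator" display names work, and it assumes you sign in with an account that can read directory role management.

```powershell
# Added example (not from the original article): list who holds the Entra Joined
# Device Local Administrator role, split into standing assignments and PIM-eligible ones.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

function ConvertTo-HolderRecord($Assignment, $Kind) {
    $p = $Assignment.Principal.AdditionalProperties
    [PSCustomObject]@{
        Kind        = $Kind
        Principal   = $p['displayName']
        Upn         = $p['userPrincipalName']                       # empty for groups
        Type        = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
        PrincipalId = $Assignment.PrincipalId
        Scope       = $Assignment.DirectoryScopeId                  # '/' = whole tenant, i.e. all devices
    }
}

function Get-DeviceLocalAdminRoleHolders {
    param([string]$RoleNamePattern = 'Joined Device Local Administrator')

    $role = Get-MgRoleManagementDirectoryRoleDefinition -All |
        Where-Object { $_.DisplayName -match $RoleNamePattern } |
        Select-Object -First 1
    if (-not $role) { throw "No directory role matched '$RoleNamePattern'." }
    $filter = "roleDefinitionId eq '$($role.Id)'"

    # Active = effective right now: permanent assignments plus PIM activations in progress.
    $active = Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -ExpandProperty Principal -All

    # Eligible = PIM just-in-time; this call fails on tenants without Entra ID P2.
    $eligible = @()
    try {
        $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -ExpandProperty Principal -All
    } catch {
        Write-Warning "Could not read PIM eligibility (is Microsoft Entra ID P2 licensed?): $_"
    }

    foreach ($a in $active)   { ConvertTo-HolderRecord $a 'Active' }
    foreach ($e in $eligible) { ConvertTo-HolderRecord $e 'Eligible' }
}

$holders = Get-DeviceLocalAdminRoleHolders
$holders | Sort-Object Kind, Principal | Format-Table -AutoSize

# A principal that is active but has no eligible assignment holds the role permanently:
# a standing administrator of every Entra joined device. Those are the finding.
$eligibleIds = @($holders | Where-Object Kind -eq 'Eligible' | ForEach-Object PrincipalId)
$standing = @($holders | Where-Object { $_.Kind -eq 'Active' -and $_.PrincipalId -notin $eligibleIds })
if ($standing.Count -gt 0) {
    Write-Warning "$($standing.Count) principal(s) hold the role permanently; convert them to PIM-eligible."
}
```

Run it from an administrative workstation, not from an end-user device; the interesting output is the Standing list, which should be empty in a mature deployment except possibly for an emergency-access account that is itself monitored.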

Benefits of Azure AD Joined Device


Beyond local administrator handling, Entra join is attractive because it removes the dependency on line of sight to a domain controller:

  • Users sign in with their Entra account and get single sign-on to Microsoft 365 and other Entra-integrated applications through the device's Primary Refresh Token, with no VPN needed to reach cloud resources. Access to on-premises file shares or printers is a separate matter and usually needs hybrid configuration or a network path.
  • IT does not have to run a separate set of VPN or local credentials for these users, which is one less password store to protect and reset.
  • With automatic MDM enrolment configured, joining enrols the device into Intune, so configuration, applications and updates are managed from one console wherever the device is.
  • The device becomes a known object in Conditional Access: policies can require an Entra joined or compliant device plus multi-factor authentication before granting access, and Windows Hello for Business replaces the password at the device itself.
  • Capacity scales with the tenant rather than with domain controllers, so adding devices and users does not add infrastructure to run.

Local Device Administration

There are a few ways to give someone local administrator rights on an Entra joined device, and they differ mainly in scope. The broadest is the Microsoft Entra Joined Device Local Administrator role, which grants local admin on every Entra joined device in the tenant.

That scope is the point to get right. The role fits staff who legitimately need administrative access to any machine, such as a desktop support team, and it should be held through PIM for that reason. It is the wrong tool for "IT staff should be admins on their own machines": assigning it for that purpose hands each of them the whole estate. For per-device or per-group administrators use an Intune policy scoped to the devices in question.

That policy is the Local user group membership profile in Intune (Endpoint security > Account protection > Create policy > Windows 10 and later > Local user group membership), which adds Entra users or groups to, or removes them from, the built-in local groups using the LocalUsersAndGroups CSP. Because it is an ordinary assigned policy you can have several of them, each targeting a different device group, for instance an Entra group of developers made administrators only on the development laptops. Take care with the "Add (Replace)" action: it makes the listed members the complete membership of the group and removes everyone else.

If you need a dedicated local administrator account on the devices, typically a break-glass account that works offline, Intune gives you two delivery mechanisms: a custom OMA-URI profile using the Accounts CSP, or a PowerShell script that runs New-LocalUser and Add-LocalGroupMember. The OMA-URI route is recommended: it is declarative, it reports as a normal policy (succeeded or failed per device, easy to troubleshoot), and it does not leave a script, and with it a password, in a file on the device.

The Accounts CSP takes the account name in the path, a write-only Password node and a LocalUserGroup node (1 = Users, 2 = Administrators):

  • ./Device/Vendor/MSFT/Accounts/Users/AccountName/Password, string: the initial password
  • ./Device/Vendor/MSFT/Accounts/Users/AccountName/LocalUserGroup, integer: 2 to place the account in Administrators

Two caveats apply to both methods. The device must be online to receive the policy or script, so the account does not exist until the first successful sync. And whatever password is delivered is identical on every device in the assignment and readable by anyone who can view the Intune profile or script; treat it as a bootstrap value and hand the account to Windows LAPS (next section) to rotate it.

Windows LAPS


Windows LAPS (Local Administrator Password Solution) is the built-in Windows feature that gives each device a unique, regularly rotated local administrator password and backs it up to a directory, for Entra joined devices Microsoft Entra ID. Before it shipped, Entra joined devices had to rely on community tools (Cloud LAPS and Lean LAPS, compared in the overview below); for new deployments the native Windows LAPS is the option to choose.

Enabling Windows LAPS for Entra joined devices has two halves. First, switch it on in the tenant: in the Microsoft Entra admin center go to Devices, then Device settings, set Enable Microsoft Entra Local Administrator Password Solution (LAPS) to Yes, and click Save.

Second, configure the policy in the Intune portal: Endpoint security, then Account protection, then Create policy, platform Windows 10 and later, profile Local admin password solution (Windows LAPS). The profile lets you set the backup directory, password age, administrator account name, password complexity, password length, and the post-authentication actions and delay.

Here are the default settings for the policy, as documented for the LAPS CSP:

  • Backup Directory: disabled (0) by default; set to Microsoft Entra ID (1) so the password is actually backed up
  • Password Age Days: 30 (7 to 365 when backing up to Entra ID)
  • Administrator Account Name: empty, meaning the built-in Administrator account (RID 500) is managed
  • Password Complexity: 4 (upper-case, lower-case, numbers and special characters)
  • Password Length: 14 (8 to 64)
  • Post Authentication Reset Delay: 24 hours
  • Post Authentication Actions: 3 (reset the password and log off the managed account)

You can adjust these settings to suit your organisation, but keep the post-authentication action enabled: it is what guarantees that a password an administrator has retrieved and used is rotated afterwards, rather than living on until the next scheduled rotation.
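Once the policy is in place, the day-to-day task is retrieving a device's current password and checking that rotation is happening. The following script is an added example, not code from the original article. It uses the LAPS PowerShell module that ships with Windows 11 and Windows Server 2022 (April 2023 update or later) together with the Microsoft Graph SDK, and it assumes the policy password age is the default 30 days; the device name in the usage line is a placeholder.

```powershell
# Added example (not from the original article): read a device's Windows LAPS
# password and rotation state from Microsoft Entra ID and flag stale passwords.
Import-Module LAPS
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome

function Get-DeviceLapsStatus {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [int]$PolicyPasswordAgeDays = 30,     # assumed: the LAPS CSP default
        [switch]$RevealPassword               # only when you actually need to log on
    )
    # Get-LapsAADPassword takes the Entra deviceId, not the directory object id.
    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" -Top 1
    if (-not $device) { throw "Device '$DeviceName' not found in Microsoft Entra ID." }

    $cred = Get-LapsAADPassword -DeviceIds $device.DeviceId `
        -IncludePasswords:$RevealPassword -AsPlainText:$RevealPassword
    if (-not $cred) {
        throw "No LAPS password stored for '$DeviceName'. Check the policy and the " +
              "Microsoft-Windows-LAPS/Operational event log on the device."
    }

    $nowUtc = (Get-Date).ToUniversalTime()
    $ageDays = ($nowUtc - $cred.PasswordUpdateTime.ToUniversalTime()).TotalDays

    [PSCustomObject]@{
        Device          = $cred.DeviceName
        Account         = $cred.Account
        LastRotatedUtc  = $cred.PasswordUpdateTime.ToUniversalTime()
        ExpiresUtc      = $cred.PasswordExpirationTime.ToUniversalTime()
        AgeDays         = [math]::Round($ageDays, 1)
        # LAPS rotates an expired password only when the device next processes policy,
        # so a device that has been offline can carry a password well past the policy age.
        StalePastPolicy = $ageDays -gt $PolicyPasswordAgeDays
        Password        = $cred.Password      # $null unless -RevealPassword was given
    }
}

# Usage: the device name is a constructed placeholder.
Get-DeviceLapsStatus -DeviceName 'LAPTOP-EXAMPLE01' | Format-List
```

Reading the password requires a directory role permitted to read device local credentials (Cloud Device Administrator is one of them), and retrieval is logged in the Entra audit log. If you reveal and use a password, either rely on the post-authentication action to rotate it or run Reset-LapsPassword on the device afterwards; a retrieved password that is never rotated is a shared secret again.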

Windows LAPS Overview

Windows LAPS is Microsoft's built-in mechanism for giving every device a unique, regularly rotated local administrator password and storing it where an authorised administrator can retrieve it: on-premises Active Directory, or Microsoft Entra ID for Entra joined and hybrid joined devices. It matters on end-user devices and servers alike. Without it, the local administrator password is typically the one baked into the image, and a single compromised device hands over every other device built from it.

Enabling it for Entra joined devices has two halves: switch on the tenant setting (Microsoft Entra admin center, Devices, Device settings, Enable Microsoft Entra Local Administrator Password Solution (LAPS)) and deploy a Windows LAPS policy from Intune, as described above.

Before Microsoft shipped native Entra ID support in April 2023, two community projects filled the gap for Entra joined machines. Cloud LAPS uses Azure resources (a Function App and a Key Vault) together with Intune Proactive Remediations to set a strong local administrator password on each device and store it in the Key Vault. Lean LAPS takes a lighter approach: a Proactive Remediations script creates or rotates the local administrator account and writes the new password into the remediation output, where it can be read in the Intune portal.

Both are community-built tools rather than Microsoft products, and both predate native Windows LAPS, which now meets the same need without extra infrastructure.

Here's a brief comparison of the two:

  • Cloud LAPS: passwords held in an Azure Key Vault with its own access control and audit log; higher security, but it needs Azure resources and incurs cost
  • Lean LAPS: simpler and quicker to implement; no Key Vault, so the password sits in the Proactive Remediations output and anyone with Intune rights to read remediation results can read it, which makes Intune RBAC the real control

The next section lists what you need in place before deploying the native Windows LAPS, which is the option to choose for new deployments.

Windows LAPS Pre-requisites


To set up Windows LAPS with Microsoft Entra ID as the backup directory, you need the following in place.

An Intune license, since the policy is delivered as an Intune Account protection profile.

Devices running Windows 10 or Windows 11 with the April 2023 cumulative update or later; the LAPS components are part of the operating system, so nothing is installed separately. The devices must be Microsoft Entra joined or hybrid joined for the Entra backup to apply.

For co-managed devices, the Device Configuration workload slider in Configuration Manager's Co-Management settings must be set to Intune or Pilot Intune for the collections that should receive the Windows LAPS policy; otherwise Configuration Manager remains authoritative for device configuration and the Intune policy is not applied.

Here are the specific requirements in a concise list:

  • Intune license
  • Windows 10 or 11 with April 2023 CU installed
  • Co-managed devices: Intune or Pilot Intune in SCCM's Co-Management settings

Cloud Device Management

The directory side of device management has its own role, Cloud Device Administrator. Its members can enable, disable and delete device objects in Microsoft Entra ID and read Windows BitLocker recovery keys stored in the directory. It grants no rights on the devices themselves and does not allow other device properties to be edited.

It is nonetheless a privileged role. Because it can read BitLocker recovery keys, and because it is one of the roles permitted to read Windows LAPS passwords backed up to Entra ID, a holder can unlock any encrypted disk in the estate and then log on to it as local administrator. Assign it the same way as the Joined Device Local Administrator role, through PIM with a short activation window. The role also carries read permissions for Azure and Microsoft 365 service health, audit logs and sign-in logs.

Here are the key actions the Cloud Device Administrator role allows:

  • Enable, disable and delete devices in Microsoft Entra ID
  • Read BitLocker recovery keys in the Microsoft Entra admin center
  • Read Windows LAPS passwords stored in Microsoft Entra ID
  • Read and configure Azure Service Health and Microsoft 365 service health
  • Read audit logs and sign-in logs

It's essential to note that the Cloud Device Administrator role is not the same as the Microsoft Entra Joined Device Local Administrator role. The former manages device objects in the directory and never becomes an administrator on the machine; the latter is a local machine administrator on every Windows 10 and Windows 11 device joined to Microsoft Entra ID and has no rights over device objects in the directory.

OMA-URI Policy

In Intune, a custom OMA-URI profile writes a value to a named node of a Windows configuration service provider (CSP), which is how every MDM setting ultimately reaches the device; the difference from the built-in settings catalog is only that you address the node yourself. Custom OMA-URI therefore requires MDM enrolment (for Entra joined devices, normally automatic enrolment into Intune at join time). It is not a way to configure devices that are Entra joined but not enrolled.

Custom profiles are useful when a CSP setting is not yet exposed in the Intune UI, or when you want the exact payload under version control. For the topic of this article the relevant nodes are the Accounts CSP (./Device/Vendor/MSFT/Accounts/Users/AccountName/Password and .../LocalUserGroup, which creates a local account and places it in Users or Administrators) and the LocalUsersAndGroups policy (./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure), which takes an XML value listing the members to add to, remove from, or make the complete membership of a local group, with Entra users and groups identified by their SIDs.

Two practical cautions. A password set through the Accounts CSP is written once and is the same on every device that receives the profile, so pair the account with Windows LAPS or rotate it. And a LocalUsersAndGroups payload using the replace action ("R") removes every existing member not in the list, which can include the directory role SIDs and your break-glass account if you forget them.
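The same mapping from Entra object IDs to device SIDs serves both tasks described on this page: producing the LocalUsersAndGroups payload for a custom OMA-URI profile, and auditing a device's Administrators group (the Local Device Administration section) against the same expected set. The script below is an added example, not code from the original article. The two role template IDs are Microsoft's built-in ones and should be confirmed in your tenant with Get-MgDirectoryRoleTemplate; the security group ID is a constructed placeholder, and the audit part must run elevated on an Entra joined device.

```powershell
# Added example (not from the original article): build the LocalUsersAndGroups OMA-URI
# payload from Entra object IDs, and audit local Administrators against the same set.

# Entra users, groups and roles appear on the device as SIDs of the form
# S-1-12-1-a-b-c-d, where a..d are the object GUID's 16 bytes read as four
# little-endian UInt32 values.
function ConvertTo-EntraSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $parts = foreach ($i in 0..3) { [BitConverter]::ToUInt32($bytes, $i * 4) }
    'S-1-12-1-' + ($parts -join '-')
}

# Built-in role template IDs (verify with Get-MgDirectoryRoleTemplate in your tenant).
$RoleTemplateIds = @{
    EntraJoinedDeviceLocalAdministrator = '9f06204d-73c1-4d4c-880a-6edb90606fd8'
    GlobalAdministrator                 = '62e90394-69f5-4237-9190-012177145e10'
}
$LocalAdminGroupId = '11111111-2222-3333-4444-555555555555'   # placeholder: your Entra security group

function New-LocalUsersAndGroupsXml {
    # Value for ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure.
    # action="R" makes the listed members the complete membership (everything else is
    # removed); "U" only adds the listed members and leaves existing ones alone.
    param(
        [string[]]$EntraObjectIds = @(),
        [string[]]$LocalMembers = @('Administrator'),
        [ValidateSet('R', 'U')][string]$Action = 'R'
    )
    $lines = @('<GroupConfiguration>', '  <accessgroup desc="Administrators">', "    <group action=`"$Action`" />")
    $lines += $LocalMembers   | ForEach-Object { "    <add member=`"$_`"/>" }
    $lines += $EntraObjectIds | ForEach-Object { "    <add member=`"$(ConvertTo-EntraSid $_)`"/>" }
    $lines += '  </accessgroup>', '</GroupConfiguration>'
    $lines -join "`r`n"
}

function Get-LocalAdministratorSids {
    # Get-LocalGroupMember can fail on Entra joined devices when it meets S-1-12-1 SIDs
    # it cannot resolve, so read the group through ADSI instead.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $raw = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        [PSCustomObject]@{
            Name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
            Sid  = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$raw, 0).Value
        }
    }
}

function Test-LocalAdministrators {
    # Intune detection-script convention: exit 0 = compliant, exit 1 = run remediation.
    # The user who performed the Entra join is added to Administrators by default and
    # will be reported here unless their SID is in the allow-list; that is intentional.
    param([Parameter(Mandatory)][string[]]$AllowedSids)
    $unexpected = @(Get-LocalAdministratorSids | Where-Object {
        $_.Sid -notin $AllowedSids -and $_.Sid -notlike 'S-1-5-21-*-500'   # RID 500 = built-in Administrator
    })
    foreach ($u in $unexpected) { Write-Output "Unexpected local administrator: $($u.Name) ($($u.Sid))" }
    if ($unexpected.Count -gt 0) { exit 1 }
    Write-Output 'Local Administrators membership matches policy.'
    exit 0
}

# 1. Payload to paste into the custom OMA-URI profile (data type String).
$expectedIds = @($RoleTemplateIds.Values) + $LocalAdminGroupId
New-LocalUsersAndGroupsXml -EntraObjectIds $expectedIds

# 2. Detection-script body enforcing the same expectation on the device.
Test-LocalAdministrators -AllowedSids ($expectedIds | ForEach-Object { ConvertTo-EntraSid $_ })
```

Keep the built-in Administrator in the payload when you use the replace action, because that is the break-glass account Windows LAPS manages; remove it from the list only if you have deliberately disabled it. Run the detection part as a Proactive Remediations detection script on a schedule, and you get a per-device report of anyone who has ended up in Administrators outside the policy.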

Lamar Smitham

Writer
