For a while, it is possible to log on to Windows with your Office 365 account. This enables a nice amount of flexibility. Especially when using different devices in your company. Sometimes you need local administrator rights, however.
Here are 4 ways to assign local administrator rights to Azure AD joined devices.
UPDATE!
Microsoft also added a 5th way now! You can check out this new blog article for the new improved method.Assign administrator permissions on a Azure AD joined PC the easy way
Pre-requisites
- Windows 10 Pro
- Azure AD subscription
- A regular local administrator account
1. Join a new Windows 10 device with Azure AD during a first run
A brand new Windows 10 Pro lets you choose to join this device with Azure AD. The first-run experience gives you the option to let your organization manage your computer. You then automatically become this device’s owner.
Who gets a promotion to local admin?
- The person that performs the Azure AD join (first user)
- All global administrator accounts in Office 365
Also, this applies when you add an existing device to Azure AD.
2. Global administrator accounts in Office 365
Whenever you join a computer with Azure AD it automatically prepares some policies and settings. These policies and settings are enforced by your company.
One of these policies populates the local “Administrators” group with new entries. For each global administrator account, you can find a new entry. Then, if a global administrator accounts logs on, they instantly receive local administrator privileges.
3. Manually add Azure AD users to your local “Administrators” group
Sometimes a regular Office 365 user needs to be a local administrator on a specific Azure AD joined device. This is where command line comes in handy. The GUI does not support adding Azure AD accounts yet.
Important to know is that the user you wish to add first needs to log in. He or she should enter their Azure AD credentials. A new Windows user profile is then prepared and Windows populates the GUID.
Steps to add the user to the “Administrators” group:
- Login to Windows as the user you wish to grant rights
- Start a command shell as Administrator
- Find the username of the new user (an easy way to find the username is to copy it from their user folder and append it to “AzureAD\”)
- Perform the command below
net localgroup administrators AzureAD\<username> /add
The command should give “The command completed successfully” as a result. If not, you can check for typos. Furthermore, double check if the user surely logged on to this computer previously.
Finally, the user needs to log off and on.
4. Add users to the local “Administrators” group on all Azure AD joined devices
Lastly, you can assign specific users, in your tenant, local administrator rights. This way you grant them local administrator rights on all devices owned by your company.
Here we need some pre-requisites:
- Windows 10 Pro
- Azure AD subscription with AAD Premium
- A regular local administrator account
Additional local administrators on Azure AD joined devices – You can select the users that are granted local administrator rights on a device. Users added here are added to the Device Administrators role in Azure AD. Global administrators in Azure AD and device owners are granted local administrator rights by default. This option is a premium edition capability available through products such as Azure AD Premium or the Enterprise Mobility Suite (EMS).
- Sign-in to the Azure portal as an administrator.
- On the left navbar, click Active Directory.
- In the Manage section, click Devices.
- In the next Manage section, click Device Settings
Here you can find the option “Additional local administrators on azure ad joined devices”.
- Highlight the option “Selected”. This enables you to choose additional accounts.
- Add or remove accounts as necessary and press OK.
As the last action, do NOT forget to press the SAVE button at the top left.
This will save you a lot of time troubleshooting…
