Local administrators on AAD Joined devices

Last Updated on

7 min read

In this article, I will explain how, one could attempt to manage the built-in administrators group, on an Azure AD Joined Windows 10 device, using an AAD Security Group.

Since the local Administrators group, does not support the addition of AAD born security groups, We will be using Intune, PowerShell, GraphAPI and Azure AD to accomplish this.

With these tools come great power, and even though this is a simplified use case, I will give some examples on more advanced use cases, at the end of the article.

The motivation for this article, has come from user voice, and a lot of people emailing me, asking for this. (Thank you! you are welcome guys/gals).

And remember: โ€œCommunity work is not just for delinquents.โ€ ๐Ÿ˜‰

If you wish to read the official guidelines on How to manage the local administrators group on Azure AD joined devices, it can be found here: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

The overview and the script.

Now, lets just quickly talk about whatโ€™s needed here, and then I will give you the script.. donโ€™t TL;DR; me on this oneโ€ฆ

This script does the following on a high level:

  • Connects to Azure AD via the Graph API as a registered App.
  • Gets the members of a predefined security group.
  • (Optionally) Clean out ALL Azure AD users from the Administrators group.
  • Adds security group members to the built-in Administrators group if they donโ€™t already exists.

This script requires a few things:

If you got all of that stuff under control, then by all means, go ahead and deploy the script with Windows Intune – assigning it to the devices you wish to use it on.

Otherwise, read on after the script link, on how to actually deploy it (The links above, can be used to jump to the different tasks you need to perform).

Oh and, you might want to save it to a file now, so you you have it handy, once we get to the upload part. ๐Ÿ™‚

aad_controlled_localadmins.ps1 on GitHub

Getting things ready for the script (Pre-reqs).

Getting the Azure Group Object ID

First we need to create a security group in Azure AD, that contains the users that we want added to the built-in Administrators group, on the devices we assign it to.

  1. Sign-in to your Azure tenant portal and open Azure Active Directory -> Groups, and create a new security group, and make sure to add one or more users to it!
  2. Get the groups Object ID, by viewing the properties of it.
  3. Add the groups Object ID to the script, in the โ€œCONFIGโ€ section.
Image of how to get the Object ID of an Azure AD Group.
Security Group Properties

Registering an application, in order to gain API access for the powershell script.

If you donโ€™t know how the basics of getting API access, via an app registration in Azure AD, then itโ€™s about time bro!

Lets get to it! 
(Donโ€™t worry, we are doing the simplest form of app registration – Easy Peasy, Kanye is Jeezy.)

Go to your Azure Active Directory blade, in the Azure Portal, and click on โ€œApp Registrationsโ€ -> โ€œNew application registrationโ€.

Image depiction of how to add an app registration in azure ad
Azure AD App Registration

Now in the โ€œCreateโ€ blade, fill in like this:
(The URL is just a placebo, as we wonโ€™t be using it, but is required to be filled).

Image depiction of how to create an app registration in Azure AD
Azure AD App Registration “Create”

…and click on the blue โ€œCreateโ€ button, at the bottom of the blade.

On the next blade that appears, you will immediately be presented with one of the things we need, namely the โ€œApplication IDโ€, copy that sucker and paste it into the CONFIG section of the PowerShell script.

Image of how to get the application id from azure ad
Azure AD Application ID

Now click the blue โ€œSettingsโ€ gear icon.

Next we create a key to give our script access.

Click on โ€œKeysโ€œ

Enter a description (important if you decide to change keys because it might have been compromised, so keep track of these!).

Choose and expiration date for the key (I choose never, so I donโ€™t have to deal with any s**t in a few years, lol).

Notice that the key will only be shown upon saving – so click on โ€œsaveโ€ and copy paste the key into the CONFIG section of the script.

Image depicting how to generate an api key for azure ad
Azure AD Application Keys

Now we need to assign the appropriate permission in Azure AD for the scriptโ€ฆ

Close the โ€œKeysโ€ blade, so you are back at the โ€œSettingsโ€ blade.

Click on โ€œRequired Permissionsโ€.

Take a close look – a lot is going on here:

Image depicting how to add required permissions to an app in azure ad.
Azure AD Application Permissions

So first, we double click on โ€œWindows Azure Active Directoryโ€, which opens up the โ€œEnable Accessโ€ blade.

Here we deselect any defaults, and just tick the box next to โ€œRead Directory Dataโ€, and click on โ€œSaveโ€.

After that ordeal, we click on โ€œGrant permissionsโ€, and accept that we are now granting the app full permission to access the data we are requesting.

Now you can close all the blades – this part is d o n e !

Getting the Tenant ID (Directory ID)

This might be the easiest thing in the world for some people, but here is how to find your tenant ID in Azure Active Directory.

Go to your Azure Active Directory portal – Open up the Azure Active Directory service from the lefthand menu – click โ€œPropertiesโ€, and there you have itโ€ฆ Ready to be copied into the CONFIG section of the script.

Image depicting how to find the Tenant ID or Directory ID in Azure AD
Azure AD Tenant ID / Directory ID

Yup! Thatโ€™s all there is to it.

Now on to the final part!

Publishing the PowerShell script with Intune.

While signed-in to the Azure portal as your tenant, open โ€œIntuneโ€.

From the Intune portal, go to โ€œDevice Configurationโ€ -> โ€œPowerShell scriptsโ€ and click the blue โ€œ+ Addโ€ button, to add the script.

Image depicting how to add a powershell script to intune
Intune PowerShell Scripts

Now fill in a Name and Description, and select the script file to be uploaded.

Image depicting how to name and select a powershell script to be uploaded to Intune.
Intune Add PowerShell Script

Afterwards go directly to the blue โ€œCreateโ€ button at the bottom of the blade, as the default settings are fine.

You should be familiar with assigning the script to some devices, so this guide will not cover that in detail.

However, please consider scoping the devices with groups, instead of just adding the script to all devices (itโ€™s best practice yo!).

Advanced use cases

For some more advance use cases, one could create multiple versions of the script, that source from different security groups.

This would allow you to assign different administrators, to a segregated list of devices.

The scenario could be one where local IT staff exists in branch offices, and they have no business handling devices not belonging to their branch.

To do this, you would create multiple PowerShell Device Configurations that each target a different security group. these would in turn be assigned to different device groups.

More could be done, but this was just one quick example…

Final Words

NB: The cons of adding any powershell script via Intune, is that it only runs once. So you will need to fix that by deleting the policy, and recreating it, if you have changes to the group membership.
I have another workaround for this, in my blog post here: https://www.iphase.dk/force-reload-intune-powershell-scripts/
ALSO: Read the script through, there are experimental features in there you might need!

As always, I welcome any ideas, script changes, remote work gigs, and dad jokes.

Hope you found this article useful, if so PLEASE @mention me or follow me on Twitter@michael_mardahl