Prerequisites:
Azure Active Directory Premium P2
Azure AD joined devices
Information
We don’t want our users to be local admin on their devices, and currently there is no LAPS (Local Administrator Password Solution) available for Azure AD only clients. There are some really creative solutions built to give you the same functionality as LAPS, links below are to some of those solutions.
LeanLAPS using Proactive remediations
Autopilot Settings for User account type (Extra)
If you are using Autopilot make sure you configure the deployment profile “User account type” : Standard.
Configuring the Role Azure AD Joined Device Local Administrator
Go to Privileged Identity Management
Select Roles under Manage and find the role Azure AD Joined Device Local Administrators.
Click the settings button to configure the activation settings etc.
For this setup we will require ticket information on activation; you might have other requirements that need to be met, and you can configure the role according to those requirements.
Example of how the activation of the role looks. (With this setup you can see we are requiring a “Ticket number”. Our administrators would then fill out the reason and activate the role to be able to help the user.)
After the role has been activated the user now becomes local admin on all AAD joined devices for the specified duration of the role activation.
There is a sync delay before the role becomes active; during my testing it was very fast, between 5-10 minutes. Now the administrator can help the user repair or install applications by entering their credentials when UAC prompts, or by using “Run as a different user”.
Permanent local administrator
If you need a permanent local administrator account you can easily configure this, remember the accounts added here will be local admins on all your AAD joined devices.
Go to Azure Portal
Select Devices then Device settings.
At the bottom you will find “Additional local administrators on all Azure AD joined devices”
Click Add assignment and add the users you want to be local administrators on all AAD devices.
Microsoft Documentation (How to manage the local administrators group on Azure AD joined devices)
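To see who actually holds this role today (eligible through PIM, activated right now, or standing), here is an added PowerShell audit example that is not from the original post. It assumes the Microsoft Graph PowerShell SDK (Identity.Governance and DirectoryObjects modules) and read access to PIM role schedules; the cmdlet names are the Graph SDK ones as I know them, so verify them against your installed module version.

```powershell
# Added audit example (not from the original post). Assumes the Microsoft.Graph
# PowerShell SDK and a tenant with PIM. Lists who is eligible for, permanently
# assigned to, or currently activated in the Azure AD Joined Device Local
# Administrator role; permanent holders are local admins on every AAD joined device.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory',
                        'RoleEligibilitySchedule.Read.Directory',
                        'RoleAssignmentSchedule.Read.Directory'

# Newer tenants display the role as "Microsoft Entra Joined Device Local Administrator".
$roleName = 'Azure AD Joined Device Local Administrator'
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found; check the display name in your tenant." }
$filter = "roleDefinitionId eq '$($role.Id)'"

function Resolve-PrincipalName([string]$id) {
    # The principal may be a user or a group; displayName sits in AdditionalProperties.
    $obj = Get-MgDirectoryObject -DirectoryObjectId $id -ErrorAction SilentlyContinue
    if ($obj) { $obj.AdditionalProperties['displayName'] } else { $id }
}

$rows = @()
# Eligible (JIT) holders: the people who can activate the role through PIM.
foreach ($e in Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter) {
    $rows += [pscustomobject]@{ Principal = Resolve-PrincipalName $e.PrincipalId
                                Kind      = 'Eligible'
                                Until     = $e.EndDateTime }
}
# Active instances: 'Activated' = a PIM activation in progress, 'Assigned' = standing admin.
foreach ($a in Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $filter) {
    $kind = if ($a.AssignmentType -eq 'Activated') { 'Activated (PIM)' }
            elseif ($a.EndDateTime)                 { 'Assigned (time-bound)' }
            else                                    { 'Assigned (PERMANENT)' }
    $rows += [pscustomobject]@{ Principal = Resolve-PrincipalName $a.PrincipalId
                                Kind      = $kind
                                Until     = $a.EndDateTime }
}
$rows | Sort-Object Kind, Principal | Format-Table -AutoSize

# Anything permanent here is exactly what "Additional local administrators" grants:
# admin on all AAD joined devices, so review each entry.
$permanent = @($rows | Where-Object Kind -eq 'Assigned (PERMANENT)')
if ($permanent.Count -gt 0) { Write-Warning "$($permanent.Count) permanent assignment(s) found." }
```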
Hi thanks for this. Is it possible through PIM to make users local admin on specific devices?
Thanks!
You would need to create a custom flow. If I recall correctly, when I tested some scenarios like that, I had a conditional access policy that limited the access to the specific device etc.
But I would say the correct way would be to use EPM, it will soon have a function where the user can ask for temporary admin and IT can approve it.
https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview
Other than that you need a 3rd party application or build a custom flow.