Step-by-Step guide to add Additional Local Administrators to Azure AD Joined Devices

I am sure every engineer knows how “Local Administrators” works in a device. If it’s a device in on-premise Active Directory environment, either domain admin or enterprise will need to add it to Administrators group. if it’s a workgroup environment, another user with local administrator privileges will need to add additional users to Administrators group. 

If it is Azure AD join device, Azure Global Administrators and Device Owner have local administrator rights by default. 

localad1

localad2

Azure AD allow to define local administrators in device level. however, this is a global setting. If it is need to handle in device level, still you need to login from an account which already have local administrator rights and then add additional users. 

Let’s see how we can do this. 

1) Log in to azure portal as Global Administrator

2) Then click on Azure Active Directory and the Devices

localad3

3) Then click on Device Settings

localad4

4) By default, Additional local administrators on Azure AD joined devices setting is set to None. click on tab Selected to enable it. 

localad5

5) In my demo, I am going to make user RA886611@therebeladmin.com local administrator for devices. To do that click on Selected option. 

localad6

6) In new window click on Add members to add users. 

localad7

7) From the list find the relevant user and click on it to select. Then click on Select

localad8

8) Then click on OK

localad9

9) Finally click on Save to apply the settings. 

localad10

10) To Test this, I logged in to a Azure Domain Joined Device as RA886611@therebeladmin.com 

localad11

11) Now to test it, I trying to launch PowerShell console as Administrator. If it works, I shouldn’t get login prompt. 

localad12

12) As expected it didn’t ask for admin user name and password as logged in user now have local admin privileges. 

localad13

localad14

13) Also, when needed, using Remove Members option in Local administrators on devices page, we can remove the users from local administrator group. 

localad15

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Share and Enjoy:
  • Print
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • LinkedIn
  • Live
  • RSS
  • StumbleUpon
  • Twitter
Share: